It’s in the news every day. Just recently there was a report of a breach at the IRS. You’d think that, of all of the government entities holding personal information, the IRS would be one to have an all but impenetrable and completely locked-down system. In addition, more and more media coverage is focusing on cyber-security related to smartphones and how easy it is for a hacker to gain access to phones and all of the information contained therein.
The hard fact is that cybercrime is pervasive. Cyber thieves are crafty and persistent in finding ways and opportunities to breach security to gain access to personal information and beyond.
Cyber Attack Realities
The Risk – If your business uses computers, chances are someone will try to hack them.
The Fallout – Data breaches can result in fines, litigation, business interruption and reputation damages.
The Solution – Having the right protocols and insurance policies in place can mitigate the damage caused by a cyber-attack.
The ramifications of a cyber-breach can be both financially and operationally catastrophic to any business. We live in a cyber-world where we must learn to deal with the associated risks from both a business and a personal perspective.
How can a business best deal with cyber security?
Start by performing risk assessments from both an IT and an insurance perspective. As technology is constantly changing, this should be done on a continuous basis. Insurance coverage needs to be evaluated in depth, as the exposures of each business entity, as well as the specific coverage offerings, will vary from insurance company to insurance company. Do your due diligence. Here are just a few of the areas to consider when limiting exposures and liability:
Initial Steps in the Risk Management Process
Businesses should first focus on developing a robust internal risk management program, including the establishment of strong policies and procedures. Training and insurance can reduce the chances of a data breach and mitigate the damages if a breach occurs.
In general, an organization should review the following areas to begin developing a well-rounded risk management program:
- Corporate security policy
- Asset classification and control
- Personnel security
- Computer network and management protocols for vulnerability handling
- System access controls
- Privacy and regulatory compliance
Then, ask yourself “what does our company have in place to mitigate our exposures?”
- Do we have an effective privacy policy? A policy that your company does not follow is worse than not having a policy at all; therefore, ensure that your policies are distributed among, and followed by, employees.
- Do we have an effective privacy breach response plan? Review your incident response plan regularly and ensure that the team members are prepared to jump in when an incident occurs.
- Do we continuously test our disaster response and business continuity plans? Work closely with your business partners to ensure that they are properly handling your confidential data. Vendors are the cause of at least 1/3 of all data security incidents.
Continually Assess Risks and Exposures
Companies should continuously assess risks, exposures and insurance policies. It is imperative to conduct a yearly security risk assessment to identify any vulnerability in your processes and procedures for handling confidential data. Some laws, such as HIPAA, require periodic risk assessments; even where they are not required, they are good practice, because organizational risks change as practices change.
An assessment might be as simple as asking the following questions:
- What are our risks/exposures? These can be broken down into two parts, first party claims and third party claims:
  - First Party Claims would include Forensic Examination Expenses; PCI/PFI Audit Costs; Privacy Notification Costs; Privacy Counsel Fees; Mailing Notification Costs; Credit Monitoring & Call Center Services; Business Interruption (loss of income); Intellectual Property Loss; Public Relations; Extortion.
  - Third Party Claims include Claims by Private Litigants, Consumers, or other businesses; Claims by State Attorneys General; Claims by the FTC; Regulatory Fines & Penalties; PCI Fines & Penalties; Loss of Business; Damage to Reputation.
Insurance coverage addresses the exposures listed above. However, keep in mind that each insurance carrier will have its own definitions, terms and conditions that will play a part in each of these coverage areas. Some of these terms include:
- Invasion of Privacy and Identity Theft
- Breach of Security, Network Disruption
- Intellectual Property
- Errors & Omissions
- Defamation & Product Disparagement
- Discrimination & Harassment
- Extortion
- Digital Theft & Forgery
- Business Income
- Disaster Recovery
- Crisis Response Costs
Consider:
- What are the threats? Cyber criminals, organized criminal groups, Bot-network operators, hackers, insiders, phishers, spammers, corporate espionage, even terrorists.
- Where are we exposed? Corporate intellectual property, employee data, client data, third party data, web sites, social media outlets. What parts of our systems are at risk?
- What are the gaps in our existing coverage? What’s covered and what’s not – how will our policy respond if there is a cyber-security event? How can the gaps be addressed?
The bottom line here is that cyber-attacks and data breaches have become an everyday threat to both individuals and businesses. The diverse types of cyber risks are virtually limitless, and it’s all but impossible to predict exactly how and when you or your business may become a bull’s-eye for cyber-criminals. Be diligent in your efforts to control what you can and mitigate exposure where possible.