The prospect of a cyber breach looms for every business and the stakes have never been higher. A survey by the Ponemon Institute with Hewlett-Packard found that the average cost of responding to a cyber attack for U.S. companies has increased 96% over the last five years to a whopping $12.7 million. Considering that the 59 organizations which participated in the study have seen a 176% increase in the number of cyber attacks with an average of 138 successful attacks per week, the chances that a company will experience an attack increase every day.
The survey also found that it took approximately 170 days to detect an attack and another 45 days to resolve it, usually costing somewhere around $1.6 million to the company.
A global analysis Ponemon conducted with IBM found that breach costs worldwide had risen 15% over the previous year, to $3.5 million (in US dollars) per company this year.
Evaluating and calculating the possible costs of a breach has become a must for every business. Booz Allen Hamilton has created a free tool that helps senior executives at companies understand the damage inflicted by cyber attacks and assess the costs should their companies become a target.
To help put some of this into perspective, PropertyCasualty360.com had an opportunity to pose some questions about managing the risks associated with cyber attacks to Jay Shelton, senior vice president, risk management services for Assurance. Shelton has more than 16 years of experience in the risk management field and is an expert in managing risk across several business lines.
1. How should companies conduct an audit to determine susceptibility to cyber risk?
Companies should first start by understanding the type of information being collected and where it’s stored. The audit or risk assessment should focus on three key areas: administrative safeguards, physical safeguards and technical safeguards. Administrative safeguards include assessing policies and procedures regarding limiting access to confidential, personal information for customers, employees or others so that the only employees who have access to this information are those who need it to perform their job duties. Also ensure vendors have appropriate safeguards in place to protect the data you send them.
Some key administrative policies should be a “clean desk policy” that requires employees to properly secure records containing confidential, personal information and then conduct periodic audits to ensure the policy is followed, as well as a record retention policy that would help ensure your organization does not keep records for longer than necessary. Further, an acceptable use policy should be in place, which outlines how your employees should use information.
Physical safeguards could include: storing paper records containing confidential, personal information in locked file cabinets; shredding records that contain confidential, personal information; and storing servers, laptops, flash drives or other sensitive equipment in secure, locked areas. Technical safeguards should include encrypting laptops, flash drives, and data stored on servers. You should update system software regularly, particularly when a specific virus or malware breach is discovered, and install and update firewalls, antivirus and anti-spyware software to ensure the most up-to-date protection is being used.
2. Companies experience multiple network breaches daily without incident due to good network security practices. Should leadership be notified every time a network breach occurs?
There’s not a standardized threshold at which company leadership should be notified of a cyber incident. It really depends on the size and scope of the breach, and whether there is an obligation to notify government agencies, affected individuals or the public.
Because every company is different in its risk exposure, breach notification protocols should be established and outlined in the company’s Incident Response Plan. Specifically, it should outline who, when, and how the incident is communicated, internally and externally, as well as from the IT manager to CEO to the insurance carrier and government agencies. It’s critical that everyone understands their role and responsibility in a breach response and what triggers the next level of notification.
3. What are some cyber security industry standards and best practices?
Data privacy and security practices vary from industry to industry and from state to state, but certain best practices apply to all organizations, such as:
- Assign one person to be responsible for data security with enough authority to get things done.
- Conduct a risk assessment to identify areas of vulnerability and improve your network security.
- Implement policies and procedures that limit access to sensitive data and record retention storage. Consistent enforcement is the key to compliance.
- Review and improve your vendor contracts to make sure your service providers with whom you share confidential and personal information are required to protect your information, specifically if you’re using cloud-based information storage.
- Implement a continuous employee awareness, education and training program on your data security policies and procedures.
- Prepare for a data breach by having an Incident Response Plan reviewed and tested frequently to ensure the plan can be executed effectively and timely.
- Have cyber and privacy liability insurance coverage with appropriate limits of liability, so in the event of a cyber breach, you have a financial backstop to cover the losses that may occur as a result.
4. What are four key elements of a comprehensive incident response plan?
A comprehensive incident response plan should outline the steps to take if a data breach is suspected or occurs. A living document (which should be continuously updated as the business changes), like an IRP, must outline who will respond to a breach and how. An IRP should be clear, succinct and organized in sections, while containing the appropriate details for response: who, what, when and how for various situations. More specifically, there are four key elements every IRP needs:
- Incident Response Team – this should outline the roles & responsibilities of team members, as well as list both internal and external team members and their detailed contact information, along with their specific role and notification level.
- Incident Triage Notification – this should contain the various trigger notifications of a response team, insurance carrier, law enforcement, outside forensic investigation, crisis and media management.
- Breach Response – this includes detailed response procedures such as timing, affected individuals, and government notification. It should also address issuing a press release, internal communications, what’s posted on the website, and accompanying remedies such as credit monitoring and identity theft resolution.
- Mitigation & Remediation – this should cover investigation outcomes to correct vulnerabilities, harden the system from further breaches, and review and improve the incident response team.
Having a detailed and tested IRP in place prior to a breach occurring will save you time, money, and reputational damage when the inevitable happens.
5. How do you determine how much cyber insurance your company needs?
When determining what kind or how much cyber insurance to buy, always start by asking, “What do I need?” The cyber insurance market is highly competitive, with many insurers currently focused on building market share, so a carrier might be willing to give you coverage or terms that another won’t.
Then, look at your limits of liability. One of the most important issues in negotiating cyber insurance is determining the appropriate limits of liability. The cost of responding to a data breach can be substantial. Estimates vary, but one study found that in 2011, the average organizational cost of a data breach involving the loss or theft of personal data was $5.5 million, or $194 per electronic record. Because cyber insurance isn’t particularly expensive, you should choose limits of liability in line with your total potential liability exposure in the event of a breach.
Get retroactive coverage. Most cyber insurance policies limit coverage to breaches that occur after a specified “retroactive date.” In some, this date is the same as the policy’s inception date. This means there may not be coverage provided for claims made due to breaches that occurred before the policy period, even if the insured did not know about the breach when it bought the policy. Because breaches may go undiscovered for some time before claims are made, you should always ask for a retroactive date that is earlier than the inception date. This will ensure the coverage includes unknown breaches that occurred before the policy incepted but first give rise to a claim after it did.
With constant attacks by hackers from around the globe, every business is vulnerable to cyber breaches. While companies have to fend off multiple breaches every day, an attacker only has to be successful once to gain access to valuable intel.