"We've been hacked."

More than one company — in fact, more than one government — awoke to the reality of this unsettling statement in 2015. Reports about hacks into accounts at eBay, Sony Pictures Entertainment, and the Central Intelligence Agency may have been among the most publicized incidents, but weren't the only serious breaches recorded. If time has proven anything, it's that cyber-related exposures are not diminishing, nor are they being stopped by security measures.

All indications are that data breaches and other cyber-related exposures are on the rise, and the situation may become worse before it gets better. According to the Identity Theft Resource Center, there have been more than 620 data breaches in the United States in 2015, resulting in 176 million records being exposed (as recorded through October).

Some of the largest data breaches on record have occurred within the past year, including:

  • Healthcare provider Anthem, with personal information reportedly compromised for as many as 97 million people.

  • Social website AshleyMadison.com, with personal details for 36 million user accounts stolen and made public.

  • The federal Office of Personnel Management (OPM), with more than 5.6 million fingerprint records reportedly stolen.

Two types of corporate victims

According to Richard Clarke, the former national coordinator for security, infrastructure protection and counterterrorism for the United States, there are two types of companies — those that have been breached and are aware of it, and those that have been breached and just don't know.

Once a breach has been discovered, the tangible and intangible costs associated can be significant and affect a business' long-term ability to survive. According to the 2015 NetDiligence Cyber Claims Study, the average cyber-related insurance claim amounted to $673,767 ($4.8 million for a large company and $1.3 million per claim in the healthcare sector). The study also reported the average cost per breached record amounted to about $964.

Cyber exposures

In the current marketplace, many businesses can amass a great deal of information about customers and employees and then store the information indefinitely.

The primary cyber-related exposure a company often faces is a data breach that results in unauthorized access or release of an individual's personally identifiable information (PII) or protected health information (PHI). PII includes such information as name, address, birth date, Social Security number, driver's license number, and credit card or financial account information. PHI includes an individual's healthcare policy number, biometric information, medical condition, test results, prescriptions, and so forth.

As technology continues to advance, the cyber exposures that companies face are expected to increase exponentially. To that end, a company's management team needs to consider cyber-related exposures from different perspectives:

  • Cyber as a peril: Businesses are becoming more automated and depend increasingly on computers, software and the Internet to manage their industrial control systems. Managers of these critical infrastructure operations — including energy, utilities, communications, transportation and manufacturing — need to consider and evaluate the potential impact that catastrophic events such as cyber terrorism and cyber war can have. What would the implications be for the business if control systems were to fail or be destroyed? What would the potential impact be on the company's main business operations and those of its contributors in the supply chain?

  • Corporate financial perspective: When evaluating cyber exposures, a company must assess its financial health and ability to survive a threat. In conducting audits and assessments, rating agencies may ask the company how it would react to a cyber threat. If the company is publicly traded, its stock price might be affected. A company could face lawsuits from shareholders and customers for failing to take adequate cybersecurity measures. Additionally, a company experiencing a cyber incident might experience reputational harm and loss of business, even if only for a short period of time. Lastly, a company has to decide whether to secure cyber insurance.

  • Information Technology perspective: Excellent cybersecurity measures and dedicated IT resources are critical to helping protect a company's assets. Many businesses continually wrestle with whether to invest more in IT operations to prevent cyber breaches and better protect their data or to purchase cyber insurance in the event of a breach. Many IT experts now believe that 100 percent prevention is impossible and that working to mitigate the losses during a cyber incident may be a prudent course of action.

  • Insurance perspective: Depending on the extent of its business operations, a company may have to comply with multiple federal and state privacy laws if a data breach is discovered. Currently, 47 states and the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have enacted laws requiring private or government entities to notify potentially affected individuals of a data breach. Has the company secured the services of a data breach coach or remediation firm to help address those requirements? Is there adequate insurance coverage to help pay for breach-related expenses?

Preparing for the worst

It's clear that many companies stand to benefit when they prepare a cyber strategy before a claim occurs. Here are some of the steps in developing such a strategy:

  • Identify assets. What constitutes a critical asset will often vary from company to company. For example, retail operations, health care facilities and higher education institutions might consider their customer data to be a critical asset. Manufacturing, energy and telecommunications companies might consider their critical asset to be industrial control systems. Financial institutions, on the other hand, might take a different view and identify the trading platform to be a critical asset. Regardless, identifying what assets need to be protected is a crucial first step.

  • Outline a plan of action. Companies need to establish a plan of action and identify measures to help protect their assets. Vetting upstream and downstream supply chain vendors to inquire whether they employ cybersecurity best practices should be included in any strategy.

  • Develop partnerships. Leveraging the services of a skilled service provider — professionals who have handled prior data breaches — may make dealing with a cyber incident an easier process. This might include a breach coach, typically an external legal counselor skilled in handling data breaches, or a data breach resolution service that offers pre-breach assessment and education and post-breach remediation services.

  • Train employees: Employees often pose the greatest internal threat to a company. While malicious employees play a part, studies have shown that more often than not, it's an honest employee who causes cyber incidents, either through human error or by mistakenly doing what the employee believes is right. Developing and distributing a cyber emergency response plan can be the first step, but the company should also train all employees and turn the response plan into a protocol — that is, make it almost second nature as opposed to an afterthought. It's important for everyone — from C-suite down to entry level — to be on board and know how the plan unfolds.

Consider Cyber insurance

To survive, a company needs to do all it can to prepare for a cyber incident. Being prepared oftentimes goes beyond developing a cyber strategy — it should also include consideration of a Cyber insurance policy as a risk management transfer mechanism.

While most business leaders don't think twice about purchasing a Commercial Property or General Liability insurance policy, when it comes to cyber, far fewer companies have secured this specialized coverage. A robust Cyber insurance policy generally provides first- and third-party type coverages designed to address data breach exposures, including coverages for the following:

  • Security breach expenses incurred to establish whether a breach has occurred, investigate the cause and scope of the intrusion, and notify victims

  • Actual loss of business income and extra expenses that a firm incurs as a result of ceasing its web activities due to a virus or extortion threat

  • Extortion threats and threats to introduce a virus, malicious code, or a denial-of-service attack into the insured's computer system; divulge the firm's proprietary information contained in the system; inflict "ransomware"; or publish the PII or PHI of the firm's clients

  • Public relations expenses associated with restoring a firm's reputation following a data breach

  • The cost to replace or restore electronic data or computer programs damaged or destroyed by a virus, malicious code, or denial-of-service attack

  • Security breach liability arising from the unauthorized disclosure of a third party's PII or PHI from within the computer system or if the firm's computer system spreads a virus to a third party

  • Liability arising from programming errors or omissions that ultimately disclose clients' confidential information held within the computer system

  • Website publishing liability and media liability for errors, misstatements, or misleading statements posted on a website that infringe on another party's copyright, trademark, trade dress, or service mark; defame a person or organization; or violate a person's right of privacy

Advance planning is often the best defense in combating cyber risk. Companies that develop and implement a well-prepared cybersecurity strategy before a cyber incident occurs are generally in a better position to respond and survive.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.