
6 steps to take to evaluate cyber risk

Data breaches are no longer a peripheral concern. They are now a business risk. (Photo: iStock)

Daily news reports of cyber data incidents serve as a constant reminder of the growing cyber risks that companies face.

According to the Identity Theft Resource Center, there were 781 data breaches reported in 2015 alone, compromising nearly 170 million private records. As these numbers continue to skyrocket, the question for executives and risk managers has become not if you will experience a data breach but when. Response tactics aside, just wrapping your head around the risks and developing a strategy in a changing environment present their own significant challenges.

To make the most informed decisions, you need information. However, the issue isn't finding information, but finding the right information and knowing how to use it. Try typing “cyber security” into a Google search. You’ll get approximately 16 million search results. According to Google’s published trends, the term is searched more than 33,000 times monthly ― a 100% increase from mid-2014. With that information comes a lot of questions, but not always clear answers.

The past year has seen the surge of Cyber Liability insurance adoption ― and with it an influx of new questions.

Risk managers and C-suite executives across industries want to know: Do I need Cyber insurance? How does it fit into my risk strategy? What’s the right coverage, and how do I prepare for a cyber intrusion or data breach incident? 

Before you and your broker sit down with a Cyber insurance provider, take some time to assess your potential cyber liability and fill gaps where you can.

It’s become clear that cyber risk is not a peripheral concern, and certainly not exclusively an information technology problem. It’s a business risk, and one that is recognized at the highest levels of the organization. According to BDO's recent Board Survey, more than two-thirds of directors report that their board is more involved in cybersecurity than it was a year ago.

What may be reassuring about this realization is that successful companies already address business risks every day. As with any other risk, addressing cyber security concerns starts with a risk assessment. In fact, many Cyber insurance providers require a self-administered risk assessment before extending coverage. The assessment is often factored into policy underwriting.

Here are six steps you can follow to evaluate cyber risk and prepare your organization:

Security breach

For many companies, it is their intellectual property that hackers are interested in. (Photo: iStock)

1. Assess IT security

At first blush, this task can seem overwhelming, particularly for companies with fewer resources. Start by considering the information your company owns, how it's collected and where it's stored. The process should involve key members across the organization, from management to operations to back of the house. The IT team should be heavily involved as well.

A proper assessment process identifies the data at risk, and considers both protected data and proprietary data.

Most of the data breaches that make headlines concern cyber incidents involving protected data, such as an individual’s personal health information or credit card information.

However, for many companies the most valuable data they own, and the greatest data breach risk, is intellectual property such as trade secrets and patents.

Look no further than the examples of Sony or Avid Life Media to understand that some hackers are interested in far more than stealing Social Security numbers.

Motivations can span foreign government-sponsored espionage, extortion or even moral outrage. These types of attacks are seldom in the news because companies are not required to report such incidents, and especially because they often involve criminal investigations. 

Credit card data

If your customers' credit card information is stolen, do you know how much that will cost you? (Photo: iStock)

2. Quantify risk

With guidance from key department personnel and IT, seek to develop two to three data breach scenarios that could affect the organization. The goal is to quantify the potential financial impact.

  • Leverage any IT security assessments that have been performed in the past, such as penetration testing or white-hat modeling.
  • Consider the costs in the following categories: computer forensics, crisis management, notification costs, credit monitoring, data restoration, defense costs, fines and penalties, and business interruption.
  • Use this assessment as an opportunity to line up potential vendors to assist with a breach by seeking cost estimates for the response to your scenario. For example, if you have a breach affecting 150,000 records of credit card numbers from customers living across 12 states, your attorneys should be able to provide a fee estimate of the legal and notification costs.

After you’ve developed scenarios and response cost estimates, your company can develop a strategy to address the risk and better quantify the potential benefits of Cyber coverage.


Electronic vandalism

Your property policy might provide some coverage for electronic vandalism in certain circumstances. (Photo: iStock)

3. Evaluate existing insurance policies

After completing an assessment, evaluate your existing Property, Liability, Cyber or Fidelity policies to identify what risks may already be covered.

For example, some property policies provide electronic vandalism coverage that may apply to certain cyber events. 

Ultimately, this evaluation will enable you to identify gaps and coverage limits in your insurance program. For many organizations, this is helpful because with the uninsured financial exposures identified, management can perform a more complete review of the overall risk strategy. 

Outside hacker

Outside hackers aren't the only threat you face. Data breaches often happen because of employees or vendors making mistakes. (Photo: iStock)

4. Improve security and overall risk strategy

As most organizations recognize, insurance is just one part of the overall risk strategy. 

With a proper evaluation of the uninsured risks and financial exposures, informed decision-makers can more easily decide which risks are retained, which risks are mitigated through additional insurance or where risks are addressed through investing in IT infrastructure, hiring and training employees.

When it comes to investing in your IT infrastructure, one cost-effective method to consider is focusing your efforts on securing your most valuable data, as opposed to multiple layers of defensive controls spread around all the organization’s data.

Even if you could anticipate all the ways intruders might access your network, half of all data breach incidents come from employee or vendor errors. You can spend a fortune to build the strongest castle walls in the world, but that won’t save you from an error, accident, or worse, a fraudulent act, by a trusted employee already inside.


Cyber response plan

Your managers should know what to do ahead of time in the event of a cyber incident. (Photo: iStock)

5. Prepare your organization

For the unprepared management team, reacting to a data breach can quickly become a disorganized effort.

It is essential to have a response plan before an issue arises. Most companies have formal disaster recovery and business continuity plans. They should also have a formal cyber incident response plan.

It's worth noting that a number of industry regulators have started to move toward mandating and conducting assessments of cyber incident response plans.

In its September 2015 Risk Alert, the Securities and Exchange Commission announced the intent of its Office of Compliance Inspections and Examinations examiners to assess “developed plans to address possible future events.” The Financial Industry Regulatory Authority Inc. and the Federal Financial Institutions Examination Council have shared similar guidance.

The plan should clearly define roles and responsibilities. Consultants such as IT specialists, attorneys and public relations managers should be identified, and key response team members should be authorized to quickly hire these consultants when facing an incident. Additionally, the response team should practice plan implementation. The moments after an actual data breach should not be the first time the response team members from your customer service department talk with fellow team members from IT.

Finally, make it a habit to continually reassess your environment. Executives are well versed in reading and analyzing reports like balance sheets and cash-flow statements. IT assessments and vulnerability reports should be no different, as management will be held responsible for the monitoring of its organization’s security in the wake of a breach.

Cyber damage control

You need to know what your Cyber policy will and will not cover, as well as its limits and deductibles, before buying. (Photo: iStock)

6. When buying Cyber insurance, review the coverage

Cyber insurance as a product is still in its infancy, and no policy offers a one-size-fits-all solution.

Because measuring cyber risk involves many variables and has yet to be standardized, policies can vary greatly in terms of coverage, exemptions and cost. Cyber insurance premiums run the gamut from $5,000 to more than $1 million, so you want to find the coverage that best represents your organization's specific needs at an affordable rate, based on your assessment and risk strategy.

Cyber policies typically offer either first-party or third-party coverage, or both.

First-party coverage refers to direct losses to your organization from a cyber incident, which can encompass business interruption, breach notification and certain elements of crisis management. Third-party coverage extends to the legal liability resulting from a data breach or cyber attack, such as privacy violations or damages to third-party vendors.

When you get to the negotiating table, make sure you have a solid understanding of what the policy covers and what it does not, as well as coverage limits and deductibles. Cyber insurance doesn’t need to be prohibitively expensive ― but you’ll need to do some homework first.

Matt Hanson is a senior manager with BDO Consulting’s forensic insurance and recovery practice. Contact him at mhanson@bdo.com.

Drew Olson is a director in BDO Consulting’s forensic insurance and recovery practice. Contact him at dolson@bdo.com.
