Daily news reports of cyber data incidents serve as a constant reminder of the growing cyber risks that companies face.
According to the Identity Theft Resource Center, there were 781 data breaches reported in 2015 alone, compromising nearly 170 million private records. As these numbers continue to skyrocket, the question for executives and risk managers has become not if you will experience a data breach but when. Response tactics aside, just wrapping your head around the risks and developing a strategy in a changing environment present their own significant challenges.
To make the most informed decisions, you need information. However, the issue isn't findinginformation, but finding the rightinformation and knowing how to use it. Try typing “cyber security” into a Google search. You’ll get approximately 16 million search results. According to Google’s published trends, the term is searched more than 33,000 times monthly ― a 100% increase from mid-2014. With that information comes a lot of questions, but not always clear answers.
The past year has seen the surge of Cyber Liability insurance adoption ― and with it an influx of new questions.
Risk managers and C-suite executives across industries want to know: Do I need Cyber insurance? How does it fit into my risk strategy? What’s the right coverage, and how do I prepare for a cyber intrusion or data breach incident?
Before you and your broker sit down with a Cyber insurance provider, take some time to assess your potential cyber liability and fill gaps where you can.
It’s become clear is cyber risk is not a peripheral concern, and certainly not exclusively an information technology problem. It’s a business risk, and one that is recognized at the highest levels of the organization. According to BDO's recent Board Survey, more than two-thirds of directors report that their board is more involved in cybersecurity than it was a year ago.
What may be reassuring about this realization is that successful companies already address business risks every day. As with any other risk, addressing cyber security concerns starts with a risk assessment. In fact, many Cyber insurance providers require a self-administered risk assessment before extending coverage. The assessment is often factored into policy underwriting.
Here are six steps you can follow to evaluate cyber risk and prepare your organization:
For many companies, it is their intellectual property that hackers are interested in. (Photo: iStock)
1. Assess IT security
At first blush, this task can seem overwhelming, particularly for companies with fewer resources. Start by considering the information your company owns, how it's collected and where it's stored. The process should involve key members across the organization, from management to operations to back of the house. The IT team should be heavily involved as well.
A proper assessment process identifies the data at risk, and considers both protected data and proprietary data.
Most of the data breaches that make headlines concern cyber incidents involving protected data, such as an individual’s personal health information or credit card information.
However, for many companies the most valuable data they own, and the greatest data breach risk, is intellectual property such as trade secrets and patents.
Look no further than the examples of Sony or Avid Life Media to understand that some hackers are interested in far more than stealing Social Security numbers.
Motivations can span foreign government-sponsored espionage, extortion or even moral outrage. These types of attacks are seldom in the news because companies are not required to report such incidents, and especially because they often involve criminal investigations.
If your customers' credit card information is stolen, do you know how much that will cost you? (Photo: iStock)
2. Quantify risk
With guidance from key department personnel and IT, seek to develop two to three data breach scenarios that could affect the organization. The goal is to quantify the potential financial impact.
- Leverage any IT security assessments that have been performed in the past, such as penetration testing or white-hat modeling.
- Consider the costs in the following categories: computer forensics, crisis management, notification costs, credit monitoring, data restoration, defense costs, fines and penalties, and business interruption.
- Use this assessment as an opportunity to line up potential vendors to assist with a breach by seeking cost estimates for the response to your scenario. For example, if you have a breach affecting 150,000 records of credit card numbers from customers living across 12 states, your attorneys should be able to provide a fee estimate of the legal and notification costs.
After you’ve developed scenarios and response cost estimates, your company can develop a strategy to address the risk and better quantify the potential benefits of Cyber coverage.
Your property policy might provide some coverage for electronic vandalism in certain circumstances. (Photo: iStock)
3. Evaluate existing insurance policies
After completing an assessment, evaluate your existing Property, Liability, Cyber or Fidelity policies to identify what risks may already be covered.
For example, some property policies provide electronic vandalism coverage that may apply to certain cyber events.
Ultimately, this evaluation will enable you to identify gaps and coverage limits in your insurance program. For many organizations, this is helpful because with the uninsured financial exposures identified, management can perform a more complete review of the overall risk strategy.
Outside hackers aren't the only threat you face. Data breaches often happen because of employees or vendors making mistakes. (Photo: iStock)
4. Improve security and overall risk strategy
As most organizations recognize, insurance is just one part of the overall risk strategy.
With a proper evaluation of the uninsured risks and financial exposures, informed decision-makers can more easily decide which risks are retained, which risks are mitigated through additional insurance or where risks are addressed through investing in IT infrastructure, hiring and training employees.
When it comes to investing in your IT infrastructure, one cost-effective method to consider is focusing your efforts on securing your most valuable data, as opposed to multiple layers of defensive controls spread around all the organization’s data.
Even if you could anticipate all the ways intruders might access your network, half of all data breach incidents come from employee or vendor errors. You can spend a fortune to build the strongest castle walls in the world, but that won’t save you from an error, accident, or worse, a fraudulent act, by a trusted employee already inside.
Your managers should know what to do ahead of time in the event of a cyber incident. (Photo: iStock)
5. Prepare your organization
For the unprepared management team, reacting to a data breach can quickly become a disorganized effort.
It is essential to have a response plan before an issue arises. Most companies have formal disaster recovery and business continuity plans. They should also have a formal cyber incident response plan.
It's worth noting that a number of industry regulators have started to move toward mandating and conducting assessments of cyber incident response plans.
In its September 2015 Risk Alert, the Securities and Exchange Commission announced the intent of its Office of Compliance Inspections and Examinations examiners to assess “developed plans to address possible future events.” The Financial Industry Regulatory Authority Inc. and the Federal Financial Institutions Examination Council have shared similar guidance.
The plan should clearly define roles and responsibilities. Consultants such as IT specialists, attorneys and public relations managers should be identified, and key response team members should be authorized to quickly hire these consultants when facing an incident. Additionally, the response team should practice plan implementation. The moments after an actual data breach should not be the first time the response team members from your customer service department talk with fellow team members from IT.
Finally, make it a habit to continually reassess your environment. Executives are well versed in reading and analyzing reports like balance sheets and cash-flow statements. IT assessments and vulnerability reports should be no different, as management will be held responsible for the monitoring of its organization’s security in the wake of a breach.
You need know what your Cyber policy will and will not cover, as well as its limits and deductibles, before buying. (Photo: iStock)
6. When buying Cyber insurance, review the coverage
Cyber insurance as a product is still in early infancy, and no policy offers a one-size-fits-all solution.
Because measuring cyber risk involves many variables and has yet to be standardized, policies can vary greatly in terms of coverage, exemptions and cost. Cyber insurance premiums run the gamut from $5,000 to more than $1 million, so you want to find the coverage that best represents your organization's specific needs at an affordable rate, based on your assessment and risk strategy.
Cyber policies typically offer either first-party or third-party coverage, or both.
First-party coverage refers to direct losses to your organization from a cyber incident, which can encompass business interruption, breach notification and certain elements of crisis management. Third-party coverage extends to the legal liability resulting from a data breach or cyber attack, such as privacy violations or damages to third-party vendors.
When you get to the negotiating table, make sure you have a solid understanding of what the policy covers and what it does not, as well as coverage limits and deductibles. Cyber insurance doesn’t need to be prohibitively expensive ― but you’ll need to do some homework first.
Matt Hanson is a senior manager with BDO Consulting’s forensic insurance and recovery practice. Contact him at firstname.lastname@example.org.
Drew Olson is a director in BDO Consulting’s forensic insurance and recovery practice. Contact him at email@example.com
You’re invited to join us on Facebook