"We've been hacked."
More than one company — in fact, more than one government — awoke to the reality of this unsettling statement in 2015. All indications are that data breaches and other cyber-related exposures are on the rise, and the situation may become worse before it gets better.
According to the Identity Theft Resource Center (ITRC), from January through October 2015 there were more than 620 data breaches in the United States, resulting in 176 million records being exposed. Once a breach has been discovered, the associated tangible and intangible costs can be significant and affect a business's long-term ability to survive. According to the 2015 NetDiligence Cyber Claims Study, the average cyber-related insurance claim amounted to $673,767 ($4.8 million for a large company and $1.3 million per claim in the healthcare sector). The study also reported the average cost per breached record amounted to about $964.
According to Richard Clarke, the former national coordinator for security, infrastructure protection and counterterrorism for the United States, there are two types of companies — those that have been breached and are aware of it, and those that have been breached and just don't know.
It's clear that many companies stand to benefit when they prepare a cyber strategy before a claim occurs. The following are some of the steps in developing such a strategy:

1. Identify assets. What constitutes a critical asset will often vary from company to company.
For example, retail operations, healthcare facilities, and higher education institutions might consider their customer data to be a critical asset.
Manufacturing, energy and telecommunications firms typically consider their critical assets to be industrial control systems.
Financial institutions might take a different view and identify the trading platform to be a critical asset.
2. Outline a plan of action. Companies need to establish a plan of action and identify measures to help protect their assets. Have clients vet upstream and downstream supply chain vendors to inquire whether they employ cyber security best practices.

3. Develop partnerships. Leveraging the assistance of a skilled service provider — professionals who have handled prior data breaches — may make dealing with a cyber incident an easier process.
This might include a breach coach, who is typically an external legal counselor skilled in handling data breaches, or a data breach resolution service that offers pre-breach assessment and education and post-breach remediation services.
4. Train employees. Employees often pose the greatest internal threat to a company.
While malicious employees play a part, studies have shown that more often than not, it's an honest employee who causes cyber incidents, either through human error or by mistakenly doing what the employee believes is right.
Developing and distributing a cyber emergency response plan can be the first step, but the company should also train all employees and turn the response plan into a protocol — that is, make it almost second nature as opposed to an afterthought. It's important for everyone — from the C-suite down to entry level — to be onboard and know how the plan unfolds.

Consider Cyber coverage
To survive, a company needs to do all it can to prepare for a cyber incident. Being prepared often goes beyond developing a cyber strategy — it should also include consideration of a Cyber insurance policy as a risk management transfer mechanism.
While most business leaders don't think twice about purchasing a Commercial Property or General Liability insurance policy, when it comes to Cyber, far fewer companies have secured this specialized coverage. A robust Cyber insurance policy generally provides first- and third-party coverages designed to address data breach exposures, including coverages for the following:
- Security breach expenses incurred to establish whether a breach has occurred, investigate the cause and scope of the intrusion, and notify victims.
- Actual loss of business income and extra expenses that a company incurs as a result of ceasing its web activities because of a virus or extortion threat.
- Extortion threats and threats to introduce a virus, malicious code, or a denial-of-service (DoS) attack into the insured's computer system; divulge the organization's proprietary information; inflict ransomware; or publish the personally identifiable information (PII) or personal health information (PHI) of the insured's clients.
- Public relations expenses associated with restoring a firm's reputation following a breach.
- The cost to replace or restore electronic data or computer programs damaged or destroyed by a virus, malicious code or DoS attack.
- Security breach liability arising from the unauthorized disclosure of a third party's PII or PHI from within the computer system or if the firm's computer system spreads a virus to a third party.
- Liability arising from programming errors or omissions that ultimately disclose clients' confidential information held within the computer system.
- Website publishing liability and media liability for errors, misstatements or misleading statements posted on a website that infringe on another party's copyright, trademark, trade dress or service mark; defame a person or organization; or violate a person's right of privacy.

Advance planning is often the best defense in combating cyber risk. Companies that develop and implement a well-prepared cyber security strategy before a cyber incident occurs are generally in a better position to respond and survive.
Shawn E. Dougherty is director of cyber at ISO Solutions, a Verisk Analytics business.