During a session at the RIMS 2018 Annual Conference, Shiraz Saeed, National Practice Leader – Cyber Risk, Starr Companies, and Jean Nkamdon, CPA, CFE, RIMS-CRMP, Risk Management & Compliance Manager, The Washington Post, led a conversation about cyber risk dynamics. During the session they covered the new risks presented by the Internet of Things and the interconnectedness of multiple technology systems.
How do we identify exposures?
Do you handle private information?
- PII, PHI, PFI
- Corporate confidential information
- Company (employees)
- Clients (consumer or commercial)
Where do you store the information?
- Online vs. offline information
- System topology
- Do you operate the network yourself or outsource it?
- Security and governance
Do you have a website?
- What content is on the site?
- Can employees or third parties upload content (blogs, posts, pictures or comments)?
- Content ownership
How can an event occur?
- Malicious: stealing information (e.g. card skimming)
- Negligence: lost devices (laptop, smartphone or tablet)
- Vendors: their security and governance
- Individual hackers or organized crime, with ideological and/or financial motives, who may be:
  - stealing information
  - sending viruses or malicious code, including ransomware
  - disrupting the business
There are two coverage triggers. Security failure is the failure of a company to protect its own systems, including virus, malicious code and malware attacks; the other trigger is a privacy failure, the failure to protect the private information (PII, PHI, PFI) identified above.
Third-Party and First-Party Coverage
Incident response expenses (first-party) include legal consultation, forensic investigation, public relations services, notification to consumers where legally mandated, and providing ID-theft or credit monitoring. Security and privacy liability (third-party) covers claims brought by government agencies, individuals (including class actions) or businesses, as well as administrative proceedings.
First-party coverage also includes business interruption, data recovery and cyber extortion. Business interruption addresses loss of income and continuing operating expenses resulting from the interruption or suspension of business due to a failure of network security. Data recovery covers the costs of restoring, recollecting or recreating lost electronic data. Cyber extortion covers extortion threats against a company's computer network and confidential information by an outsider seeking money or other valuables.
There are many things to keep in mind when assessing your exposure: the volume and type of records you hold, your security and governance, and your vendors. Regarding coverage, distinguish non-physical from physical coverage. Also consider claims handling, which turns on policy triggers vs. causes of loss vs. resulting damage.