At the 2015 Philly I-Day, a panel presented an engaging session designed to educate underwriters, brokers, claims adjusters and risk managers about the risks and challenges of cyber attacks. The panel consisted of:
- David Shannon, Esq., Co-Chair, Privacy & Data Security Practice Group, Marshall Dennehey Warner Coleman & Goggin
- Mark Greisiger, President, NetDiligence
- Matthew Prevost, RPLU, Vice President, Professional Risk, ACE USA
- Moderator: John Dempsey, CPA, CFE, Managing Director, Aon Global Risk Consulting
Your data is everywhere. It can be accessed through servers, multiple databases, physical transport, remote users, laptops, backup storage facilities, service providers, vendors, off-shore operations and credit card processors. Cyber is consistently listed as one of the top concerns of risk managers. The number of reported cyber breaches has escalated significantly over the last few years, and an increasing number of cyber breaches go unreported – either intentionally, to avoid publicizing the event, or because the breach was not detected.
According to the 2014 NetDiligence Cyber Claims Study, the average per-record cost of a breach is $956. This is more than triple what the cost was in 2013, primarily due to increased requirements from states for notifications and data monitoring following a breach. Large companies, on average, spend $2.9 million per breach. For larger retailers or healthcare providers, the exposures can be significantly higher. This doesn’t factor in the negative public relations costs associated with a breach.
The main sources of cyber attacks include insiders (malicious or disgruntled employees), outside attackers, viruses and malware, non-malicious employees (for example, clicking on an infected e-mail), and third-party vendors.
The top four weak spots found with regard to data are:
- Flawed or ignored intrusion detection software.
- Lack of data encryption.
- Inadequate patch management – system and network updates.
- Lack of centralized security event logs.
Recommendations for developing a cyber risk management program include:
- Cyber Risk Assessments: The purpose of an assessment is to identify the strengths and weaknesses of your data protection program. This is important to affirm you are complying with “reasonable” safeguards based on your industry. This “reasonable” threshold is important when it comes to prevailing in lawsuits that arise from cyber breach events.
- Preventative Measures: As mentioned previously, the key here is making sure that you are complying with “reasonable” safeguards based on industry standards and updating your protective measures as new threats emerge. Your insurance coverage is an element of these protective measures because preventing all breaches is almost impossible. You must have coverage in place as protection in the event of a breach. To secure this coverage, you need the assessment to quantify the amount and type of data that your system contains. This will assist in determining how much coverage you need. What was seen as adequate policy limits two years ago is just a fraction of what is recommended now. Large, high-profile breaches have highlighted just how great the potential exposures can be.
- Breach Response Team: The breach response team’s first responsibility is containing the breach and alerting the appropriate internal parties. Next there must be an investigation to determine the source of the breach. Finally, the response team must notify law enforcement, their insurance carrier, appropriate federal and state agencies, and those whose data was involved in the breach.
- Purging Old Data: Many companies keep data long beyond what is required by law or for business purposes. This additional data creates additional, and unnecessary, cyber breach exposures. Companies should establish and follow a program to purge old data from their systems.
- Vendor Management: Focusing on your internal cyber risk vulnerabilities is only a piece of the puzzle. Many large cyber breaches happened because a third-party vendor with access to the company’s systems or data was itself breached. Thus, an essential element of any cyber risk management program is making sure your vendors meet or exceed your internal protocols around data. This can be very challenging for companies that work with smaller businesses.
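The Purging Old Data recommendation above is easier to follow when the retention rules are written down and applied by a routine rather than by hand. The following is an added example, not code from the panel or from any of the panelists’ organizations; the data categories, retention periods, record layout and dates are all constructed for illustration, and real retention periods must come from the legal and regulatory requirements that apply to your industry. It shows a purge that respects a legal hold, refuses to delete records of an unknown category, and writes an audit entry for every deletion.

```python
from datetime import date, timedelta

# Retention period per data category, in days. These values are constructed
# for the example; actual periods come from legal and compliance requirements.
RETENTION_DAYS = {
    "marketing_lead": 365,
    "customer_account": 7 * 365,
    "payment_card": 90,
}


def classify_records(records, today, legal_holds=frozenset()):
    """Sort records into those to purge, those kept under legal hold,
    and those whose category has no retention rule (never purged blindly).

    records: iterable of dicts with keys 'id', 'category', 'last_activity' (date)
    legal_holds: record ids that must be kept regardless of age
    """
    result = {"purge": [], "held": [], "unknown": []}
    for rec in records:
        days = RETENTION_DAYS.get(rec["category"])
        if days is None:
            # No rule for this category: flag it for review instead of deleting.
            result["unknown"].append(rec["id"])
            continue
        if today - rec["last_activity"] <= timedelta(days=days):
            continue  # still within its retention period
        if rec["id"] in legal_holds:
            # Expired, but litigation or investigation requires keeping it.
            result["held"].append(rec["id"])
            continue
        result["purge"].append(rec["id"])
    return result


def purge(store, ids, audit_log, today):
    """Delete the given ids from store (a dict keyed by id) and append one
    audit entry per deletion. Returns the number of records removed."""
    removed = 0
    for rid in ids:
        rec = store.pop(rid, None)
        if rec is not None:
            audit_log.append({"date": today.isoformat(), "id": rid,
                              "category": rec["category"], "action": "purged"})
            removed += 1
    return removed


# Constructed sample data set (not real records).
SAMPLE_TODAY = date(2015, 6, 1)
SAMPLE_STORE = {
    "r1": {"id": "r1", "category": "marketing_lead", "last_activity": date(2013, 1, 15)},
    "r2": {"id": "r2", "category": "marketing_lead", "last_activity": date(2015, 3, 1)},
    "r3": {"id": "r3", "category": "payment_card", "last_activity": date(2015, 1, 1)},
    "r4": {"id": "r4", "category": "customer_account", "last_activity": date(2005, 1, 1)},
    "r5": {"id": "r5", "category": "survey_response", "last_activity": date(2010, 1, 1)},
    "r6": {"id": "r6", "category": "payment_card", "last_activity": date(2015, 4, 1)},
}
SAMPLE_HOLDS = frozenset({"r4"})


def run_sample():
    """Classify and purge the constructed data set; returns (plan, removed, audit_log)."""
    store = {k: dict(v) for k, v in SAMPLE_STORE.items()}
    plan = classify_records(store.values(), SAMPLE_TODAY, SAMPLE_HOLDS)
    audit_log = []
    removed = purge(store, plan["purge"], audit_log, SAMPLE_TODAY)
    return plan, removed, audit_log


if __name__ == "__main__":
    plan, removed, audit_log = run_sample()
    print("to purge:", plan["purge"])
    print("on legal hold:", plan["held"])
    print("needs a retention rule:", plan["unknown"])
    print("removed:", removed)
    for entry in audit_log:
        print(entry)
```

The split into a classification step and a deletion step is deliberate: the classification can be run as a dry run and reviewed before anything is deleted, and the "unknown" bucket surfaces data the retention program has not yet covered, which is exactly the data that tends to accumulate unnoticed.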