Cyber attacks expose an organization to various cyber risks like financial loss, regulatory sanctions and reputational damage. In this session at the 2016 California Workers’ Compensation & Risk Conference, Heather Wilkinson, Vice President, FINEX E&O/Cyber Manager at Willis Towers Watson, discussed current cyber threats and what companies can do to counter them.
The cyber insurance marketplace is expanding. Total premiums have reached $2 billion, with expectations that they will reach $20 billion by 2025. Underwriting guidelines are becoming more in-depth at a rapid pace, and it is becoming more difficult for companies to prove their insurability. This typically requires completion of a complicated application and interviews with third-party vendors. Those who have access to your network and sensitive data are now being evaluated as well.
In 2014, 68% of healthcare data breaches were caused by lost or stolen devices containing health information. In 2015, 99% of healthcare data breaches were caused by criminal hacking events using social engineering techniques to target their victims.
Human error is still the primary method that hackers use to enter a system – typically triggered by an employee clicking on a link that engages the malware – so training of employees is critical. No company, large or small, is immune to these “phishing” events. Frequency is low, but severity is high. Affected organizations are facing millions in class-action lawsuits. In 2015, the average cost of a data breach in the U.S. was reported at $6.5 million.
There is a variety of employee training available, varying from companies that will send fake phishing e-mails to employees (40% usually click on the first e-mail) to putting employees who click on a phishing e-mail in a virtual jail, where they have to pass a 15-minute training module before they can return to their work. However you decide to train, boardroom engagement is key. The tone needs to start from the top to promote a culture of security vigilance.
It is also important to have a data breach incident response plan and team. Make sure your plan is tested and practiced regularly. In relation to the response team, appoint team back-ups to compensate for unreachable employees in case the breach occurs after hours or on the weekend.
The next step is knowing what to do if a breach actually occurs. Once discovered, perform an initial analysis and contact your cyber insurance carrier. Next, assess the situation and deploy the incident team. If legally obligated to notify consumers or employees, notify them. Finally, address the public relations response to manage reputational damage. All of these steps need to be prepared in advance. These are not items that you want to have to develop after the breach has occurred.
If you do purchase cyber insurance, you often will have access to privacy attorneys for consultation. Policies often contain these supplemental resources. Keep in mind that forensics can be very time consuming depending on the size of your organization. On average, investigations take 65 days. Crisis management plans must include how you will manage public notification within this timeframe to stay compliant with regulatory bodies.