The ABCs of Cyber Risk Management
This session at the PARMA 2019 Annual Risk Management Conference highlighted best practices for prevention, management and handling of cyber-related claims.
Speakers included:
- James P. Wagoner at McCormick, Barstow, Sheppard, Wayte & Carruth
- Graham Van Leuven at Clyde & Co.
- Lejf E. Knutson at McCormick, Barstow, Sheppard, Wayte & Carruth
Assessing Cyber Vulnerabilities
The following types of risks exist in all organizations:
- Data breach – Wrongful disclosure, unverified disclosure, or a computer security failure that lets an outside party gain access.
- Phishing – A targeted attack intended to harvest user credentials or gain access to a machine or network.
- Fraudulent Fund Transfers – Fraudulent emails instructing changes in payment details in efforts to misdirect outgoing wire transfers or other payments.
- E-mail Compromise – Third-party access to/control over a user’s email system.
- Ransomware – Encryption of system data and demand for ransom payment in Bitcoin or other cryptocurrency to restore access.
- Employee Misconduct – Current employees using organization resources for misconduct, or former/departing employees abusing the network with credentials that were never revoked.
- Distributed denial of service (DDoS) attacks – Overloading a network with outside requests so that legitimate users cannot access it, or internal use of the network fails, because resources are exhausted.
- Lost Devices – Lost laptops, mobile phones or other electronic devices that contain confidential information or tokens to access an organization network.
Being Prepared & Vigilant
The best defense is to create a proactive plan using the following steps:
- Knowing Your Data – Identify what information is stored on computer systems and where the data originates. This includes any type of sensitive information like passwords, credit card numbers and health records.
- Defending Your Data – Data is often moved or archived, both on and off site. To effectively protect this data, there should be periodic reviews on where and how that data is stored, including onsite backups and cloud computing. Best practices include destroying old data that is no longer needed and using encryption on data storage and transfer.
- Protecting the Organization – Employees are often the largest source of security vulnerability. Organizations should limit employee access solely to the systems and information they need to do their jobs. Educate employees on security protocols and implement security guidelines. Finally, use multiple, overlapping protections so that a single failure does not expose the organization.
- Updating Systems – Update all operating systems and software regularly. Devices that handle sensitive information, such as payroll or point-of-sale functions, should be separate from devices that perform routine services. Any banking services should require multi-factor authentication, and any fund transfers should be verified by more than one authorized employee. Prevent employees from using public or unsecured wireless connections to conduct any company business.
Creating a Response Plan
Create a plan for each type of incident that may occur. If there is an incident, who is tasked with guiding the response? Are there preferred vendors that can be retained and put into place quickly? What is the typical/expected response time for everyone involved in the response?
A typical breach timeline includes the following steps:
- Discovery – This includes the first recognition of an incident and notification within the organization. It is best to notify insurers immediately and begin determining the investigation steps and the resources available for the investigation.
- Investigation – Privacy counsel should be retained early. Counsel can help manage the investigation and will retain the necessary forensic investigators, thereby maintaining privilege over the forensic work. Statements of work from any relevant vendors should be requested as soon as possible, both for review and to raise any potential coverage issues early.
- Coverage Analysis – As soon as facts are available, evaluate both cyber and non-cyber coverage and notify the applicable carriers. The analysis should address any potential retroactive coverage issues and settle questions such as: What if the malware was in place before any policies took effect? To what extent is notification covered, and who are you required to notify? If notification is not required for everyone impacted, will notification services be provided anyway, and at whose expense?
- Notification Obligations – A fast response is critical. Get call center, credit monitoring, and any public relations/crisis management vendors in place.
- Cost Resolution – Review invoices from vendors, track amounts based on initial estimates and resolve any retention/excess of limits issues with insurance.