Under Attack

September 30, 2014 | Last updated on October 1, 2024
6 min read
Terri Mason, Head of Professional Indemnity, Allianz Global Corporate & Specialty Canada

Technologically sophisticated criminals remain one step ahead of the IT systems designed to protect even the largest multi-national companies. That said, organizations that include post-attack response measures and appropriate risk transfer strategies in their cyber security plans are well-positioned to weather even the most insidious data breach.

THREAT PROFILE

Cyber crime and data breaches now take a roughly US$445-billion bite out of the global economy annually, notes Net Losses: Estimating the Global Cost of Cybercrime, research released this past June by the Center for Strategic and International Studies (CSIS).

The Ponemon Institute reported that in 2013, the average cost to a company for a major data breach was US$5.4 million.

Additionally, 56% of Canadian respondents said that their organizations are not protected from advanced cyber attacks, and 59% said they do not believe their companies have sufficient security to prevent criminals from stealing corporate information, note results from Exposing the Cybersecurity Cracks: Canada, released in June.

Most cyber attacks are the result of direct hacking (56%) or malware (30%), and larger corporations and governmental institutions make attractive targets, accounting for 50% of all cyber assaults, Privacy Rights Clearinghouse reports. Still, small companies, which often operate with more vulnerable security systems in place, are increasingly victimized and now make up 31% of all attacks.

This is largely because smaller organizations are not only easy profit centres for online criminals, but can also unwittingly serve as gateways to larger partners and clients. In such “piggy-back” attacks, both companies involved could face a resulting claim, so both should hold a cyber policy that could be triggered.

CYBER SECURITY

Cyber attacks will happen – it is just a matter of when and how well-prepared a company is to deal with the related fallout. While nobody is ever fully protected, there are plenty of steps that every business – big or small – can take to respond to an attack, to make life more difficult for cyber criminals and to be prepared for recovery following a security breach.

The most successful cyber risk management practices begin at the boardroom level. Buy-in from senior leadership is key to the development and implementation of company-wide information security policies and protocols. Basic information risk management, as outlined below, can stop as much as 80% of the cyber attacks directed at any company, regardless of size.

Companies should implement an effective governance structure, maintain the board’s engagement and produce appropriate information security policies. Said policies and procedures relate to, among other things, the following:

• user education and awareness training;

• monitoring for all networks and systems;

• incident management, including response and disaster recovery;

• network security;

• management and control of user privileges;

• secure configuration guidance;

• malware protection;

• removable media usage controls; and

• monitoring for both mobile and home working.

It is critically important, however, that cyber security plans include a sharp focus on post-attack recovery that equals, or better still exceeds, pre-attack IT preparations. Having the correct expertise is vital, yet most companies – surprisingly even large organizations – simply do not have the in-house know-how to conduct proper post-attack investigations, notifications and public relations campaigns. The longer the problem is unresolved, the more costly it becomes. And not just from an insurance perspective, but also from a reputational point of view.

RECOVERY AND RISK TRANSFER

Business interruption costs can increase at alarming rates during the time it takes for an attack to be rooted out and neutralized. As such, clients should be able to choose from a range of business interruption covers to tailor a solution to their specific needs.

Additionally, without proper notification capabilities (in the event that personal information is stolen), companies can be left vulnerable to lawsuits and even regulatory actions in some jurisdictions.

This demands that any insurance solution include immediate access to an IT crisis response team that will work to resolve the incident by providing a full range of services. These include such things as IT forensic services, media crisis management services and specialized legal services.

However, even companies with well-staffed communications, IT and legal departments may not be as well-prepared to deal with cyber attacks as they might think. For example, some companies have very good IT people, but do not keep forensic specialists in-house.

In addition, telecommunications and media companies often feel that they are well-prepared to handle a communications crisis, but still might not have the very specific, niche area of expertise that is available through insurers.

One need only look at the events surrounding the highly publicized attacks on Sony and Target, to name just two, to understand the possible scope of the expertise required following a major security breach.

All of these aforementioned concerns should be addressed during the underwriting process. The development of a robust post-attack response plan starts with close co-operation between the insurance provider’s risk engineers and the client. Look for an insurance company that takes a collaborative approach to underwriting to identify and shore up vulnerabilities.

This is also the stage at which clients and providers do the necessary legwork to quantify the worst-case scenario before deciding how much coverage to purchase and how much exposure is appropriate.

Additionally, worldwide coverage is absolutely necessary because a company might never identify where an attack came from, or the attack might originate in multiple jurisdictions and target several others.

Attacks can come from anywhere and target any location, making it pointless to limit a cyber attack policy to one country or territory; the modern world is far too interconnected for such narrow protection.

CHANGING REGULATORY LANDSCAPE

Many jurisdictions are taking a close look at beefing up the legal protections for personal data and increasing company obligations for notifying individuals in the event of a security breach and mitigating the damage. The Canadian government, for example, is reviewing legislation – the Digital Privacy Act, which modifies the Protection of Personal Information and Electronic Documents Act (PIPEDA) – that would require mandatory breach notification, new penalties and other provisions to improve compliance with existing legislation and increase protection for consumers.

Most states in the United States require notification and crisis response – such as credit monitoring and the changing of bank account details – in the event of a cyber attack, notes the National Conference of State Legislatures, and U.S. federal law allows class action lawsuits arising from privacy breaches.

The European Union, for its part, is considering a significant expansion to existing law that would place a considerable financial burden on companies with regard to both compliance and remediation requirements.

In the private sector, there are more and more contractual requirements focused on cyber insurance. Companies are beginning to realize that partners, vendors and clients can be unintentional conduits for attacks, and are taking precautions to ensure that they are properly protected.

In this sense, cyber insurance is very much like any relatively new insurance solution, in that it is initially embraced by a narrow sector, but gradually will find relevance throughout the business world, much like the market drivers for errors and omissions insurance 20 years ago.

Regardless of the impetus for developing a cyber security response plan and purchasing an appropriate cyber attack insurance solution, 62% of respondents surveyed by Ponemon Institute in 2013 reported that the insurance made their company better prepared to deal with security threats.

Headlines announcing yet another major hacking event seem ubiquitous. From Target to Sony to Neiman Marcus, catastrophic security breaches have caused enormous damage, resulted in major business interruptions and delivered body blows to corporate reputations. With related threats growing, it has become clear that what a company does to respond to an attack and mitigate the damage as quickly as possible is just as important as what it does to prevent the attack in the first place.

Maybe more so.