By the time you finish reading this article, we guarantee you that someone somewhere will have tried to breach your network or a vendor with whom you work. What’s standing between them and you?
Step back and reflect on what exactly a company is protecting from harm’s way. What are the “crown jewels,” and why are they so important to the organization? What is the weakest or most vulnerable link that is likely to result in a breach? Having a better understanding of these factors will guide the direction of the strategy, why it is being used, and the economic impact it has on the business. This will then set the company up to have a productive conversation when it comes to securing a cyber insurance policy.
Collecting sensitive information on customers—whether it is their personal, health, financial, or business information—is a normal business practice. Being entrusted with this information comes with the responsibility that it will be kept confidential. This expectation of privacy also extends to a company’s own employees and business information. Compromise of this information can lead to reputational harm, which can drive away customers and demoralize employees. A 2017 study by Cisco found that nearly a quarter of organizations suffering a cyberattack lost business opportunities due to reputational impairment, and nearly a third of the attacked organizations also lost revenue.
The damage hits close to home when it affects a company’s ability to operate. Some of the more common first-party costs, such as breach notification and forensic expenses, are debilitating to a company’s balance sheet since they are generally “first-dollar.” Costs associated with damages and legal expenses from customers and regulators filing liability suits against a company can drain its bank account. One study by Ponemon Institute puts the direct and indirect losses due to a data breach at over $7 million on average.
Understanding the motivation and methods of hackers can lead to better breach prevention. Verizon’s data breach investigation report says nearly four out of every five breaches emanate from an external actor, and the majority of these hackers are looking to trade their looted information for cash—specifically bitcoin—on the dark web. However, 20 percent of breaches also are committed for purposes of espionage. Examples range from a sovereign nation collecting intelligence to meddle in another country’s elections to a baseball team hacking another team’s internal database.
While the exact figures may be disputed, everybody agrees that the weakest link is usually the human one. Employees often are targeted with emails and pop-ups containing links to malware. “Phishing”—which involves the impersonation of a customer, vendor, or business leader—fraudulently diverts money and goods into the hands of thieves. Vulnerabilities in configuring web applications in addition to zero-day exploits in software code also can result in the compromise of information. However, not all threats are trying to steal or manipulate sensitive information. The attack by the malware Mirai botnet against the domain name service provider Dyn in October 2016 used countless internet-connected devices to launch a distributed denial of service attack, which flooded Dyn and blocked customer access to countless companies such as Amazon, CNN, and Netflix for hours. As seen in the case of Target’s HVAC vendor, a company relying on vendor relationships can exacerbate its own cybersecurity posture if the vendor is compromised. If it’s not one thing, then it is something else, and it seems that the hackers are always one step ahead. How can you get ahead of them? That’s the million-dollar question.
Knowing how to best prevent a breach not only will help the company, but also the company’s customers and vendors. The most important step a company can take in order to effectively defend itself is to educate its employees about how to identify a breach, what activities can lead to a breach, and the steps to take to minimize the risk of a breach. Security protocols also should be enforced to ensure sensitive data is only being accessed by authorized employees at times when it is critical for their jobs.
Of course, education and training are just one part of the overall solution, and it is important that policies and procedures are actually implemented. To do so, a company should designate an employee who is responsible for coordinating and managing all cyber-related risk activities. Likewise, a company should create a breach team composed of outside legal counsel, forensic experts, its insurance company, and, possibly, a public relations firm (depending on the scale of the breach) so that an emergency response plan can be initiated at the first possible indication of a breach. While basic technology and configurations such as firewalls and antivirus software should be in place to help prevent breaches, a company also should encrypt its sensitive files, enable multifactor authentication, and continuously monitor both its own enterprise IP footprint and endpoints as well as its vendors’ (if possible) to look out for anomalous activity and event-driven compromises. Regular backups of sensitive information also should be made with the integrity of the data checked to make sure the files are accurate and complete and can be restored in a timely manner.
Now that the organization has followed the appropriate steps to decrease the possibility of a breach, it is in a better place to consider risk transfer. The executive team must decide which information security projects will yield the greatest return for dollars spent. The estimated cyber insurance premium for an organization also should factor as an opportunity cost when deciding the IT security budget. The last step is to obtain insurance that will provide for expert services to manage a breach.
The insurance policy must be negotiated to include all appropriate third-party and first-party coverage grants with the fullest limits, lowest retentions, and broadest terms and conditions possible, including full prior acts retroactive date, so as not to exclude any possible claims incidents. To achieve such a contract will require clear communication of the company’s cybersecurity risk posture through the broker to the insurance carrier, with a focus on application responses and potential underwriting meetings. But with the right investment in people, processes, and technology, the organization will be a strong candidate for cyber insurance. They also will be in a better situation to respond to a breach when it occurs.