BY RANDY GLENN, CCIC & JENNIFER A. BECKAGE, ESQ., CIPP/US
“We never thought it would happen to us.” That is the most common response to a cyberattack on a business, regardless of the sector, size, or scope of the company.
No matter what kind of business you operate, your most valuable asset may be your data. Although businesses are taking steps to protect themselves and their clients, cyber risk continues to be a threat. According to a report from the Online Trust Alliance, cyberattacks targeting businesses nearly doubled from 2016 to 2017. Some believe the actual number may be twice that since the majority of cyberattacks are never reported.
If and when a data security event occurs, how long does it take an organization to recover? Returning to business as usual is challenging and, without a plan, often impossible. The cost and effort to undergo forensics, evaluate regulations, meet quick deadlines, and respond to internal and external stakeholders can all impact your ability to be resilient following a data incident. The good news is there are steps you can take, including performing risk assessments and transferring the cost of risk with Cyber Insurance.
Operational resilience starts at the asset level. Building an asset inventory can be a challenge because of its size and scope, the business disruption it causes, and its cost, but understanding which systems and vendors hold data, and how they relate to one another, is a strong step toward cyber preparedness and often creates operational efficiencies as well. Breaking assets into categories such as people, information, technology, and facilities helps you see how each category might be affected in a breach, and what the compromise of a given asset would mean for your business’ bottom line.
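As an added illustration, not from the article, the inventory described above can be kept as a small dependency graph and queried in two directions: which assets are knocked out downstream if one asset or vendor is compromised (the blast radius), and which third-party vendors sit upstream of a given data set (the contracts to pull when that data is involved in an incident). The asset names, categories and dependencies below are constructed sample data.

```python
"""Asset inventory with blast-radius and upstream-vendor queries.

Added example; the inventory below is constructed sample data, not a
real organization's asset list.
"""
from collections import deque

# Each asset gets one of the article's categories (people, information,
# technology, facilities) or "vendor" for an outsourced third party.
ASSETS = {
    "crm-vendor":       {"category": "vendor",      "owner": "sales"},
    "customer-records": {"category": "information", "owner": "sales"},
    "billing-app":      {"category": "technology",  "owner": "finance"},
    "payroll-vendor":   {"category": "vendor",      "owner": "hr"},
    "employee-pii":     {"category": "information", "owner": "hr"},
    "hq-office":        {"category": "facilities",  "owner": "ops"},
    "sales-team":       {"category": "people",      "owner": "sales"},
}

# Directed edges (upstream, downstream): the downstream asset depends on the
# upstream one. E.g. customer-records are hosted by crm-vendor.
DEPENDENCIES = [
    ("crm-vendor", "customer-records"),
    ("customer-records", "billing-app"),
    ("payroll-vendor", "employee-pii"),
    ("hq-office", "sales-team"),
    ("sales-team", "customer-records"),
]


def _adjacency(reverse=False):
    """Build an adjacency map; reverse=True walks from dependent to dependency."""
    graph = {}
    for upstream, downstream in DEPENDENCIES:
        src, dst = (downstream, upstream) if reverse else (upstream, downstream)
        graph.setdefault(src, []).append(dst)
    return graph


def _reachable(start, reverse=False):
    """Breadth-first closure over the graph; the seen-set also guards cycles."""
    if start not in ASSETS:
        raise KeyError(f"unknown asset: {start}")
    graph = _adjacency(reverse)
    seen, queue = set(), deque([start])
    while queue:
        current = queue.popleft()
        for nxt in graph.get(current, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(asset):
    """All assets transitively impacted if `asset` is compromised or unavailable."""
    return _reachable(asset, reverse=False)


def impact_by_category(asset):
    """Blast radius grouped by category, the view a tabletop exercise wants."""
    grouped = {}
    for name in blast_radius(asset):
        grouped.setdefault(ASSETS[name]["category"], []).append(name)
    return {cat: sorted(names) for cat, names in grouped.items()}


def upstream_vendors(asset):
    """Third parties whose contracts govern incident response for `asset`."""
    return {name for name in _reachable(asset, reverse=True)
            if ASSETS[name]["category"] == "vendor"}


if __name__ == "__main__":
    for vendor in ("crm-vendor", "payroll-vendor"):
        print(vendor, "->", impact_by_category(vendor))
    print("vendors behind billing-app:", upstream_vendors("billing-app"))
```

Losing the facility (hq-office) also surfaces as a data problem here, because the sales team that maintains the customer records works from it; that transitive view is what the flat category list alone does not give you.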
When assets are outsourced to a third-party vendor, your contract with that vendor will govern the parties’ relationship, including how they will help to respond to an incident and their obligations to secure information. Once these are known and understood, you can focus on taking steps to transfer that risk. Insurance is a great tool to transfer risk, but it is not a substitute for proper risk management and legal counsel.
Any discussion about insurance options should also include planning a response to a data security incident. Having insurance may provide an opportunity to shift costs and risks, but there will still be work that needs to be done which will require company buy-in and adoption, including senior management and the board. Relying on trusted advisors with meaningful experience and specialization in this space is also a good way to obtain sound advice.
The Information Technology department, C-suite, and legal teams should collaborate on a regular basis to discuss ongoing insurance needs, perform table-top simulated data security incidents, and evaluate new data security and privacy regulations that impact the organization. These conversations and technical hardening of systems will help make your business more resilient and help put you in a legally defensible position if “it” happens.
It is paramount that ALL employees understand their role in helping to guard against cyberattacks since a single employee clicking on the wrong link (even unintentionally) can negatively impact the entire operation. If protecting your business, its assets, profitability, and reputation are top of mind, then underestimating the exposure to a cyber event can be costly.
Taking a few steps such as instituting a rigorous cyber security training program and making an investment in a cyber insurance policy can significantly mitigate your business’ risk, so you don’t end up wishing you had done something sooner.
Attorney Advertising: Prior results do not guarantee a similar outcome.