How Vulnerable is Your Company to a Cyber Breach?
The word information may sound simple and boring, but the owners of information have access to power, money, and immense competitive advantage. It's not surprising, then, that companies devote significant time, effort, and resources to protecting their proprietary and valuable information.
As the recent spate of hacking incidents portends, data security breaches and threats are increasing, despite growing awareness. President Barack Obama signaled as much when he issued an executive order, Improving Critical Infrastructure Cybersecurity, earlier this year, highlighting the urgency of the issue.
In the face of a data breach, the legal, operational, and reputational risks are immense. The financial toll of a cyber attack can be staggering (see table below showing some historical examples). The consequences tend to be immediate. Not too long ago, organizations saw protecting against these threats as the responsibility of the IT department. Yet as the world has become increasingly reliant on the transfer of electronic data (for business, business relationships, and social interaction), the risk of losing critical information has risen. Data protection has become a topic of discussion at the board level and a top priority for senior executives, particularly those tasked with driving and managing the growth of an organization.
A Sampling of Significant Data Breaches Since 2007
Source: Privacy Rights Clearinghouse, Chronology of Data Breaches, www.privacyrights.org
In all likelihood, you could look at your own organization and see examples of how the electronic transfer and tracking of information is expanding, such as:
- An increase in online sales and orders.
- Increased activity for online engagement with customers and suppliers.
- More frequent social media activity by both the company and its employees.
- Growing digital transfer of contracts and business agreements.
- Additional tracking of employee activity, operational processes, and results.
Thus, all of this increased electronic activity requires larger and more detailed databases. With so much valuable information now residing in the digital space, it is crucial to understand the factors contributing to the risk of cyber breaches. Here are five of the most common risk factors:
- Technology failure (firewall, server compromised)
- Criminal act by outsider (hacking, portable device theft)
- Employee misconduct (collusion with competitor, theft, unauthorized disclosure)
- Human error (lost or unsecured data portals, misdirected data, improper security configurations)
- Vendor error (misdirected data, packages, email)
If it has not been done already, it would be worth your while to take the above list to internal IT and risk management professionals to discuss your company's awareness of and vulnerability to each risk, and to get a clear picture of the protections that are currently in place. Your organization might be a leading data protection pioneer that has already developed a comprehensive approach to dealing with each of these contributing factors, but in all likelihood, your company has been more reactive to changing information protection risks and has not created specific, proactive plans that have been vetted by a cross-functional team.
That last piece is essential: If company headquarters personnel are the only individuals that have been included in the information protection discussion, you probably are overlooking critical vulnerabilities to your business.
Beyond internal stakeholders, an ongoing dialogue should be maintained with a number of other professionals who deal exclusively with cybersecurity matters. Legal experts, IT companies, public relations practitioners, forensic accounting specialists, insurance brokers, and insurance carriers all have a role to play in ensuring that your company is abreast of the rapidly evolving knowledge of this entity risk and prepared to respond effectively in the case of a breach. Those responses typically take three forms:
- Retain: Keep the risk within the organization. In this instance, an entity will hopefully choose to spend resources and time to fully evaluate the risk and determine measures to reduce it. This is where technology and cyber-risk experts can be valuable in properly identifying risk factors and levels.
- Allocate: Involve in-house legal counsel, and potentially external counsel, to contractually shift the risk to customers, suppliers, and business partners of the entity.
- Transfer: Transfer the risk to another entity, which is primarily done through obtaining insurance coverage that specifically responds to the impacts of this risk. This is where a knowledgeable insurance broker specializing in cyber risk, and the expertise of forensic accounting and claims consultants experienced in measuring losses, can be valuable and critical.
Importantly, shareholders and lending institutions expect a robust data security program to be in place. That program, as mentioned above, should include an insurance component. Woefully, companies are increasingly finding that their expectations of being properly protected after a cyber event fall well short, and the financial impact is far greater than expected. So it is important to highlight the basic types of coverage that can be obtained via the growing number of specialized cyber-risk insurance products. They can be separated into two major categories, with various options therein:
- Third-Party Liabilities: This set of protections covers damages and defense costs associated with security or privacy breaches of third-party information contained in a company's network or resulting from failure to protect sensitive (confidential) information. It can also cover costs associated with responding to and complying with regulatory action.
- First-Party Liabilities: This set of protections is more multifaceted. It can help to recover crisis management and event-related expenses, generally associated with the cost of a public relations firm. It can cover security breach remediation and notification expenses, services generally provided by forensic technology firms or companies specializing in data analytics. Computer programming and electronic data restoration can also be covered by first-party liability products, as can costs associated with business interruption and extra expenses. The costs of computer fraud and e-commerce extortion can also be insured, covering direct loss or extortion of money, securities, and property.
Clearly there is a financial and resource limitation to protecting against each and every possible data breach or cyber attack, but it is critical for organizations to develop awareness and stay informed of the evolving options for managing these risks and putting the above strategies in place.
As recently as a few years ago, companies believed that the financial burden of performing a comprehensive cyber-risk analysis and implementing programs to try to minimize or prevent cyber risk was not practical. Today, the dynamic has changed. While cyber risk is a relatively new phenomenon, we can take guidance from one of the giants of American entrepreneurship, Benjamin Franklin, who said, "By failing to prepare, you are preparing to fail."
Clark Schweers is managing director at BDO Consulting and head of the firm's Insurance Claim Services practice. Jeff Hall is a senior manager at BDO Consulting, specializing in complex cyber, property, and business interruption claims.