THE FIRST STEPS TO MANAGING CYBER-RISK [Risk Management]
By Thomas Dunbar
Proquest LLC
A worker loses a laptop with the sensitive health-care data of thousands of insureds. Hacktivists breach a nonprofit's computer system, shutting down operations for hours during a donation pledge drive. Cybercriminals steal thousands of credit card numbers from an upscale retailer. A social networking site has millions of its users' passwords stolen. What do all these events have in common? If you said they were technological risks, you would be wrong. They are actually business risks.
Today, every company is reliant on technology, and data is often a critical asset. Managers and IT personnel must monitor reports via their computers and mobile devices 24/7, yet even that seems a futile attempt to keep up, because each day, according to a June Financial Times article, companies generate 2.5 exabytes, or 2.5 billion gigabytes, of data. This daily deluge means that nearly 90% of the stored data in existence today has been created in just the past two years.
With this unprecedented growth, new threats emerge constantly. Such risks historically have been the domain of the IT department, but while cyberrisks are by definition rooted in technology, they are not actually technological risks; they are business risks. And business risks are best addressed through a holistic risk management process that includes systematic risk identification, assessment, quantification and mitigation.
The following three steps will pave the way for risk professionals to better protect one of their company's most important assets: data.
Step #1:
Assemble a Cyber-Risk Team
When it comes to cyberthreats, it is not a question of whether the company will be attacked but when. The first, and one of the most important, things a risk manager can do is to talk to the information security team and involve them in a cyber enterprise risk management effort. Specifically, ask them what assessments have already been done. Then, examine what they have put in place to provide reasonable safeguards spanning people, processes and technologies. And keep them involved throughout the process, not just at the outset.
A good way to get the input and buy-in of the entire organization is to appoint a cyber risk management team to evaluate the company's enterprisewide threats. Include the chief information technology officer, head of IT security, general counsel and others from departments including communications, manufacturing and human resources. These are the personnel who will stand as the frontline response to any threat.
Get everyone involved and keep the organization informed of the efforts and steps you take to protect the corporation. Periodically report on the state of the organization's cyberpreparedness to top executives and the board of directors. Both the board and senior leaders have a fiduciary responsibility to protect the information assets of the company.
In particular, the board needs to be made aware of all cyber-risks and receive regular reports on how new developments and trends could affect the company. Recently, the
If there is an incident, the company's reputation is on the line. News outlets will be quick to pick up on cyberincidents, and most company officers will not know where to turn.
Take the recent LinkedIn breach, which exposed some six million user passwords. Not only was LinkedIn lax with security measures, but it took the company hours to discover that its network had been attacked - and hours longer to notify the victims. No one was managing the risk. And that is not unusual. Only after
Step #2:
Identify and Assess the Risks
Once you have formed the cyber risk management team, the second step is to identify, assess and measure the risks for their potential frequency and financial impact. Think in terms of vital data and where it resides - not just on the computer in an office, but how it flows throughout your organization. Is the data in transit (crossing the network, or carried out the door on a USB drive), at rest (on an employee's desktop PC or a server) or mobile (on an iPhone)? Each state calls for different safeguards, so once you understand where the data is and its importance, you can assess the risk and develop strategies to protect it.
Work with your team to understand your situational awareness. Think about the value of your data to a hacker, hacktivist or cybercriminal. What information would they target? Or, could you be a potential target of cyberespionage or cyberterrorism? And do not forget about non-tech-based threats, such as a hurricane, that could shut down systems or prevent access to data. Or, consider the exposure when an employee unintentionally obtains unauthorized access to data. These are risks related to technology but ultimately rooted in other realms (natural disasters and access control management).
Examine the vulnerabilities and current mitigation practices and then, based on resources, make determinations as to where people, processes and tools must be deployed. Threats must be evaluated for their potential likelihood and financial severity. Risk managers need to be part of the decision-making process to determine which risks pose the greatest threat to the corporation and which of the many IT security options will best mitigate these risks.
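The quantification Step 2 calls for (frequency, financial severity, and which of the available IT security options buys the most risk reduction for the budget) is easier to see worked through. The following is an added example, not code or data from the article or from RIMS: a minimal quantitative risk register that inventories where sensitive data resides, scores each exposure by annualized loss expectancy (annual rate times single-loss cost), and then picks mitigations under a fixed budget by net expected-loss reduction. Every figure, scenario name and control in it is a constructed illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One threat scenario against one place the data resides."""
    name: str
    asset: str              # where the data lives
    state: str              # "in transit", "at rest" or "mobile"
    records: int            # records exposed if the scenario occurs
    cost_per_record: float  # notification, credit monitoring, legal, etc.
    annual_rate: float      # expected occurrences per year (ARO)

    def single_loss(self) -> float:
        """Single-loss expectancy (SLE): cost of one occurrence."""
        return self.records * self.cost_per_record

    def annual_loss(self) -> float:
        """Annualized loss expectancy (ALE) = ARO x SLE."""
        return self.annual_rate * self.single_loss()


@dataclass(frozen=True)
class Control:
    """A mitigation: its annual cost and the share of ALE it removes per exposure."""
    name: str
    annual_cost: float
    reductions: dict  # exposure name -> fraction of that exposure's ALE removed


def rank_exposures(exposures):
    """Highest expected annual loss first: the 'which risks matter most' list."""
    return sorted(exposures, key=lambda e: e.annual_loss(), reverse=True)


def expected_saving(control, residual_ale):
    """Annual loss a control removes, given what is still exposed today."""
    return sum(residual_ale.get(n, 0.0) * frac for n, frac in control.reductions.items())


def select_controls(exposures, controls, budget):
    """Greedy selection by net benefit (saving minus cost) under a fixed budget.

    Savings are recomputed after each pick against the residual ALE, so two
    controls on the same exposure are not double-counted.
    Returns (chosen control names, residual ALE per exposure, total spend).
    """
    residual = {e.name: e.annual_loss() for e in exposures}
    candidates = list(controls)
    chosen, spent = [], 0.0
    while candidates:
        best = max(candidates, key=lambda c: expected_saving(c, residual) - c.annual_cost)
        candidates.remove(best)
        if expected_saving(best, residual) <= best.annual_cost:
            break  # the best remaining option no longer pays for itself
        if spent + best.annual_cost > budget:
            continue  # worth doing, but not affordable in this cycle
        for name, frac in best.reductions.items():
            if name in residual:
                residual[name] *= (1.0 - frac)
        chosen.append(best.name)
        spent += best.annual_cost
    return chosen, residual, spent


# Constructed sample inventory (hypothetical figures, not from the article).
EXPOSURES = [
    Exposure("Lost laptop with member health data", "field laptops", "mobile", 50_000, 150.0, 0.5),
    Exposure("Card data stolen from POS servers", "POS servers", "at rest", 200_000, 100.0, 0.1),
    Exposure("Backup tapes lost in transit", "offsite backups", "in transit", 100_000, 50.0, 0.05),
    Exposure("Password database dumped from web app", "customer web app", "at rest", 1_000_000, 5.0, 0.2),
]

# Constructed mitigation options (hypothetical costs and effectiveness).
CONTROLS = [
    Control("Full-disk encryption on field laptops", 60_000, {"Lost laptop with member health data": 0.9}),
    Control("POS network segmentation and monitoring", 250_000, {"Card data stolen from POS servers": 0.6}),
    Control("Encrypted backup media", 40_000, {"Backup tapes lost in transit": 0.95}),
    Control("Salted password hashing", 30_000, {"Password database dumped from web app": 0.8}),
]


if __name__ == "__main__":
    for e in rank_exposures(EXPOSURES):
        print(f"{e.annual_loss():>14,.0f}  {e.name} ({e.asset}, {e.state})")
    chosen, residual, spent = select_controls(EXPOSURES, CONTROLS, budget=300_000)
    print("chosen:", chosen, "spend:", f"{spent:,.0f}")
    print("residual ALE:", f"{sum(residual.values()):,.0f}")
```

With a 300,000 budget the greedy pass funds laptop encryption, password hashing and encrypted backups (130,000 in total) and skips POS segmentation because it would overrun the budget, leaving the card-data exposure as the largest residual risk; that residual is exactly the figure a risk manager would take to the board or to an insurer.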
Step #3:
Develop an Incident Response Plan
Companies with incident response plans fare much better after a data breach than those without plans. Thus, the final step is to develop a plan that, first and foremost, defines who will be the point person for external and internal activities when a breach occurs.
Unfortunately, very few companies maintain internal experts who can deal with all aspects of this kind of risk. So one thing to note while creating the plan is whether or not a cyberinsurance policy exists. If it does, alert all departments about its existence so that the company can take advantage of the insurer's expertise.
Some insurers offer crisis management experts, frontline breach professionals and cyber-risk lawyers. Some policies even provide a risk management package that includes self-assessment tools.
But whether you buy insurance or not, you will need an incident response plan. So ensure that the company does research beforehand to find third-party experts to lean on when disaster strikes.
One last component of any plan is to ensure it includes a means to learn from the breach. Include a formal debriefing step after an incident to get to its root cause and understand when the attack took place, how the system was infiltrated and what the motivation of the attacker was.
Lastly, remember that a plan is only valuable if it works and if everyone involved knows it. So even if you are lucky and no breach occurs, take the incident response plan out and test it at least once a year.
WHAT DOES CYBER LIABILITY INSURANCE COVER?
Fortunately, insurers often include a wide range of coverage under one policy, including network security liability, media content services liability, privacy liability, extortion threat, business interruption, credit monitoring, privacy notification costs and regulatory fines. Some policies will also cover social media risks, crisis management and data restoration. And coverage can include both the direct and indirect costs associated with a breach, ranging from breach notice costs to damages to defense costs. Meanwhile, a special "service provider breach" policy can cover all associated expenses incurred by a service provider that handles a company's data (except for internal man-hours), while a "denial-of-service attack" policy will cover lost income and repair costs if the company is shut down by an attack.
The last aspect to remember may be the most important: in the scheme of things, cyberinsurance policies may be inexpensive compared to the potentially enormous costs associated with any kind of data breach, loss of customer faith or interruption of operation.
For a comprehensive list of guidelines to remember, see "How to Buy Cyberinsurance" on page 40.
NEARLY 97% OF DATA BREACHES IN 2011 WERE AVOIDABLE
In 2011, there were 855 data-breach incidents that compromised a total of 174 million records, according to
What was most striking about the 2011 research is that nearly 97% of the breaches were avoidable through simple or intermediate controls. Companies that were victims of hacking or malware were selected because they possessed an easily exploitable weakness.
These findings show that target selection is based more on opportunity than choice. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.
Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult. Those that were on the more sophisticated side usually exhibited this trait in later stages of the attack after initial access was gained.
Given this, it is not surprising that most breaches were avoidable (at least in hindsight) without difficult or expensive countermeasures. Low levels of adherence to industry security standards highlight a plethora of issues across the board for related organizations. While at least some evidence of breaches often exists, victims do not usually discover their own incidents. Third parties usually clue them in, and, unfortunately, that typically does not occur until weeks or months down the road.
Data Breach Facts in 2011
* 97% of breaches were avoidable through simple or intermediate controls
* 96% of attacks were not highly difficult
* 96% of victims subject to the Payment Card Industry Data Security Standard (PCI DSS) had not achieved compliance
* 94% of all data compromised involved servers
* 92% of incidents were discovered by a third party
* 85% of breaches took weeks or more to discover
* 79% of victims were targets of opportunity
PREPARING TO DEAL WITH DIGITAL'S LOOMING DARK SIDE
Extraordinary online business benefits have revolutionized business and, as digital interconnectedness continues growing daily around the globe, so too do the implications of its power. Managing assets and financial risk in business today relies heavily on the speed and ubiquity of computer connections and networks globally. As
But, for the nation's risk managers, it is clear that cyber-risk has become the revolution's menacing dark side. Increasingly, headlines spotlight massive credit card privacy breaches, allegations of sovereign espionage, and "hacktivists" penetrating the firewalls at the
In the "2011 Emerging Risk Survey Report" of 2,500 members of the Joint Risk Management Section of the
Only "financial volatility" at 69% and "failed/failing states" at 42% ranked ahead of cybersecurity in the current survey, which was conducted by
Even after acknowledging cognitive bias that encroaches on almost all surveys and prompts respondents to "anchor in" or be influenced by recent events, cybersecurity concerns and cyber-risk fears have emerged as high-priority concerns across a broad spectrum of influential leaders and decision makers. For example, at the 2012
Further, the WEF report suggested a key axiom for the Cyber Age: "Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not yet been detected."
Clearly, the axiom focuses on the heart of the risk: the pervasiveness of the potential ignition points for an intentional or accidental significant cyberevent. Of greatest concern is a major disruption of critical information infrastructure caused by cybercrime, terrorist attack or technical failure that results in a failure of a critical-service infrastructure, such as power distribution, water supply, transportation, telecommunication, emergency services or finance.
For the entire enterprise risk management field, accurately assessing the potential impact of cyberevents for organizations is a task well-suited to actuarial expertise. As they always have, actuaries assess risk, bringing specialty skills related to modeling, statistics and probabilities to the task. But potentially even more important today is the actuary's ability to integrate disparate information from diverse sources: external sources as well as internal functions such as IT, finance, business continuity, etc. By building meaningful, coherent risk scenarios that integrate a broad range of relevant factors, actuaries generate predictive models that can weigh complex risks and opportunities and communicate these issues to inform strategic decision making within an organization.
This article was originally published as a
Copyright (c) 2012 Risk and Insurance Management Society, Inc.