Almost 15% of systems remain vulnerable two years after the disclosure of the "Heartbleed Bug" (CVE-2014-0160, a flaw in OpenSSL's TLS heartbeat extension). Researcher Robert David Graham reported this result after scanning the 1.5 million internet-facing systems that support the heartbeat extension, the feature the bug lives in. What should you be thinking?
What is the problem with this scenario? Most IT personnel will tell you the bug compromises security for applications including web and email. More precisely, it lets an attacker read chunks of a server's memory, which can contain private keys, passwords and session cookies, so the attacker can impersonate the service or read traffic that was supposed to be encrypted. If two years have passed and that many systems are still vulnerable, what are the chances you or your third-party vendors are still exposed?
Can't my IT team detect this?
If you read the article (http://heartbleed.com/), "exploitation of this bug does not leave any trace of anything abnormal". Nothing shows up in application or server logs; only a network sensor with a signature for the malformed heartbeat request would see an attack. It is concerning to think someone could be reading your secrets undetected. The fix has been available since April 2014: upgrade to OpenSSL 1.0.1g or later (or a distribution build that backports the fix), restart the affected services, then replace the private keys and certificates that may have leaked and reset passwords and session tokens. The hard part is not the patch but finding every system that embeds OpenSSL, including appliances and vendor-supplied software.
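To make the "can my IT team detect this?" question concrete, here is an added example (not from the original post or from heartbleed.com) of the first-pass triage an IT team can run from an inventory of `openssl version` banners. The host names and banners are constructed for the example; the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is the one published on heartbleed.com.

```python
import re

# Constructed sample inventory (not from the page): host name -> first line of
# `openssl version` output as an admin might collect it. Host names are assumptions.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-01": "OpenSSL 1.0.0k 5 Feb 2013",
    "vpn-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "lb-01": "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "appliance-01": "LibreSSL 2.2.7",
}

# OpenSSL version strings look like "1.0.1e" or "1.0.2-beta1": three numbers,
# an optional patch letter, and an optional beta suffix.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def classify(banner):
    """Return 'affected', 'fixed', 'not-affected' or 'unknown' for one banner.

    Affected range per heartbleed.com: OpenSSL 1.0.1 through 1.0.1f inclusive,
    plus 1.0.2-beta1. 1.0.1g (7 Apr 2014) and 1.0.2-beta2 carry the fix; the
    0.9.8 and 1.0.0 branches never had the heartbeat code.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if base == (1, 0, 1):
        # "" (plain 1.0.1) and "a".."f" are affected; "g" and later are fixed.
        return "affected" if letter <= "f" else "fixed"
    if base == (1, 0, 2) and beta == "1":
        return "affected"
    return "not-affected"


def triage(inventory):
    """Group hosts by status so the affected list can be handed to IT."""
    report = {"affected": [], "fixed": [], "not-affected": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        report[classify(banner)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

Treat "affected" as "confirm", not "proven": Linux distributions backported the fix without changing the base version, so a host reporting 1.0.1e may already be patched, and the package changelog or an active probe (for example nmap's ssl-heartbleed script against the service) is the final word. The "unknown" bucket matters too: appliances and vendor software that embed their own copy of OpenSSL never show up in an `openssl version` inventory, which is exactly where the lingering 15% tends to hide.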
From an insurance standpoint
Unlike most types of crime insurance professionals deal with, cyber crime can be opaque. Cyber criminals are not breaking into your building, and they are rarely caught by the police. This means most cyber activity goes undetected for a very long time.
When we work with businesses on cyber insurance, most are unaware of the IT infrastructure they have in place. This makes purchasing coverage difficult, because it is hard to comprehend what type of exposure the organization is open to. These problems only mount when you consider the increasing number of clients and vendors interacting with a business every day.
Talking with an insurance professional about your cyber exposure should be a top priority. This exposure can have a large financial impact on your business and can be very hard to quantify. It's time to start thinking about how cyber exposure might impact your business.
What do you think?
What should you do about employees when it comes to cyber?
Human resource management focused on cyber is the process of training and educating employees on the cyber strategy. Keep in mind that poor human resource practices can lead to compromised systems and increased costs for an organization.
What steps can your human resources function take towards an effective cyber strategy?
1) Planning - Human resource management needs to come from the strategic plan of an organization. If cyber is not part of the strategic plan then the organization will struggle to implement any initiatives and the strategy will ultimately fail. Having the entire executive team as part of the planning process is very important when it comes to cyber strategy.
2) Selecting - This can be one of the most difficult parts of any cyber strategy. Deciding the balance between security and functionality is hard. Often the more secure a cyber strategy is, the harder the system can be for the entire organization to use. A sound default is least privilege: restrict access by default, grant permissions on a documented, case-by-case basis, and review them when people change roles or leave.
3) Orienting - The entire organization needs to understand the cyber strategy and their role in it before a plan is implemented. Just like orienting an employee to a new role, the onboarding process for a cyber strategy needs to be clear and communicated effectively. Once performance expectations are understood, it becomes easier for the entire organization to implement the cyber strategy.
4) Training - The long-term success of a cyber strategy depends on the strength of its users. Training should be viewed as an investment, in the same way that major purchasing decisions are made for an organization. The more people who understand and buy in to the cyber strategy, the more likely the plan is to succeed.
5) Terminating - Unfortunately, human resource management requires making difficult decisions. If circumstances arise where an employee is not following the cyber strategy, termination may be necessary. Employment standards should be followed to give the individual a proper opportunity to buy in to the cyber strategy. In the event an improvement plan is not working, the employee should be terminated to prevent the entire cyber strategy from being compromised.
What do you think?
How do cyber breaches affect you?
This question is asked often, which is why we wanted to do a mini case study for our readers. In this example, we are going to look at the Home Depot breach and discuss the ongoing implications.
Most corporate directors and officers are aware of some of the cyber breaches that have occurred over the last couple of years. In Home Depot's case, 50 million customer records were stolen from the system, causing a significant impact on their business. Various lawsuits followed against the company for breach of privacy. What we want to highlight is the derivative suit that followed the breach.
What is a derivative suit? A derivative suit is a lawsuit brought by shareholders on behalf of the corporation. In this case the shareholders are claiming there was a breach of duty and waste of corporate assets by certain company officers and directors.
Why is this relevant? The shareholders allege the directors and officers of Home Depot knew the company's systems were vulnerable and failed to act. The complaint points to several warning signs that, it argues, should have been acted upon before the breach.
Now what? The first question a director or officer might ask is "how does my insurance respond?" It is important to understand that a directors and officers liability policy may respond differently to claims based on consumer protection laws and may deny coverage in this situation. A commercial general liability policy will exclude electronic data, since cyber products have been developed to pick up this exposure. A cyber policy will generally contain language such as "warranties" or "subjectivities" which require basic security steps to be taken to prevent a breach.
As you can see, there are several factors to take into consideration when weighing the implications of a cyber event. The limits meant to protect the directors and officers may be used up as more parties look for defence under the corporation's policy. This can leave directors and officers personally liable for lawsuits against the corporation.
The Take Away: Make sure you work with a professional team when purchasing insurance for your business. A specialist is better than a generalist and can give advice that will provide tremendous value before, during and after a claim.
What do you think?
It is clear to most organizations that they face a growing cyber threat and something needs to be done about it, but what happens if they don't?
The resulting loss of reputation, income and market positioning can be detrimental to an organization. Directors and officers are subject to lawsuits brought by shareholders and regulators in the event of a cyber breach. Of course, this means the resulting lawsuit needs to be something that can be considered under the directors and officers liability policy. In most cases directors and officers policies have not been modified to consider cyber-based claims, opening a big "grey area" when it comes to paying for legal defence.
Most boards should consider taking the necessary steps to ensure they are adequately protected from a cyber breach. Allegations of failure to properly prevent a cyber breach can be costly. Here are some steps to take:
1. Start the discussion - Surprisingly, many organizations have neglected to start the conversation around cyber security. It is time to bring the IT team to the discussion table to understand what is being done to proactively prevent cyber threats. Involve a professional risk manager in the conversation and consider using them for implementing a cyber strategy.
2. Update security practices - What is your organization doing to stay up-to-date when it comes to cyber security? Could you show all stakeholders you have taken adequate steps to protect the organization from a cyber breach?
3. Insurance - It is surprising how many decision makers within an organization have no idea how their insurance policy will respond to certain events. Much of that has to do with finding the right professional to administer a directors and officers liability insurance policy. Even then, most, if not all, of the expenses from a cyber breach will not be covered by a directors and officers liability policy. There are various other products available in the market to cover first- and third-party incidents arising from a cyber breach.
Has your board started or considered any of these points? As a director or officer of an organization personal assets can be on the line and that is the last thing you want to happen. Make cyber security personal and have your board start the discussion around cyber strategy.
What do you think?
Public and private companies are starting to have real conversations around cyber and it is great!
The insurance industry is starting to get some real traction around cyber and we have the media to thank for that. Unfortunately, too many organizations are unaware of their exposure until something goes wrong. With all the high-profile hacks, it can be hard to ignore the real possibilities of a breach occurring at any time.
We found some interesting videos by Zurich and wanted to share them with our network. Some interesting points that should be noted:
- Only 37% of boards are briefed on cyber risks once per year and 13% are never briefed
- Only 66% of directors have identified their critical digital assets.
- Only 35% of board members say their company has cyber risk requirements that must be met by third-party vendors, and 31% don't have third-party requirements.
Corporate governance is truly the starting point of any cyber strategy. Understanding people, process and technology is essential to protecting any organization. Put your board in action when it comes to managing cyber risk, don't wait until it's too late.
The Base Team
Insurance made easy. How can we make insurance better for you?