Malwarebytes released a study suggesting too many businesses are oblivious to the realities of cyber crime. Almost 40% of businesses reported having experienced some form of ransomware in the last year, and another 40% reported having paid a ransom to unlock their data. With an alarming 259% increase in the last year, it is hard to imagine how big the impact has been on businesses.
When working with executives on risk management, cyber risk can be one of the hardest areas to understand. Often CIOs, CISOs and IT directors are stuck with limited budgets to handle such large threats to an organization. Not to mention that communication from highly technical IT personnel can be very difficult for other executives to follow.
From an insurance perspective, cyber is one of those risks we can anticipate and handle accordingly. Organizations that take an active approach towards cyber strategy should engage their IT personnel with security and insurance professionals in order to tackle cyber risks holistically.
We wanted to take this opportunity to share a ransomware infographic posted by Malwarebytes.
The Privacy Commissioner of Canada released a follow-up to the investigation on the Ashley Madison (ALM) cyber breach, and executives should be familiar with the results. The commissioner commented: “It is not sufficient for an organization such as ALM, or any organization that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework.”
Here are 3 takeaways for executives on Cyber Security:
1. Harm extends beyond financial impacts:
Harm from data breaches is often framed in terms of identity theft and credit card fraud. The commissioner notes: “While impactful and highly visible, these do not represent the entire extent of possible harm. For instance, reputational harm to individuals is potentially high-impact as it could have a long-term effect on an individual’s ability to access and maintain employment, relationships, or safety depending on the nature of the information.” This is important given the recent court rulings out of the United States that hold otherwise.
Here is the story: Plaintiffs Cannot Bring Data Breach Lawsuits Without Evidence That Information Will Be Used To Harm.
It is possible an organization could be held liable for harm caused by a data breach. A standard Commercial General Liability policy will not cover these damages; a separate Cyber Liability policy needs to be purchased to cover this exposure.
2. Safeguards should be supported by a coherent and adequate governance framework
The Privacy Commissioner notes that a security framework should be “consistently understood and effectively implemented.” In Ashley Madison’s case, regulators found 75 percent of the company's staff had not received general privacy and security training. The company also displayed a “Trustmark” to consumers, implying information was being protected when in fact it was not.
Executives should have written security policies and procedures for the entire organization. Not only will this protect an organization and its consumers, but it will also provide documentation in the event of legal proceedings.
3. Documentation of privacy and security practices can itself be part of security safeguards
The commissioner notes: “Having documented security policies and procedures is a basic organizational security safeguard.” It is surprising how many organizations have nothing in place, especially when free resources are available such as this Cyber Liability Toolkit.
Every executive should make the organization’s attention to security a priority. The commissioner notes this helps an organization identify and avoid gaps in risk mitigations, provides a baseline against which practices can be measured, and allows the business to reassess practices in an evolving threat landscape.
From a Directors and Officers liability perspective, we can’t stress enough how important it is for executives to take a proactive step towards cyber security. Something as simple as documenting privacy and security practices can help executives if there is ever a lawsuit.
Don’t wait until your company shows up in the headline of a local newspaper; start engaging in a cyber strategy today.
See the full release by the Privacy Commissioner here: https://www.priv.gc.ca/cf-dc/2016/2016_005_0822_e.asp
Almost 15% of systems remain vulnerable two years after the identification of the "Heartbleed Bug". Researcher Robert David Graham reported his results after completing scans of the 1.5 million systems that supported the bug. What should you be thinking?
What is the problem with this scenario? Most IT personnel will tell you the bug compromises security for applications including web and email, essentially allowing cyber criminals to watch what you are doing. If two years have passed and systems are still this vulnerable, what are the chances you or your third-party vendors are being impacted by this bug?
Can't my IT team detect this?
As the write-up at http://heartbleed.com/ puts it, "exploitation of this bug does not leave any trace of anything abnormal". It is quite concerning to think someone could be tracing your actions undetected. This vulnerability can only be fixed by applying patches as they become available.
From an insurance standpoint
Unlike most types of crime insurance professionals deal with, cyber crime can be mysterious. Unfortunately, cyber criminals are not breaking into your building and can't be easily caught by the police. This means most cyber activity goes undetected for a very long time.
When we work with businesses on cyber insurance, most are unaware of the IT infrastructure they have in place. This can make purchasing coverage difficult, because it is hard to comprehend what type of exposure the organization is open to. These problems only mount when you consider the increasing number of clients and vendors interacting with a business every day.
Talking with an insurance professional about your cyber exposure should be a top priority. This exposure can have a large financial impact on your business and can be very hard to quantify. It's time to start thinking about how cyber exposure might impact your business.
What do you think?
What should you do about employees when it comes to cyber?
Human resource management focused on cyber is the process of training and educating employees on the cyber strategy. Keep in mind that poor human resource practices can lead to compromised systems and increased costs for an organization.
What steps can your human resources team take towards an effective cyber strategy?
1) Planning - Human resource management needs to come from the strategic plan of an organization. If cyber is not part of the strategic plan then the organization will struggle to implement any initiatives and the strategy will ultimately fail. Having the entire executive team as part of the planning process is very important when it comes to cyber strategy.
2) Selecting - This can be one of the most difficult parts of any cyber strategy. Deciding a balance between security and functionality can be difficult. Often the more secure a cyber strategy is, the harder it can be for the entire organization to use the system. I suggest it is better to restrict access and grant permission on a case-by-case basis.
3) Orienting - The entire organization needs to understand the cyber strategy and their role in it before a plan is implemented. Just like orientating an employee to a new role, the onboarding process for a cyber strategy needs to be clear and communicated effectively. Once performance expectations are understood, it becomes easier for the entire organization to implement the cyber strategy.
4) Training - The long-term success of a cyber strategy depends on the strength of its users. Training should be viewed as an investment, in the same way that major purchasing decisions are made for an organization. The more people that understand and buy-in to the cyber strategy, the more likely the plan is to succeed.
5) Terminating - Unfortunately, human resource management requires making difficult decisions. If circumstances arise where an employee is not following the cyber strategy, termination may be necessary. Employment standards should be followed to give an individual the proper opportunity to buy in to the cyber strategy. In the event an improvement plan is not working, an employee should be terminated to prevent the entire cyber strategy from being compromised.
What do you think?
How do cyber breaches affect you?
This question is asked often, which is why we wanted to do a mini case study for our readers. In this example, we are going to look at the Home Depot breach and discuss the ongoing implications.
Most corporate directors and officers are aware of some of the cyber breaches that have occurred over the last couple of years. In Home Depot's case, 50 million customer records were stolen from the system, causing a significant impact on their business. Following the breach, various lawsuits were filed against the company for breach of privacy. What we want to highlight is the derivative suit that followed the breach.
What is a derivative suit? A derivative suit is a lawsuit brought by shareholders on behalf of the corporation. In this case the shareholders are claiming there was a breach of duty and waste of corporate assets by certain company officers and directors.
Why is this relevant? The shareholders allege the directors and officers of Home Depot knew the company's systems were vulnerable and failed to act. In this case, several warning signs should have been acted upon prior to the breach.
Now what? The first question a director or officer might ask is "how does my insurance respond?" In this case, it is important to understand that a directors and officers liability policy may respond differently to consumer protection laws and deny coverage in this situation. A commercial general liability policy will exclude electronic data, as cyber products have been developed to pick up this exposure. A cyber policy will generally contain language such as "warranties" or "subjectivities" which require basic security steps be taken to prevent a breach.
As you can now see, there are several factors to take into consideration when considering the implications of a cyber event. Adequate protection for the directors and officers may be used up as more people look for defence under the policy of the corporation. This can leave directors and officers personally liable for lawsuits against the corporation.
The Take Away: Make sure you work with a professional team when purchasing insurance for your business. A specialist is better than a generalist and can give advice that will provide tremendous value before, during and after a claim.
What do you think?
The Base Team
Insurance made easy. How can we make insurance better for you?