Why is the phone ringing?
This is one of the most important questions I ask anyone looking to purchase a business. Several factors contribute to the answer, but for now we are going to focus on risk management. To understand it better, we will look at a recent lawsuit, Gestation F Lessard. v. Bourneville, where several defects had a negative impact on the purchase of a business.
What can we learn:
1. Avoid - In risk management, avoiding a risk can be the most effective strategy. Sometimes we need to take a step back and analyze a deal before making a commitment.
Solution: Ask a third party to analyze the business from an unbiased perspective. If you cannot gather all the information they need, you are better off avoiding the risk than taking a chance.
2. Control - Terms and conditions can be a lifesaver in any type of transaction. By controlling the risk, you take the necessary steps to reduce or prevent bad outcomes.
Solution: Consider a due diligence review and subjectivities (conditions that must be satisfied before the deal closes) while doing a deal. Your legal counsel and business consultant can help with this during the purchasing process.
3. Retain - Part of owning a business is taking chances. Sometimes you will have exposures which you cannot avoid, and you will need to accept that.
Solution: Understand what types of risk you are willing to absorb and can afford to absorb. A good financial plan helps with budgeting for unexpected expenses.
What do you think?
Malwarebytes released a study suggesting too many businesses are oblivious to the realities of cyber crime. Almost 40% of businesses reported having experienced some form of ransomware in the last year, and another 40% reported having paid a ransom to unlock their data. With a reported 259% increase over the same period, it is hard to overstate the impact on businesses.
When working with executives on risk management, cyber risk can be one of the hardest areas to understand. CIOs, CISOs and IT directors are often stuck with limited budgets for handling very large threats to the organization, and the language of highly technical IT personnel can be difficult for other executives to follow.
From an insurance perspective, cyber is one of those risks we can anticipate and handle accordingly. Organizations that take an active approach to cyber strategy should engage their IT personnel with security and insurance professionals in order to tackle cyber risk holistically.
We wanted to take this opportunity to share a ransomware infographic posted by Malwarebytes.
The Privacy Commissioner Of Canada released a follow up to the investigation on the Ashley Madison (ALM) cyber breach and executives should be familiar with the results. The commissioner commented “It is not sufficient for an organization such as ALM, or any organization that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework".
Here are 3 takeaways for executives on Cyber Security:
1. Harm extends beyond financial impacts:
Harm from data breaches is often framed in terms of identity theft and credit card fraud. The commissioner notes “While impactful and highly visible, these do not represent the entire extent of possible harm. For instance, reputational harm to individuals is potentially high-impact as it could have a long-term effect on an individual’s ability to access and maintain employment, relationships, or safety depending on the nature of the information.” This is notable given recent court rulings in the United States that have gone the other way.
Here is the story: Plaintiffs Cannot Bring Data Breach Lawsuits Without Evidence That Information Will Be Used To Harm.
It is possible an organization could be held liable for harm caused by a data breach. A standard Commercial General Liability policy will not cover these damages and a separate Cyber Liability policy needs to be purchased to cover this exposure.
2. Safeguard should be supported by a coherent and adequate governance framework
The Privacy Commissioner notes that a security framework should be “consistently understood and effectively implemented.” In Ashley Madison’s case, regulators found that 75 percent of the company's staff had not received general privacy and security training. The company also displayed a “Trustmark” to consumers, implying that information was being protected when in fact it was not.
Executives should have written security policies and procedures covering the entire organization. Not only will this protect the organization and its customers, it will also provide documentation in the event of legal proceedings.
3. Documentation of privacy and security practices can itself be part of security safeguards
The commissioner notes “Having documented security policies and procedures is a basic organizational security safeguard”. It is surprising how many organizations have nothing in place, especially when free resources are available such as this Cyber Liability Toolkit.
Every executive should make the organization’s attention to security a priority. The commissioner notes that this helps an organization identify and avoid gaps in risk mitigation, provides a baseline against which practices can be measured, and allows the business to reassess its practices in an evolving threat landscape.
From a Directors and Officers liability perspective, we can’t stress enough how important it is for executives to take a proactive step towards cyber security. Something as simple as documentation of privacy and security practices can help executives if there is ever a lawsuit.
Don’t wait until your company shows up in the headline of a local newspaper, start engaging in a cyber strategy today.
See the full release by the Privacy Commissioner here: https://www.priv.gc.ca/cf-dc/2016/2016_005_0822_e.asp
Almost 15% of systems remain vulnerable two years after the identification of the "Heartbleed Bug". Researcher Robert David Graham reported his results after scanning the roughly 1.5 million systems that still supported the affected TLS heartbeat feature. What should you be thinking?
What is the problem with this scenario? Most IT personnel will tell you the bug compromises the security of applications including web and email. More precisely, it lets an attacker read chunks of a server's memory over the network, which can expose private keys, passwords and session data, effectively letting cyber criminals see what your systems and users are doing. If two years have passed and systems are still vulnerable, what are the chances you or your third-party vendors are being affected by this bug?
Can't my IT team detect this?
If you read the article (http://heartbleed.com/), "exploitation of this bug does not leave any trace of anything abnormal". It is concerning to think that someone could be reading your systems' memory undetected. The fix itself has been available since the bug was disclosed in April 2014: update OpenSSL to a patched version (1.0.1g or later, or a vendor backport), then reissue certificates and rotate the private keys, passwords and session tokens that may have been exposed while the system was vulnerable. Network intrusion detection signatures for the malformed heartbeat request exist today, but they only catch attempts made after they are deployed; nothing in a server's own logs records a past exploitation.
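To show why a Heartbleed exploit leaves no trace, here is an added C program (not from the page, from OpenSSL or from the cited researcher) that models the TLS heartbeat handler in simplified form. The in-memory record and the "SECRET_KEY" bytes sitting next to it are constructed for the example and are hypothetical. The vulnerable handler trusts the length field in the request and echoes back bytes that were never sent; the fixed handler adds the one bounds check the 2014 patch introduced and refuses the record. In neither case does anything crash or get logged, which is what "no trace of anything abnormal" means in practice.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed sample memory (not real traffic): a heartbeat record followed by
 * unrelated data that happens to sit next to it. The record claims a 32-byte
 * payload but only carries 4 bytes ("ping") plus 16 bytes of padding. */
static const uint8_t sample_mem[] = {
    0x01,                       /* HeartbeatMessageType = heartbeat_request */
    0x00, 0x20,                 /* payload_length = 32 (attacker-controlled) */
    'p', 'i', 'n', 'g',         /* the 4 payload bytes actually sent */
    0, 0, 0, 0, 0, 0, 0, 0,     /* 16 bytes of padding */
    0, 0, 0, 0, 0, 0, 0, 0,
    'S', 'E', 'C', 'R', 'E', 'T', '_', 'K', 'E', 'Y', '=',   /* hypothetical */
    's', '3', 'c', 'r', '3', 't', '!', '!', '!', '!', '!'    /* neighbouring data */
};
#define SAMPLE_REC_LEN (1 + 2 + 4 + HB_PADDING)   /* 23 bytes actually received */

/* A well-formed record for comparison: payload_length = 4 matches the 4 bytes sent. */
static const uint8_t legit_rec[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Vulnerable handler, modelled on the pre-fix logic: the reply payload length is
 * taken from the message itself and never compared with the record length.
 * Returns the number of response bytes written, or -1 if the record is refused. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > out_cap)   /* only the output is checked */
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);  /* reads past the record when payload is overstated */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Fixed handler: identical except for the bounds check the 2014 patch added.
 * A claimed payload that does not fit inside the received record is dropped. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)   /* the missing check */
        return -1;
    if (1 + 2 + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(1 + 2 + payload + HB_PADDING);
}

int main(void)
{
    uint8_t out[128];
    int n = heartbeat_vulnerable(sample_mem, SAMPLE_REC_LEN, out, sizeof out);
    printf("vulnerable handler replied with %d bytes; echoed payload: ", n);
    for (int i = 3; i < 3 + 32; i++)
        putchar(out[i] >= 32 && out[i] < 127 ? out[i] : '.');
    putchar('\n');
    n = heartbeat_fixed(sample_mem, SAMPLE_REC_LEN, out, sizeof out);
    printf("fixed handler returned %d (record rejected)\n", n);
    n = heartbeat_fixed(legit_rec, sizeof legit_rec, out, sizeof out);
    printf("fixed handler answered the well-formed record with %d bytes\n", n);
    return 0;
}
```

The point to take away is that the leaked bytes travel back inside an ordinary, valid-looking heartbeat response, so there is no error, no crash and no log line for anyone to notice; the only evidence is on the attacker's side.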
From an insurance standpoint
Unlike most types of crimes insurance professionals deal with, cyber crime can be mysterious. Unfortunately, cyber criminals are not breaking into your building and can't be easily caught by the police. This means most cyber activity goes undetected for a very long time.
When we work with businesses on cyber insurance, most are unaware of the IT infrastructure they have in place. This makes purchasing coverage difficult, because it is hard to comprehend what type of exposure the organization is open to. These problems only mount when you consider the increasing number of clients and vendors interacting with a business every day.
Talking with an insurance professional about your cyber exposure should be a top priority. This exposure can have a large financial impact on your business and can be very hard to quantify. It's time to start thinking about how cyber exposure might impact your business.
What do you think?
What should you do about employees when it comes to cyber?
Human resource management focused on cyber is the process of training and educating employees on the cyber strategy. Keep in mind that poor human resource practices can lead to compromised systems and increased costs for an organization.
What steps can your human resources take towards an effective cyber strategy:
1) Planning - Human resource management needs to come from the strategic plan of an organization. If cyber is not part of the strategic plan then the organization will struggle to implement any initiatives and the strategy will ultimately fail. Having the entire executive team as part of the planning process is very important when it comes to cyber strategy.
2) Selecting - This can be one of the most difficult parts of any cyber strategy. Striking a balance between security and functionality is hard: the more secure a cyber strategy is, the harder the system can be for the entire organization to use. I suggest it is better to restrict access and grant permission on a case-by-case basis.
3) Orienting - The entire organization needs to understand the cyber strategy and their role in it before a plan is implemented. Just like orienting an employee to a new role, the onboarding process for a cyber strategy needs to be clear and communicated effectively. Once performance expectations are understood, it becomes easier for the entire organization to implement the cyber strategy.
4) Training - The long-term success of a cyber strategy depends on the strength of its users. Training should be viewed as an investment, in the same way that major purchasing decisions are made for an organization. The more people that understand and buy-in to the cyber strategy, the more likely the plan is to succeed.
5) Terminating - Unfortunately, human resource management requires making difficult decisions. If circumstances arise where an employee is not following the cyber strategy, termination may be necessary. Employment standards should be followed to give the individual a proper opportunity to buy in to the cyber strategy. In the event an improvement plan is not working, the employee should be terminated to prevent the entire cyber strategy from being compromised.
What do you think?
The Base Team
Insurance made easy. How can we make insurance better for you?