Frequently Asked Questions
Cyber risk is actually a group of related risks that affect a company’s computer, network and data security. The definition keeps evolving, but today “cyber risk” encompasses the risk of exposing or losing regulated data such as PII, PHI and payment card (PCI) data; lost revenue and/or loss of intellectual property and trade secrets; the risk of reputational harm; and the risk of legal action and/or regulatory fines and penalties for failing to follow accepted security or privacy practices.
- Have an internal discussion between senior management and IT staff about cyber risk management. Look at which cyber security practices are in place to safeguard private information and the integrity of your systems. Are they reasonable given the size and scope of the organization, and is there sufficient support from management to sustain them? If not, how can they be improved? Do you have an inventory of the vital personal data you hold about customers and of your network components, and do you know where each resides?
- Conduct an enterprise-level cyber risk assessment, either through a third-party consultant or as an internal self-assessment. The point is to determine and document how your cyber security practices measure up to recognized privacy and security standards, identify any weak spots and capture them in a remediation plan.
- Revisit your insurance portfolio to determine whether you already have cyber liability coverage. If not, consider either purchasing a cyber policy or ceding residual risk to third-party providers through contractual defense and indemnity provisions in your service-level agreements (although providers often resist this).
Assess your current security/privacy posture. Then get cyber liability insurance if you don’t have it. Those are technically two things which, in our view, are equally important, but they are also interdependent: you may not be able to get coverage without a risk assessment that demonstrates your computer security practices and policies, and even then you may carry significant residual risk that can only be offset with a solid cyber liability policy.
In this era of corporate governance and state and federal regulation, it is paramount to demonstrate that you are proactive and have reasonable cyber security practices in place. That is best accomplished through an enterprise-level cyber risk assessment, preferably by a third party. You want an independent view of how you measure up to industry standards and against your peers; that information lets you make strategic decisions about investing in additional security, including finding the right insurance. An assessment gives you both a plan for internal cyber risk management and a document showing that you have taken prudent steps to protect against these risks, proof that external partners and insurance companies will want to see.
A security assessment looks at traditional security controls, making sure, for example, that you have appropriate firewall rules and backup procedures in place. Security assessments typically measure against industry standards such as ISO 27001 and the NIST frameworks. A cyber risk assessment is broader: it covers not only cyber security practices but also privacy exposures and other network-related liabilities such as media liability (copyright or trademark infringement). You can incur privacy liability without a data breach, for instance by collecting or sharing personal data in ways your privacy policy or applicable law does not permit, so it is critical to understand those weaknesses as well.
Some insurers will write a policy without one, but there are many advantages to completing a cyber risk assessment. Even when it is not required, an insurer may reward an assessment with higher limits or broader coverage.
In theory, it can, although an insurance company will not put that in writing. We have seen a favorable cyber risk assessment that documents a strong network and data protection posture taken into consideration in the overall underwriting process and result in a better quote. On the other hand, an assessment that reveals too many weaknesses or “burning plank” issues can work against you. An underwriter might decline to insure you, or ask you to correct those weaknesses before they will write the policy. Or they might insure you at a higher premium and insist on revisiting the assessment in a year’s time to see how those issues have been remediated.
An insurance customer can access the Hub through an access pass (or registration instructions) provided by their cyber liability insurance carrier or insurance broker. Because we allow license holders to customize and brand the Hub, it may appear under a different name and carry the insurer’s branding, but much of the content (the latest cyber risk news, data breach best practices, insight into the regulatory and legal landscape and, often, access to leading cyber security companies and vendors) is maintained by NetDiligence on a daily basis.
The Breach Coach® role is still evolving, but essentially this invaluable team member is a cyber security expert, most typically a lawyer, who acts as crisis manager and walks your organization through the process of responding immediately to a data breach incident. This lawyer is well versed in state and federal data breach compliance duties; some Breach Coaches are in such demand that they handle new incidents every day. The Breach Coach reviews the response plan, keeps everyone calm and begins the first steps toward recovery. The Breach Coach also acts as quarterback, engaging experts from computer forensics to credit monitoring to a PR team and assisting the client day to day to keep the breach response in compliance with all applicable regulations. Your organization might retain a Breach Coach directly or, depending on your coverage, your insurance company might retain one on your behalf.
The clichéd but deadly accurate saying in our industry is “not if but when.” Pretending a breach or cyber attack will never happen to you is not effective risk management, nor is it remotely realistic. Whatever the size of your company, you need to engage in data breach planning so that your internal staff and retained experts follow the proper protocols when that inevitable event occurs, allowing you to respond rapidly and, ideally, recover while keeping your reputation intact and minimizing future liability exposure.
A good IRP should be granular, walking step by step through the data breach response process, and it must of course comply with state and federal law. That said, it should also include an abbreviated checklist view and quick access to action steps for an urgent review. Depending on the breach scenario it can involve internal IT staff, business managers and/or counsel, but it should also name an external ‘tiger team’ of experts such as a Breach Coach or lawyer, computer forensics, PR, victim notification and others. The IRP should be vetted by a privacy lawyer or security expert of the kind who typically acts as a first responder. The document itself should be concise and accessible; a 100-page plan that sits on a shelf will be hard to use on a Saturday night when a breach is detected. Our Breach Plan Connect™ service helps companies build, securely store and easily access their IRP from any computer or device and presents the information in a user-friendly checklist format.
An important component of cyber risk planning and security training, a tabletop exercise lets you walk through a data breach event before it happens. Typically the exercise is facilitated annually by an outside expert such as a Breach Coach or forensics expert, who works through the IRP step by step against a simulated incident. The exercise tests the IRP, surfaces gaps such as missing contacts or unclear decision rights, and makes sure your staff is acclimated to the data breach response process.
We recommend the following practices for vendor security management:
- Obtaining references from the vendor’s past customers
- Asking vendors for certificates of insurance, particularly a cyber liability policy if the vendor will touch your network or data in any way
- Requesting proof of the vendor’s security posture in the form of a cyber risk assessment performed by a third party. You can also ask the vendor to complete a self-assessment using your own security questionnaire. Our QuietAudit® service is a web-based self-assessment that produces a summary scorecard detailing cyber risk preparedness.
Common cloud computing risks include:
- One-sided service-level agreements
- Lack of knowledge about security in the face of changing technology and third-party dependencies
- Lack of awareness about where your data actually resides and who has access to it
In essence, cloud risk is often contractual risk tied to the service-level agreement. Make sure you have an SLA in place that has been reviewed by counsel. These agreements often contain caveats that make no assurance or guarantee about the safety of your data in the provider’s cloud, and providers rarely agree to defend and indemnify you for their mistakes. It is also important to seek outside intelligence, such as security experts’ assessments of the contractor or service provider. When in doubt, ask a prospective cloud vendor to participate in the cyber risk assessment you conduct for your own company.