Insurance Companies (Even Small Ones) Are Not Immune from Cyber Risk

By Paul Dzielinski

It seems as though every time you read the newspaper or watch the evening news, there is a story about another corporation’s website being hacked and their customer data compromised. Many business owners, especially small ones, take a head-in-the-sand approach and think, “This won’t happen to us. We’re a small company and hackers aren’t interested in us.” The truth is, every business is a target. As a business owner, you need to be aware of the threats and proactive in protecting your corporate and customer data. It takes more than firewall and malware protection software to prevent information breaches.

Company IT staff and management are still learning how to combat these attacks. In fact, most companies only become aware their system has been compromised when an FBI agent notifies them. Reacting to an attack after it happens is one thing, but preventing attacks is the much harder part.

Part of the problem arises from within the companies themselves. First, executives may not want to invest a substantial amount of money in security if they don’t think an attack may happen to their company. Second, the chief information security officer may be reporting to the wrong person. The chief information security officers should report directly to the CFO. The CFO “owns” risk management in most companies and information security is part of enterprise risk management.

Cyber threats constantly evolve with higher levels of intensity and complexity. The ability to achieve objectives and operate business functions is increasingly reliant on information systems and the Internet, resulting in increased risk that could cause severe damage to a company’s business functions and operations.

Key Cyber Risk Management Concepts

Management of cyber risks needs to be incorporated into existing risk management and governance processes. This is more than just a checklist of requirements; rather it is managing cyber risks to an acceptable level. The Department of Homeland Security has published a list of key risk management concepts:

Cyber risk management discussions should be elevated to the CEO level. CEO engagement in defining the risk strategy and levels of acceptable risk enables more cost effective management of cyber risks that is aligned with the business needs of the organization. Regular communication between the CEO and those held accountable for managing cyber risks is a must.

The CEO of a corporation should take an intense interest in the firm’s cyber security. Here are five questions CEOs should ask about cyber risks:

  1. What is the current level and business impact of cyber risks to our company?
  2. How is executive leadership informed about the current level and business impact of cyber risks to the company?
  3. How does our cyber security program apply industry standards and best practices?
  4. How many and what types of cyber incidences do we detect in a normal week? What is the threshold for notifying executive management?
  5. How comprehensive is our cyber incident response plan? How often is it tested?

Implement industry standards and best practices, don’t just rely on compliance.

A comprehensive cyber security program leverages industry standards and best practices for IT systems to detect potential problems. Compliance requirements help to establish a good cyber security baseline to address known vulnerabilities. Using a risk-based approach to applying cyber security standards and practices allows for more comprehensive and cost effective management of cyber risk than compliance activities alone.

Evaluate and manage your organization’s specific cyber risks. Identifying critical assets and associated impacts from cyber threats are critical to understanding a company’s specific risk exposure, whether financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, form long-term investments, and develop policies and strategies to manage cyber risks to an acceptable level.

Provide oversight and review. Executives are responsible for managing and overseeing enterprise risk management. Cyber oversight activities include the regular evaluation of cyber security budgets, IT acquisition plans, IT outsourcing, cloud services, incident reports, risk assessment results, and top level policies.

Develop and test incident response plans and procedures. Even a well-defended organization will experience a cyber incident at some point. When network defenses are penetrated, a CEO should be prepared to answer the question, “What is our Plan B?” Documented cyber incident response plans that are exercised regularly help to enable timely response and minimize impacts.

Coordinate cyber incident response planning across the entire enterprise. Early response actions can limit or even prevent possible damage. A key component of cyber incident response preparation is planning in conjunction with the chief information officer, business leaders, continuity planners, system operators, general counsel, and public affairs personnel.

Maintain situational awareness of cyber threats. This involves timely detection of cyber incidents, along with the awareness of current threats and vulnerability specific to that organization and associated business impacts. Analyzing, aggregating, and integrating risk data from various sources and participating in threat information sharing with partners helps organizations identify and respond to incidents quickly and ensure protective efforts are commensurate with risk.

What steps should company management take to avoid a security breach?

  • Incorporate the Latest Security Protection
  • Establish and Enforce Employee BYOD Security Policies
  • Have an Action Plan in Place to Respond to a Breach
  • Obtain Cyber Insurance Coverage Incorporate the Latest Security Protection. Rick Munoz, a senior IT executive for a major international management consulting firm, says there are certain key elements of security software defenses to provide in-depth secure data. “The most secure system in the world is a computer network unplugged from the internet, and powered off. This is obviously impractical, so we need to develop systems that will give a firm the most protection.” He continues, “There is no one-step solution to protecting data, you must use a variety of tools. I use the ‘Swiss cheese’ analogy with my clients. I tell them to think of IT security like a block of Swiss cheese. In its normal state it’s not transparent, but if you can line up all the holes in the cheese, you would be able to penetrate the cheese. So your IT security prevention needs to be designed to avoid situations where the holes are aligned.”

One strategy Rick promotes is to use a web application firewall. This is a network type device between the external firewall and the internal web servers. Rick describes how this firewall works. “The web application firewall inspects all data as it goes through the network. It has the ability to identify common web exploits before they can penetrate into your system.”

For companies that handle a great deal of customer-sensitive data, Rick recommends that his clients implement an entire suite of products to detect data loss prevention (DLP). DLP products examine exfiltrated data to look for patterns, both on an individual and aggregate basis. Rick gives the example of Social Security numbers. “If the DLP detects Social Security numbers being transmitted out of the company, it sends an alarm to the IT department,” he explains. He also mentioned that these systems need to be properly calibrated to avoid false positives. Rick believes this type of protection can prevent a “Snowden” problem:

“Anyone requesting 20,000 data items in a short period of time would raise an alarm if the normal data request in the same time period is substantially smaller.”

Establish and Enforce Employee

BYOD Security Policies. Many organizations allow employees to use their own personal computers, laptops, smartphones and other personal mobile devices (Bring Your Own Device) for storing, transmitting and receiving sensitive company and customer data. Allowing devices from multiple manufacturers using multiple operating systems creates an inherent lack of control by the IT and security personnel over the security of data. This lack of control invites more frequent data breaches, privacy violations and exposure to computer viruses, malware and data theft. What makes this even more troublesome is the fact that most people do not implement even the most rudimentary security precautions, such as using a secure password.

Have an Action Plan in Place to

Respond to a Breach. If you wait until you have a data breach to decide how to handle one, then you are way behind the eight ball. Your organization needs to have a plan in place which is clearly spelled out and supported throughout the organization.

Prepare and distribute an outreach plan to all of the organization’s constituents: customers, law enforcement and the general public. Internal coordination is essential to make sure that accurate information about a potential breach can be shared without adding to any legal or brand liabilities.

Obtain Cyber Insurance Coverage.

Data breaches can have serious financial effects. In addition to business interruption losses, regulatory and credit card company fines, legal defense costs and civil damages, there are also potential Federal and state laws which can impose fines for data disclosure, and outline requirements to publicly disclose data breaches to the affected parties and law enforcement.

Cyber insurance is now readily available for both first party (e.g. breach notification costs) and third party risks (e.g. litigation defense and indemnity).

In the past, this coverage in some limited form may have been available under various insurance contracts. But in recent years, many insurers have incorporated cyber exclusions in their policies, so the best form of protection is a standalone policy specifically designed for the unique exposures of cyber liability.

Now that you understand the seriousness of cyber threats to your organization and the risk management steps you can take to protect your data, you should look at whether or not this exposure can be an opportunity to develop new products for your customers. Cyber insurance is a rapidly growing market with huge growth potential. According to Experian, less than one-third of all corporations in the U.S. buy any cyber insurance coverage, and according to an article published in June 2013 by Betterley Risk Consultants, the current cyber insurance premium is over $1.3Billion.