“Never before in history has innovation offered promise of so much to so many in so short a time.” – Bill Gates
Last year, I posed the question: “Has technology outpaced our ability to prevent or decrease cybercrime?”
Today, the answer remains a resounding “Yes.”
If you ask a business leader about their main concerns, cyber risk will be on their list.
In fact, cyber risk is now in the top ten of global risks.
In particular, businesses are concerned about damage to their brand and reputation.
The Global Risk Landscape:
For the past decade, the World Economic Forum has published the Global Risks report which highlights the most significant long-term risks worldwide, drawing on the perspectives of experts and global decision-makers. This year’s report underscores potential causes and solutions to global risks, including cyber risk.
From the list of the top ten risks, the likelihood of a cyberattack is tenth, and the impact of a critical information structure breakdown is seventh.
The current rise in hyperconnectivity, with a growing number of objects connected to the Internet, and more sensitive personal data being stored in the cloud, calls for resilience in both our networks and our response to large-scale cyberattacks.
This report illustrates the need for businesses to be prepared for cybercrime.
The Cost of Cybercrime:
According to the 2014 global study of US-based companies by the Ponemon Institute, the average cost of cybercrime climbed more than 9% to $12.7 million for companies in the US, up from $11.6 million in the 2013 study. The average time to resolve a cyberattack is also rising, climbing to 45 days in 2014 from 32 days in 2013.
Security Breach Notification Laws:
Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.
Are you prepared to meet your legal obligations if your business becomes a victim of a data breach?
Proposed Cyber Legislation:
Information sharing is a basic way to improve cybersecurity by enabling businesses and the government to share information on current cyber threats and vulnerabilities.
In April 2015, the US House of Representatives passed two bills making it easier for private companies to share information about cybersecurity threats with each other and the government without the fear of lawsuits. The first bill, the National Cybersecurity Protection Advancement Act (NCPAA), and the second bill, the Protecting Cyber Networks Act (PCNA), must be passed by the Senate and signed by the President to become law.
Cyber Risk Management Strategy:
Will your business take proactive steps to develop a cyber risk management strategy?
Based on the increased media attention and number of publications covering “cyber”, it is only a matter of time until businesses of all sizes become aware of the risk. Awareness is not enough. Businesses need a strategy.
Cyber liability insurance coverage should be a part of your cyber risk management strategy.
In order to understand your cyber exposure, first you must understand your information and digital assets.
· How much proprietary information do you collect, manage or store?
· What kinds of confidential personal information do you collect, manage or store?
· Do you employ third-party vendors to handle information? If so, what are their vulnerabilities?
If you do not assess your cyber preparedness, how will you handle a cyber crisis?
· Do you have an information security policy and team to carry out your plan?
· Is formal notification of a data breach required?
· How will you fund notification, monitoring and reputation management expenses?
· Businesses of all sizes are being impacted by cybercrime, so it is worthwhile to explore your insurance options.
Once you assess your cyber exposure and preparedness, then you will be in a better position to manage your risk, including the purchase of cyber liability insurance.
Justice Department Guidance:
With the growing cyber threat, businesses have been seeking advice on how to proceed in this risk climate. In April 2015, the US Department of Justice responded by publishing guidance on best practices for cyber risks entitled Best Practices for Victim Response and Reporting of Cyber Incidents.
The Justice Department breaks down the problem into a three-part timeline, namely before, during, and after an incident.
Suggested Steps to Take Before an Incident:
· Identify your business’s mission-critical assets, and prioritize those items in risk management and incident response planning;
· Create an actionable incident response plan;
· Train relevant personnel on the plan, including use of regular exercises;
· Acquire, install, and test appropriate technology and services;
· Ensure that appropriate consent is obtained for network monitoring;
· Consult with outside counsel well acquainted with cyber incident response;
· Establish information-sharing relationships.
Suggested Steps to Take During an Incident:
This is when businesses execute their plan by assessing the nature and scope of the incident, preserving relevant evidence, maintaining detailed written records, mitigating further damage, and notifying law enforcement agencies.
Suggested Steps to Take After an Incident:
Businesses should remain vigilant in light of the possibility that the intruder or hacker may continue to have access to your network or information. Furthermore, steps should be taken to prevent similar attacks in the future.
Cyber risks are a growing concern for you and your business. If you have not taken proactive steps to improve your cybersecurity, then you may want to do so now.