Cyber security makes headlines regularly as more and more large companies have become the targets of cyber attacks. In a recent BDO survey, twice as many public companies disclosed having experienced a cyber related security breach in 2014-2015 compared to 22% in the previous two years. Gartner reports that 60% of the companies that lost data are out of business five years later. And thus, at last, boards are becoming more involved in cyber security with 87% of directors confirming that they are briefed at least once a year on this topic. As board become more mature in understanding cyber risk, they will be compelled to get involved in cyber mitigation to ensure comprehensive mitigation plans are in place. This post will explore two emerging key mitigation measures that boards should both be aware of, and be preparing to implement: cyber resiliency and cyber liability insurance.
It is not a question now of if you will experience a cyber breach but of when and most importantly, how you will contain the damage. This leads boards to move from a cyber security philosophy to a cyber resiliency approach. Cyber resiliency is a framework wherein threats are anticipated, critical business functions are identified, and can withstand, recover from, and evolve in the face of persistent, stealthy, and sophisticated attacks. Your line of defense is not simply about protecting against threats, it is about effectively minimizing the impact of breaches, therefore lowering your residual risk. This approach is based on four primary points:
Clear identification of the key data assets of your business, i.e. those that if breached will significantly affect your reputation and income.
Continuous active threat assessment.
Aggressive security operations monitoring.
Proactive incident response in the form of a cyber breach response plan.
A well planned response plan is a critical key to minimizing reputational, financial, and operational impacts. It must be kept up-to-date and integrated across business units and, most importantly, it should be rehearsed regularly to guarantee immediate and effective response. The pro-active involvement of the board in discussing cyber resiliency will ensure that appropriate focus and budget is placed on minimizing the impacts of any and all security breaches.
Cyber liability insurance coverage
It is usual for mitigation plans to include contracting insurance coverage against the loss caused by the occurrence of a key risk. This is also true for cyber risks. Cyber liability coverage is a growing segment of the insurance market. Cyber risks usually require specific insurance as most standard E&O and general liability insurance do not offer coverage for cyber incidents. Cyber liability insurance usually includes coverage for data breach/privacy crisis management, multimedia/media liability, extortion liability and network security liability.
Cyber liability is a relatively new type of insurance policy and it’s important to be extremely careful when selecting a policy and carrier. One measure of the quality of the policy is the extent to which the underwriter assesses your systems, your risks, and your response plans before submitting a proposal. Pricing can also vary widely. You have to ensure the company has clearly identified the costs, expenses, and types of incidents they want to cover to ensure optimum pricing. These policies also usually carry important exclusions that impact the effective coverage. For example, some policies do not cover business interruption if it’s caused by a third party. Boards should ask careful questions about cyber liability insurance and understand its limitations so it can be complemented by other mitigation measures.
As cyber security moves to the top of the agenda of board of directors and because cyber breaches have had major impacts on many renowned companies like Sony and Target, directors have to stay alert to emerging trends in the oversight and mitigation of cyber risks. Cyber resiliency and cyber liability insurance are two measures that are becoming mainstream. Directors have to be ready to ask questions about these measures and ensure the strength of their company’s cyber mitigation plan. In general, keep in mind that a lot of work still needs to be done in many companies to get adequate mitigation planning in place. Be sure to consider all the various sources of cyber risk. For example, only one third of respondents in the BDO survey report having cyber risk requirements for third-party vendors, even though this is a major source of risk to critical data assets.
Do you have a clear understanding of your cyber mitigation plan? Is your cyber liability coverage up to date with your growing needs and increasing risk? What important elements do both include? What do you need to do to further investigate and add to strengthen your company’s plan to handle this incredibly volatile and dangerous form of risk?
Remember, it’s not if, …it’s when.