Stay safe online
Proper cyber security risk management is more than a technology solution. All companies should integrate it into day-to-day operations and be prepared to respond to potential cyber incidents. CLAIRE RENCKEN reports
According to www.staysafeonline.org, the first step is to carry out a comprehensive cyber assessment:
• Identify the corporate “crown jewels”
The first step in assessing an organisation’s cyber risk is to understand what company assets you are trying to protect and why. Identify your most important information, assets and legally protected information.
• Identify threats
• How do you store the information?
• Who has access to the information?
• How do you protect your data?
• What steps are you taking to secure your computers, network, e-mail and other tools?
• Forecast the consequences of a successful attack
If you have information technology staff or a chief information security officer, ask them to walk you through the above analysis and to quantify the risk. Also ask them to explain what could happen as a result of a fully successful cyber attack against your company.
The next step is to implement a cyber security plan, which needs to focus on three key areas:
• Prevention: Solutions, policies and procedures need to be put in place to reduce the risk of attacks.
• Resolution: In the event of a computer security breach, plans and procedures need to be in place that determine which resources will be used to contain and remedy the threat.
• Restitution: Companies need to be prepared to address the repercussions of a security threat with their employees and customers to ensure that any loss of trust or business is minimal and short-lived.
Last, but not least, is the issue of cyber insurance. The cyber insurance market has evolved significantly since the first policies were introduced in the late 1990s. Coverage extensions have developed to include both the third-party liability and the first-party costs and expenses associated with a data breach or cyber attack. Insuring agreements vary by insurance company. Options may include:
• Security and privacy liability – defence and indemnity for failure to keep information private, failure of third-party affiliates to keep information private and failure of systems to prevent a network security failure (including transmission of a virus).
• Crisis management – expenses incurred by the insured stemming from a security failure. Covered expenses include costs to respond to adverse publicity, comply with regulatory requirements and voluntarily and proactively provide notification and credit-monitoring services to affected parties.
• Regulatory proceedings – covers defence of a proceeding or action brought by a privacy regulator, or fines for breach of a privacy regulation.
• Business interruption – costs incurred by the insured stemming from a material business interruption directly caused by a security failure.
• Data recovery – costs incurred by the insured to restore, recreate or recollect electronic data stored on the insured’s computer system that becomes corrupted or destroyed due to a computer attack, including disaster recovery and computer forensic investigation services.
• Cyber extortion – costs incurred, and extortion monies paid, due to a threat related to the interruption of the insured’s computer system, or the release or destruction of private information.
With the increasing frequency and costs associated with cyber attacks, your company’s risk management strategy should include cyber insurance to help mitigate financial loss and protect your company’s balance sheet.