Cyber Security breaches are a painful reality for organizations of all kinds and at all levels. As we showed last month, all businesses have exposure to some level of Cyber intrusions.
Annually over 16 million confidential records are exposed through more than 600 “reported” security breaches according to the national nonprofit Identity Theft Resource Center (ITRC). 63% of these breaches were at companies with 100 employees or fewer. 95% of these breaches were caused by either hackers, rogue employees, or loss/theft of equipment.
Following is valuable information on methods to minimize or avoid a security breach and manage the related potential financial impact on your operations.
Cyber Risks Management Options
Avoid
When faced with risk, the first consideration should be whether your business can eliminate the risk by not performing particular activity(ies). Relating to Cyber exposures, considerations would be:
- Do you need smartphones for email?
- Are laptops or tablets necessary within your organization?
- Can your business thrive without a website presence?
- Do you need to allow purchase transactions via your website?
- Do you need social media means for your sales to thrive?
Prevent & Mitigate
Understandably you may not be able to eliminate all risk causing activities but you may be able to reduce your Cyber risk by:
- installing firewalls
- installing the most current anti-virus and anti-spam software
- implementing a strict password policy requiring regular changes and complex passwords
- utilizing data leakage detection tools
- encrypting email communication, files, flash drives, mobile devices, and laptops
- closely monitor social media postings
- limiting access to rewritable media drives
- performing penetration testing of your network
- performing on-going security assessments of your system
Finance
After you take all steps to minimize your risk and have a firm understanding of how your business is clearly exposed, you can then determine if you can retain either all or part of the potential negative financial impact of the activity/risk. To determine your financial tolerance, you must consider the worst case scenario and then perform a close analysis of your records including assets, cash flow, future business needs, etc.to determine the “healthy” amount of risk that you can retain.
Transfer
There are risks that are too large for your business to solely absorb the full potential financial impact. You can seek to share the burden of these losses with another party. The most common practice is transferring the risk to an insurance carrier through the purchase of a Cyber & Data Security Liability policy. Usually you will still hold some financial responsibility at the time of a loss either via a deductible or retention; or an uninsurable cause of loss.
Another means of transferring some risk would be to a party other than an insurance company via a contract including a hold harmless and indemnity agreement, etc. This may include a vendor that designs, maintains, or hosts your website, email, or data.
Breach Related Expenses
Notification
State laws require businesses that maintain individual’s personal identifiable information (PII) to notify those individuals if such information is lost, stolen, or otherwise compromised. Differences in costs arise based on how the state specifies the individuals must be notified – whether by US Postal Service, certified mail or other special delivery – and how often.
Many companies hire third party law firms or consultants to assist in determining the applicability of state notification laws after a breach has occurred. If the breach occurs in multiple states, you would need to comply with each applicable State’s data security laws.
Costs can vary depending on the number of records or individuals affected. Charges range from $.50 to $5 per notice.
Public Relations
A data breach may bring immediate negative impact on your business’ reputation as well as long-term loss of confidence among customers and business partners that can impact sales and revenue. Because of this, businesses may hire an external PR firm that specializes in damage control to respond quickly and help mitigate harm to its’ reputation.
Loss of corporate reputation is incalculable, however Zurichna has indicated that the average total cost per breached record attributed to PR expenses to reduce the reputation impact is approximately $141.
Forensics
Forensic examination is necessary to determine the source and severity of the breach and often done by third-party examiners to ensure quality and maintain objectivity. Depending on the size of the breach, State law may mandate this examination.
The costs of a forensics exam greatly vary, with average fees ranging from $200 to $2000 per hour.
Legal
The use of a specialized attorney to advise you on compliance, crisis management and contingency planning following a data breach is vital. Consumers whose PII has been compromised as a result of a breach may file suits alleging a number of violations including:
- Negligence
- Breach of warranty
- Failure to protect data
- Failure to disclose defects in products or services regarding capabilities of protecting data
- Unreasonable delay in remedying suspension of service or loss of data
- Violations of various applicable state/federal laws
- False advertising
Legal expenses are one of the highest breach related expenses averaging around $200,000 per breach with the number expected to exceed $500,000 this year per NetDiligence.
Credit Monitoring
Many state laws require that credit monitoring services be provided to individuals affected by a data breach. Per Zurichna, statistics show that this is the second largest expense relating to breaches averaging approximately $10-$30 per breached record.
Lost Revenue
A data breach incident, either internal or to a third party service provider, can pose serious and extremely expensive threats to any business’ operations-both immediate and long term. Immediate impact would be greatest on those whose core business operations are contingent upon e-commerce.
The lost revenue will vary based on the nature of the business, the severity of the breach, and the effectiveness of the breach response.
Insurance Transfer Solution
Most businesses cannot successfully and aggressively operate in today’s fast moving commerce without exposing their business to some Cyber risk making a Cyber & Data Security Liability policy a necessity of their insurance program. Cyber & Data Security Liability policies have evolved and premiums have become more affordable.
When considering purchasing Cyber & Data Security Liability insurance, one must consider the cost of not purchasing. Cyber & Data Security Liability insurance may provide coverage for:
- Notification Costs
- Computer forensic services
- System and data recovery
- PR Expenses
- Legal expenses
- Defense costs
- Civil awards and settlements
- Lost of Revenue and Extra Expenses
- Consultative services – including assistance with breach notifications, credit monitoring, etc.
Are you aware of the legal requirements you would be imposed with at the time of a breach? Do you have a written policy in place on how to respond to a breach? Would you be able to respond immediately to meet legal timeframes and reduce the reputation and financial impact?
Do you have the personnel and capital to handle all this in the absence of an insurance policy?
How we can help you…
Partnering with an insurance carrier, we can provide resources to help you develop a “Cyber Data Breach Continuity Plan” and proactive preventative breach reduction procedures. We can further align you with an insurance policy that provides coverage for your specific cyber risks. Contact me to begin the process to add this valuable coverage to your insurance program.
