L. Keith Burkhardt, VP, Kraus-Anderson Insurance
Picture that scene in every James Bond movie where the evil organization reveals its next secret plan to disrupt the status quo, cause chaos and wreak monetary or political harm. Unfortunately, cyber attackers are replicating that scene every day!
Like lipids, pollen and crabgrass, cyber attacks are an unwanted, but endemic fact of American life. And despite the best efforts of spam filters and firewalls, resistance is futile. Some amazingly unsophisticated approaches, like phishing, are still a player in more than two-thirds of all cyber attacks over the past 2 years. Moreover, even if your company has the best prevention systems in the world, your data is still exposed to many business partners, any of whom could be major targets for cyber crime, from healthcare to financial services. Thanks to the marvelous connectivity of our economy, a data breach is as contagious as the common cold.
The bad news is, at some time in the next year, your business will be touched by a cyber breach.
The good news is, you can shorten the duration of the misery and recover quickly. If you’re prepared.
Step One: Admit You Have a Problem
Recognize that, regardless of your size or industry, you are an easy target for a basement genius teenage hacker or an organized network focused on harvesting money from gullible computer users.
We hear about another corporate juggernaut getting scuttled by a cyber breach every few weeks, but those headline-grabbing events are just the tip of the iceberg. In fact, 94 percent of cyber breaches happen to companies of fewer than 1,000 employees, and in many cases they don’t realize they’ve been compromised until weeks later. By that time, what started as a trickle has erupted into a full-blown dam burst, and the fallout is devastating in terms of disrupted business, lost sales, shaken confidence, and client exodus. Sixty percent of the companies that suffer a data breach are no longer in business 6 months after the breach.
From Shaming to Sharing
The good news is the sheer prevalence of cyber crime has coaxed the business community away from its earlier pattern of avoidance, shame and denial, into a more proactive stance of information sharing. Today more companies, platforms, and tools are emerging to facilitate the sharing of patterns and approaches of cyber attacks, leading to growing threat intelligence as the business community unites across industries and from multiple perspectives in battling a common foe.
Businesses are trending away from sometimes disjointed IT strategies toward Managed Services Providers who can provide a comprehensive cyber security solution, including Intrusion Detection Systems (IDS), real-time alerts, and effective user education. The emerging wisdom is to outsource cyber security monitoring so that any spike in data system outflow or inflow that may indicate an intrusion triggers an alert, with the goal of reducing the time lapse between breach and discovery.
The Race is On
Shared intel on breach experience has also underscored the fact that discovery and response need to outrun the spread of the attack in order to be effective. Seventy-five percent of attacks spread from victim 0 to victim 1 within 24 hours. In response to these sobering statistics, both houses of Congress have recently passed cyber security information sharing bills. Shortening the time between discovery and response is crucial, which means that, in addition to Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS), you need a financial plan in your Cyber Resilience program. While insurance might be part of this plan, let’s be clear with our terms.
Cyber Liability ≠ Cyber Risk
Businesses often confuse a Cyber Liability program with that of a Cyber Risk program and feel they are resilient to cyber attack. However, legally, the fact you had a breach doesn’t immediately obligate you to make payments to parties affected in terms of lost information: they still have to prove damages. Moreover, a Cyber Liability policy doesn’t cover the effects of the breach on your company.
A proper Cyber Risk program, on the other hand, focuses on simultaneously mitigating the immediate financial requirements and responding to the long term effects of a breach on one’s own company. It addresses the question, how do I finance a cyber-event?
Uncomfortable Conversations in Cushy Chairs
To answer that question, IT needs to sit down with the C-Suite and calculate the expenses you’ll need to respond to a cyber attack. Factor in potential lost profit, ongoing non-variable expenses, the impact of not being able to serve your customers or accept deliveries from your vendors (or of being rejected by them), and how long it will take before you can reestablish trust.
Once you’ve figured out how much money you’ll need, you’ll also need to calculate how quickly you can get your hands on those funds. How fast can your company move $5 million in cash? What would be the impact if you can’t use your system? Prefunding one event may be a workable option. If your cash velocity is slow, then Cyber Risk insurance might be the right path.
Insurance Isn’t Always Sure
While we’re on the subject of insurance, be aware that the industry is experiencing some chaos when it comes to meeting the coverage requirements for cyber attacks. Traditionally, insurers provide policies that respond to claims with a claim process developed prior to the digital age. Hence, the challenge for the industry is providing coverage that delivers financial resources within the new cyber breach claim timeline. There are a handful of insurers with strong financials and claims-paying reputations that understand and are experienced in responding to this new risk paradigm, with policies that account for restoring the system, including the technical, regulatory, legal, and related communication expenses.
Are you Cyber Resilient? If the answer is yes, then your management team has already war gamed a cyber breach and has a detailed plan for who will need to be contacted externally and internally; what systems may be affected and require replacement; and a disciplined communications process that positions your company to maintain its customer and vendor relationships post-cyber event. If you aren’t accounting for the risk, you are violating one of the fundamental principles of business.
As sure as SPECTRE targets James Bond, an organization is aiming a sneak attack on you. Be ready.