Cyber Risk Assessment and Management
Proper cyber security risk management is more than a technology solution. A company, led by its CEO, must integrate cyber risk management into day-to-day operations. Additionally, a company must be prepared to respond to the inevitable cyber incident, restore normal operations and ensure that company assets and the company’s reputation are protected.
- Understand what information you need to protect: identify the corporate “crown jewels.”
The first step in assessing an organization’s cyber risk is to understand what company assets you are trying to protect and why. Ask yourself, what are your most critical assets? Identify your most important information, assets, and legally protected information.
- Identify Threats to Crown Jewels
- How do you store the information?
- Who has access to the information?
- How do you protect your data?
- What steps are you taking to secure your computers, network, email and other tools?
- Forecast the consequences of a successful attack
If you have an information technology staff or chief information security officer, ask them to walk you through the above analysis. Ask them to quantify the risk. Also ask them to explain what could happen as a result of a fully successful cyber attack against your company.
For more information please see, NCSA – Assess Your Risk
Cyber Risk Mitigation – Implement a Cybersecurity Plan
Most experts recommend that businesses have a strategic approach to cybersecurity.
The Federal Communications Commission created the Small Biz Cyber Planner to help businesses evaluate their current cybersecurity posture and create a plan. See http://www.dhs.gov/sites/default/files/publications/FCC%20Cybersecurity%20Planning%20Guide_1.pdf
A comprehensive cybersecurity plan needs to focus on three key areas:
- Prevention: Solutions, policies and procedures need to be put in place to reduce the risk of attacks.
- Resolution: In the event of a computer security breach, plans and procedures need to be in place to determine the resources that will be used to remedy a threat.
- Restitution: Companies need to be prepared to address the repercussions of a security threat with their employees and customers to ensure that any loss of trust or business is minimal and short-lived.
For more information:
Cyber Insurance – Risk Transfer
The cyber insurance market has evolved significantly since the first policies were introduced in the late 1990’s. Today, there are more than 25 carriers in the market providing up to $300M in limits. Coverage extensions have developed to include both the third-party liability and first-party cost and expenses associated with a data breach or cyber attack. Insuring agreements vary by insurance company. Options may include:
- Security & Privacy Liability – defense and indemnity for failure to keep information private, failure of third-party affiliates to keep information private and failure of systems to prevent a network security failure (including transmission of a virus). Information includes corporate confidential information (CCI), personally identifiable information (PII) or protected health information (PHI) and can be in electronic or tangible form.
- Crisis Management – expenses incurred by the insured stemming from a security failure. Covered expenses include costs to respond to adverse publicity, comply with regulatory requirements and voluntarily and proactively provide notification and credit monitoring services to affected parties.
- Regulatory Proceedings – covers defense of a proceeding or action brought by a privacy regulator (Federal Trade Commission, Health Insurance Portability and Accountability Act (HIPAA), State Attorney General) or fines for breach of a privacy regulation. Limited coverage for “PCI” fines is available.
- Business Interruption – costs incurred by the insured stemming from a material business interruption directly caused by a security failure.
- Data Recovery – costs incurred by the insured to restore, recreate or recollect electronic data stored on the insured’s computer system that becomes corrupted or destroyed due to a computer attack; including disaster recovery and computer forensic investigation services.
- Cyber Extortion – costs incurred, and extortion monies paid, due to a threat related to the interruption of the insured’s computer system, or the release or destruction of private information.
With the increasing frequency and costs associated with cyber attacks, your company’s risk management strategy should include cyber insurance to help mitigate financial loss and protect your company’s balance sheet.
For more information:
Evaluation A designated team or individual should follow-up to ensure that the cyber security plan has been implemented and that the plan is protecting the company’s assets. The CEO and board of directors should engage in evaluating the company’s cyber security plan. Audit committees should consider the cyber security plan as a standing agenda topic, like cash management (see Getting Started Guide and Board Oversight).
Who Can Help
While many IT security product and service firms exist to support the CIO and his staff, they are less likely to address the needs of the CEO and board. This may change with time.
Performing risk management responsibilities may inherently reveal sensitive information about the firm’s risk posture. Most firms are concerned with such information being discoverable in a lawsuit that results from a security breach and thus working against the firm whether the risks were caused intentionally or accidentally. For this reason, it is advisable to work through internal or external counsel so the data may be controlled under attorney-client privilege.
Managed Services and Cloud Providers
The scale and the pace of the escalation of threat that small and medium-sized businesses face can be the same as for large businesses, but scaling defenses to the same level as large businesses can be out of reach. One way of achieving the scale and scope of a large business is through the use of managed security services, which are offered by a range of vendors. Managed security service providers (MSSPs) can have the perspective across many customer accounts to see attack patterns more clearly and quickly, allowing them to design a response and defenses. Moving systems to the cloud can also allow SMBs to leverage scaled security resources. For example, some cloud providers will have a large scope of examples of attacks, including data from user reports, instances of email Phishing, monitoring of virtual machines that detect compromised servers rapidly, and in-place event logging for forensics and response. There is an emerging class of technologies to allow business data to remain encrypted and in some cases even be processed in the cloud. In choosing among MSSPs and cloud providers, the company must also balance benefits versus the risks of single points of failure among providers and pay attention to service level agreements (SLAs), jurisdictions and geographic locations in which data and services will be implemented.
For More Information