In Managing Cyber Exposure: 2020 and Beyond – Part 2, Host and Director of Faculty Development, Jay Williams, CIC, CRM, CRIS, MLIS, AIP, AAI, ACSR; interviews Paul Burkett, J.D., CIC, CRM, CPCU, ARM, ALCM, about risk management as it relates to clients. Listen as they discuss the risk management elements affecting business executives, presidents, and everyone else who manages a business. With increased regulatory pressure, insurance agents are being forced to understand a highly technical and rapidly changing cyber threat landscape. As the industry witnesses more and more unique security breaches, how should agents manage risks in the cyber world?
Tune in to hear why it’s crucial to think like a cybercriminal, how there’s a whole lot more to confidential assets than we think, and what the C.I.A method can teach you about information security, and so much more.
Don’t miss this insightful podcast!
More on Managing Cyber Exposures
Due to increased regulatory pressure, unique security breaches, and significant challenges managing business in the cyber world, we are learning that we must understand a highly technical and rapidly changing cyber threat landscape. In response, agents should consider implementing the risk management process:
- Analysis of Risk
- Control of Risk
- Financing of Risk
- Practice of Risk Management
- Principles of Risk Management
Those of us who have the CRM designation understand the process of risk management and that the first step is to identify the problem. That’s kind of what it’s all about. This article includes part of the conversation between Paul Burkett and Jay Williams. Listen to the entire podcast here.
Is avoidance still the best technique?
Avoidance is not an option anymore since having assets means there are also vulnerabilities to keep in mind. Where there’s value, there are thieves, and cyber-criminals know the value of your information. Today, r isk professionals can no longer afford to underestimate the value of information or ignore cyber risks as major threats to an organization. Instead, they should implement a thorough and robust risk management program.
What should agents consider during the process of risk analysis?
- Identity theft is the largest and fastest-growing crime in the world.
- Data is difficult to protect and even more difficult to replace.
Data is an important competitive advantage for every enterprise. Knowing what customers want, what they like, and what market interests they have gets enterprises ahead of the curve and attracts dollars.
The appeal of mining data forces us to find solutions to replace it once an enterprise is compromised. But how do you replace the irreplaceable?
- Cyber Warfare
We are now seeing cyber warfare over the rights of information. There is a reason cybercriminals want to expend resources, including artificial intelligence, to steal information: it has value, and they want that value. We must know that in order to start understanding the severity of this problem.
- Is your information secure? Remember: C.I.A.
The three critical qualities of information security include the confidentiality of the information, maintaining the integrity of the information, and making sure the information is available at a certain time.
Confidentiality: What information needs to be kept confidential and protected?
Integrity: Make sure that information can’t be changed.
Availability: Is the information available to the proper people at the proper time?
If you’re an agent conducting an analysis of exposure, here’s what you should look for:
- Remember: C.I.A.
- Protect the three principal categories of information: public, confidential, and “internal use only”
- Think like a cybercriminal
Cyber criminals today need only to steal a password or a credential to sabotage a business. The risk of these criminals getting caught is very low, and the rewards are high.
They want to acquire financial records, wire transfer records, credit card information, health records, and medical history. They will then use that information for identity theft and to obtain intellectual property as well as copyrights, patents, trademarks, trade dress, and trade secrets.
Before you begin to Control Risk, understand what’s floating below the iceberg.
There are many hidden costs that risk managers need to consider as they bring a program together:
- Credit monitoring
- Breach notification
- Identity restoration
- Forensic analysis
- Data restoration costs
- Business interruption
- Brand and reputation protection
- Hiring an outside public relations firm
Risk Control & Prevention
Things to consider:
The assault is from all angles on the inside.
Good risk control and risk prevention locates, classifies, and protects critical information assets and either encrypts them or protects them with firewalls or limited access. However, securing the perimeter of the business enterprise is not enough. How do we get intruders out of the network? How do we quarantine a breach? How do we figure out the extent of the damage?
BYOD: The Bring Your-Own-Device Movement
We’re now allowing smartphones and other devices to access private servers, which creates portals and potential entrances into a database. Risk managers should manage, control, and back up valuable assets while also enforcing proper recognition of who can get in and who can’t.
Don’t rely solely on vendors or your IT department.
Everybody must be involved in, aware, and understanding of risk management. People should be hired and properly trained to understand security protocols.
The biggest asset is your employees.
Train them to know what a phishing attack is and what malicious attacks look like.
There are challenges to properly training employees.
COVID-19 and the rapid transition of people working from home have created many challenges for risk managers. Management has become lax and must strengthen the way they manage exposures successfully when people work from home. We must have a consistent control program. Ask yourself: Is it adequate? Is it satisfactory? Is it upgraded yearly? Do employees adhere to it? Is it effective?
- Care about cybersecurity
- Conduct a vulnerability assessment
- Test vulnerabilities regularly
- Make sure that security is everybody’s business
- Make sure everybody is trained in cybersecurity awareness
- Understand what’s open, how to allow the door to be open, and what the key to open the door is
- Security controls are the saws and hammers that get the job done
How can insurance help?
There are three basic elements included in most complex cyber insurance programs:
- Legal liability: protects against lawsuits as a result of a data breach
- Business interruption: replaces lost revenue as a result of downtime
- Breach notification costs: includes credit monitoring, notification costs, elements related to brand reputation, and forensic costs.
Tune in next time for Part 3 of the Cyber Liability podcast for an in-depth conversation regarding these important components of the risk management process.
For deeper dives into cyber liability, register for the Online MEGA Seminar. Cyber courses are available in January, May, and June.
Want to take your professional development further? Learn about our Certified Risk Manager program.
Cyber extortion is growing. Risk Management professionals are dealing with the issues of unintentional disclosure of data, damaged and stolen data, data restoration, and malicious breaches. We are also witnessing more unauthorized data collections of intellectual property which cause significant losses that are typically not covered under cyber policies.
In addition, we are aware that devices are constantly fighting phishing, spoofing, farming, and smishing attempts. We must also account for vendor errors as well as the technology errors and omissions claims that come with them, not to mention losses caused by business interruption, extra expenses, and expediting expense exposures. As the world of cloud computing continues to explode and data remains at risk, what are we to do in response to these evolving exposures?