Steps to Take to Evaluate Cyber Risk: Part 1 – Assess IT Security


Reports of cyber data incidents serve as a constant reminder of the growing cyber risks that companies face in the world today.

According to the Identity Theft Resource Center, there were 781 data breaches reported last year, compromising nearly 170 million private records. As these numbers continue to climb, the question for executives and risk managers has become not if you will experience a data breach but when. Response tactics aside, just putting your head around the risks and developing a strategy in a changing environment present their own significant challenges.

To make the best decisions, you need information. The issue isn’t discovering information, but finding the right information and knowing how to use it. Try Googling “cyber security”. You will get approximately 16 million search results. According to Google’s published trends, the term is searched more than 33,000 times a month, a 100% increase from mid-2014. With all that information come a lot of questions, but not always clear answers.

The past year has seen the surge of Cyber Liability insurance adoption ― and with it a lot of new questions.

Risk managers and C-suite executives across industries want to know: Do I need Cyber insurance? How does it fit into my risk strategy? What’s the right coverage, and how do I prepare for a cyber intrusion or data breach incident?

Before you and your broker sit down with an insurance provider, take some time to assess your potential cyber liability and fill the gaps where you can.

It’s become clear that cyber risk is not a peripheral concern, and certainly not exclusively an IT problem. It’s a business risk, and one that is recognized at the highest levels of the company. According to BDO’s recent Board Survey, more than two-thirds of directors report that their board is more involved in cybersecurity than it was last year.

What may be reassuring about this realization is that successful companies already address business risks every day. As with any other risk, addressing cyber security concerns starts with a risk assessment. In fact, many Cyber insurance providers require a self-administered risk assessment before extending coverage. The assessment is often factored into policy underwriting.

Property Casualty 360 lays out a six-step list you can follow to evaluate cyber risk and prepare your organization. Step one is below.

1. Assess Information Technology security

At first thought, this task can seem overwhelming, particularly for companies with fewer resources. Start by considering the information your company owns, how it’s collected and where it is stored. The process should involve key members across the organization, from management to operations to back of the house. The IT team should be heavily involved in the process.

A proper assessment process identifies the data at risk, and considers both protected data and proprietary data.

Most of the data breaches that make headlines concern cyber incidents involving protected data, such as an individual’s personal health information or credit card information.

For many companies the most valuable data they own, and the greatest data breach risk, is intellectual property such as trade secrets and patents.

Look no further than the examples of Sony or Avid Life Media to understand that some hackers are interested in far more than stealing Social Security numbers.

Motivations can span foreign government-sponsored espionage, extortion or even moral outrage. These types of attacks are seldom in the news because companies are not required to report such incidents, and especially because they often involve criminal investigations.


Xerox Research Labs Working on the Future in Retail


Imagine a future in which you are greeted by a digital wall when you step into a store, displaying a custom view of products personalized to your past purchases and recommended by people who share your interests. Touch any product on the screen and get more information about it, including a demo video and customer reviews. Or you can request assistance from a store associate.

Add products to your virtual shopping cart, and a fulfillment process places the actual products in a bag waiting for you by the exit.

This scenario is not possible yet, but at Xerox we are working on new technologies that will enable these kinds of experiences in the future.

The Xerox vision is one of personalized, real-world, real-time optimization: a natively digital experience that digital natives have come to expect from their interactions with companies such as Amazon, Netflix and Uber. These new types of brick-and-mortar stores will be “phygital”: all the features of an e-commerce website combined with the service and availability of a physical store.

Take a look below at some of the work in Xerox’s labs that will enable retail’s phygital future.

1. Video Analytics

Cameras, image processing and automated analytics will help retailers understand customers’ in-store browsing behavior. These insights will help retailers optimize their layout and merchandising, and it will help them understand the right time to send associates to help their customers.

2. Retail Robot

A robot that scans store shelves and automates checks of signage, out-of-stocks and merchandising compliance at a lower cost and with fewer errors.

3. Human-Computer Teams

Systems that combine the respective strengths of people and computers. Xerox is designing how the interaction between people and computers can make each better and more productive.

4. Virtual Assistants

Automated intelligent virtual assistants that can have conversations with people. Over time, the virtual assistant builds a shared context and understanding with the consumer. This will result in better service.

5. Hyper-Personalization

More than just understanding people by their behaviors and actions, Xerox is designing systems that understand your customers as individuals, including their personalities, so that you can tailor your communications styles.

6. Privacy-Preserving Analytics

Performing predictive analytics on encrypted data can deliver all the value of context-aware, personalized services without actually seeing your customer’s personal data. Only with these types of advanced security technologies will users allow service providers to access and mine their data. This research is particularly valuable in a world where we use a variety of sensors, ranging from cameras to wearables, to understand consumer behavior.

A Digital Native’s World

The future of retail is no doubt natively digital. It is about the integration of the physical and digital worlds to deliver personalized, real world, real time optimization.

So is it inevitable that machines will replace people in the future? No. In fact, Xerox believes that even as computers become capable of performing ever more complex tasks, the future will be about people and computers collaborating as a team.

It is exciting to see glimpses of this future in the works. The future will surely be interesting.


by Lawrence Lee – Xerox Blogs

Edited by AOSI

How Regulation and Homebuyers are Transforming Mortgage Processes


Digital Processes Gain Traction as Millennials, Regulations Disrupt Home Buying: Xerox Survey

NORWALK, Conn. — Today’s paper-intensive home-financing process can seem old-fashioned to millennials and other borrowers accustomed to the effortless nature of today’s many digital services. While a paperless mortgage world remains a dream, an annual Xerox survey reveals an accelerated pace toward making it a reality. Three key findings in the 11th annual Xerox Path to Paperless Survey pointing to a rapidly changing mortgage landscape include:

  • Accelerated Paperless Delivery Adoption: About 78% of the mortgage professionals polled have technology in place for eDelivery of disclosures or other documents to borrowers — an increase of 15% from the past year.
  • More Borrowers to Receive Documents Electronically: An overwhelming majority of respondents (92%) expect an increase in their use of eDelivery as a result of the TILA-RESPA Integrated Disclosures rule, helping offset closing delays as the industry adapts to the new regulation (only 15% cited a smooth implementation of TRID).
  • eMortgage Optimism Rising: More than half of respondents (51%), compared to 33% the prior year, believe that half of all loans will be closed as eMortgages in four years or less.

“While completely digital mortgages are not yet the norm, our survey shows continued movement away from shuffling paper from one desk to another and toward online platforms that enhance communication between all parties at every stage of the loan,” said Jeffrey Nuckols, senior vice president of Xerox Financial Services. “The new regulatory effort to improve the mortgage process comes at a time ripe for engaging today’s borrowers who increasingly demand an interactive, digital experience.”

Additional survey findings supporting the path to paperless include:

  • Millennial Engagement: With millennials representing the largest segment of recent homebuyers[1], the majority (51%) of respondents have applied new business strategies or introduced new technologies to appeal specifically to this tech-savvy generation (common ages 18 to 34). A social media presence (51%) and a consumer portal (43%) are the most popular implementations among respondents to attract millennials.
  • Going Mobile: 32% of respondents are leveraging smartphones and mobile tablets in their business transactions, doubling from 16% in 2014.
  • Simplifying Signatures Remains Key: eAcknowledgment and eSignatures are considered “very important” by 61% of mortgage professionals, making this the top-rated feature in technology evaluations for the 2nd consecutive year. This feature allows borrowers to sign a virtual document and eliminates the need for lenders to tote and manually track paper documents.

Xerox’s BlitzDocs® intelligent, cloud-based network simplifies the mortgage process by integrating all parties involved throughout the loan’s lifecycle, from origination to closing to servicing. Its collaborative, paperless capabilities support the mortgage industry’s path to eMortgage adoption.

Complete results of the Path to Paperless Survey are available online at www.xerox-xms.com. The blind, online survey was conducted within the US in October 2015 on behalf of Xerox Mortgage Services and surveyed professionals who work in origination, servicing and other mortgage areas.


Bright Ideas for Dark Days this Winter: CFLs and LEDs

Winter is here, which means the sun is out for less time and the lights in your home start putting in some longer hours. Take a look at your lightbulbs around the house and make sure that you are using energy-efficient options like CFLs and LEDs. Energy-efficient bulbs are a great way to save energy, reduce your carbon footprint and help save the environment. Did I mention it’s pretty easy too?

The New Normal

Inefficient incandescent light bulbs have been phased out in the US since the Energy Independence and Security Act of 2007. More energy-efficient solutions have become widely available and are great options for lighting in your home. These bulbs have a much longer life span than standard incandescent bulbs and use a fraction of the energy. Compare facts about bulb types to see which option is best for you, and keep in mind that although the purchase price is a little higher, they last significantly longer, which ends up saving you money in the long term.

Why CFLs?

Compact Fluorescent (CFL) bulbs use up to 75% less energy and last up to 10x longer than incandescent bulbs. Because they contain a small amount of mercury, they can’t be placed in the garbage or recycling bin, but they can be recycled at many locations, including county household hazardous waste drop-off sites and retail store “take back” programs. The mercury will only escape if the bulbs are broken, so store and transport them carefully.

Broken CFLs

If you break a fluorescent bulb, don’t just rush into cleaning it up since you could be exposed to mercury. The United States Environmental Protection Agency has a great guide for cleaning up CFLs to ensure that you, your family, and your home stay safe and that the affected area is treated quickly.

Why LEDs?

LED, or light-emitting diode, bulbs use 25% of the energy and last up to 25x longer than traditional incandescent bulbs. That is up to 50,000 hours of light! LED bulbs remain cool and give off less heat, which is not only more energy efficient but also a lot safer. LEDs don’t contain any hazardous material and can be placed in the garbage when they burn out.

Shedding Light on Energy-Efficient Bulbs

LED and CFL bulbs provide many benefits when used in your home. Seek out the best option by doing some comparisons on everything from lifespan, watts per bulb and cost per bulb. According to the Minnesota Pollution Control Agency, lighting accounts for close to 20% of the average home’s electric bill. Switching to LED or CFL bulbs is a great way to save money.


by Rethink Recycling

Retail Data Breaches: 3 Lessons Companies Have Learned

The holiday shopping season is in full swing, it’s ‘Cyber Monday’, and retailers need to take extra precautions.

Although the retail sector has by no means seen the greatest frequency of cyber attacks in recent years, several that have occurred have accounted for a huge percentage of the records actually stolen.

Compounded with the sensitivity of the information typically taken in such a breach (credit card details, passwords and personal information) and its appeal on the black market, major breaches such as those at Target, Home Depot and eBay in recent years have landed concern about commercial data security — and questions about who should be held liable for failures — front and center in the minds of retailers and consumers alike.

What can be done about the security of customer information? How are criminals slipping through seemingly secure systems? What can be done to thwart them? And who is responsible for the resulting financial losses when these efforts fail?

According to cybersecurity experts, the outlook is, frankly, a little bleak, but not hopeless — so long as organizations take serious strides to not only implement but vigilantly maintain stringent, systematic plans to keep data secure. This means ensuring that their systems as well as those of their partners, vendors and subsidiaries are secure from data leaks. IT security teams must be provided with adequate resources, both human and financial, and security education and awareness must become a part of company culture. The C-suite has to make data security a top priority. Given the increasing frequency and effectiveness of such breaches and how much such breaches can cost, it should be getting easier to convince the top brass that a boost in attention and resources flowing to cybersecurity efforts is well worth it.

As the holiday shopping season gets underway, let’s take a look at three of the major retail data breaches in the past few years to see what we’ve learned:

1. Target and Home Depot lesson learned: Vet your third-party vendors

According to cyber crime reporter Brian Krebs, investigations found that the Home Depot registers involved in the attack were infected with a variation of the same malware found on compromised Target registers. This software is designed to grab data from cards swiped at an infected point-of-sale system. In both cases, criminals accessed the retailers’ networks through that of a third-party vendor. Once in, the criminals were able to exploit a vulnerability in Windows, the operating system running the registers, to upload the malicious program.

Going after corporate data through vendors or less-protected subsidiaries is becoming a more common practice of cyber criminals. Smaller vendors and recently acquired smaller companies sometimes struggle to keep on top of data security. Organizations whose systems contain the personal and financial data of millions of customers have a responsibility to vet the vendors they work with (and the companies they acquire) meticulously to ensure that digital security protocols are up to standard and are enforced. Vendors and employees should only be able to access what is necessary for them to carry out their work, and the security measures on their own systems should be robust and reliable.

What makes for a robust and reliable protocol? Here are some things to consider:

  • Procedures for granting and removing access to employees should guard against unauthorized access to the company network.
  • Monitoring of security logs must be routine and consistent to ensure that attacks or breaches are identified quickly.
  • Companies should have a password security protocol and it should be enforced. Employees should change passwords regularly and be well-educated on the importance of password security, the methods criminals use to acquire login and password information and how to create a secure password. Two-factor authentication is a great indicator that a company takes password security seriously.
  • Bring-Your-Own-Device policies should be clear, comprehensive and carefully enforced.
  • Companies should ensure that the connection between networks is entirely secure. If sensitive data is being passed back and forth, make sure both you and your vendor have the capability to properly encrypt it.
  • Adequate firewalls, anti-virus and anti-spam software should be in place and kept up to date. Don’t forget the security of physical terminals — all the data protection in the world is useless if someone can access the system on-site or pick up hardware that hasn’t been properly decommissioned.
  • There should be a process in place for ensuring that frequent patches from software vendors are applied as soon as they are made available.

We in the insurance industry have long been advised — and often required — to vet third-party vendors regularly and carefully. It has now become clear that retail organizations would do well to follow the same advice.

2. eBay lesson learned: Data protection at all levels must be prioritized

A report from the International Business Times following the 2014 attack on eBay’s network indicated, with regard to an investigation by the relevant regulatory bodies:

Of particular interest will be the lack of encryption used to protect customer names, email addresses, physical addresses, phone numbers and dates of birth. Investigators will also analyze why it took eBay nearly three months to detect the hackers, how long it took to fix the breach and how long the company waited to notify authorities and customers.

Recent increases in identity theft and new account fraud tell us that encrypting personally identifiable information can be as important as encrypting financial information. Breaches like the one at eBay highlight how difficult it can be to detect attacks if the right systems are not in place to make sure relevant data is reviewed in a timely manner. Just like any other business process, log reviews, protocol revisions and security updates can become an automated part of a company’s workflow. Well-thought-out systems help to ensure that every feasible measure is taken to protect sensitive information and that new protocols are smoothly integrated as new threats arise and new solutions are found.
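The vendor-vetting list above calls for access provisioning that guards against unauthorized use, for vendors to reach only what their work requires, and for routine log monitoring; this paragraph adds that log review can be an automated part of the workflow. As an added illustration of what such an automated review looks like (example code written for this page, not code from Property Casualty 360 or any of the retailers named), the following Python script runs three simple rules over access log lines: a vendor account touching a host outside its allowed scope, a deprovisioned account still logging in successfully, and repeated failed logins against one host. The log lines, account names, host names, the VENDOR_SCOPE and DEPROVISIONED policy tables and the failure threshold are all constructed for the example.

```python
"""Rule-based review of access logs (added example, not from the article).

The log format, account names, host names and policy tables below are
constructed for this example.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: one event per line, "timestamp user host outcome".
SAMPLE_LOG = """\
2015-11-20T02:14:05 hvac-vendor pos-register-17 success
2015-11-20T02:14:09 hvac-vendor pos-register-18 success
2015-11-20T09:01:11 alice hr-fileserver success
2015-11-20T09:01:40 bob hr-fileserver failure
2015-11-20T09:01:42 bob hr-fileserver failure
2015-11-20T09:01:44 bob hr-fileserver failure
2015-11-20T09:01:46 bob hr-fileserver failure
2015-11-20T09:01:48 bob hr-fileserver failure
2015-11-20T09:01:50 bob hr-fileserver failure
2015-11-20T10:30:00 carol-former payroll-db success
2015-11-20T11:00:00 hvac-vendor hvac-controller success
"""

# Hypothetical policy data: the hosts each vendor account is allowed to reach
# (least privilege) and accounts whose access should already have been removed.
VENDOR_SCOPE = {"hvac-vendor": {"hvac-controller"}}
DEPROVISIONED = {"carol-former"}
# Constructed threshold: this many failures against one host is worth a look.
FAILED_LOGIN_THRESHOLD = 5


def parse_log(text):
    """Turn the whitespace-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, outcome = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "outcome": outcome,
        })
    return events


def review(events):
    """Apply the three rules and return (rule, user, host) findings in log order."""
    findings = []
    failures = Counter()
    for e in events:
        # Rule 1: vendor account succeeds on a host outside its allowed scope.
        if (e["user"] in VENDOR_SCOPE
                and e["outcome"] == "success"
                and e["host"] not in VENDOR_SCOPE[e["user"]]):
            findings.append(("vendor_out_of_scope", e["user"], e["host"]))
        # Rule 2: an account that should have been removed still logs in.
        if e["user"] in DEPROVISIONED and e["outcome"] == "success":
            findings.append(("deprovisioned_account_used", e["user"], e["host"]))
        # Rule 3 is counted here and evaluated once all events are seen.
        if e["outcome"] == "failure":
            failures[(e["user"], e["host"])] += 1
    for (user, host), count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failures", user, host))
    return findings


def summarize(findings):
    """Count findings per rule, the shape a daily review report would use."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    results = review(parse_log(SAMPLE_LOG))
    for rule, user, host in results:
        print(f"{rule:28s} user={user:14s} host={host}")
    print(summarize(results))
```

On the constructed sample this produces four findings: the vendor account on two point-of-sale hosts, the deprovisioned account on the payroll database, and the run of failed logins by bob. In a real deployment the two policy tables would come from the access-provisioning process described in the list above rather than from constants, which is what ties "routine log monitoring" back to "procedures for granting and removing access".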

Cyber crime is advancing quickly. It is imperative that companies move plans for pervasive data security systems from the “intention” stage to the “in action” stage, and quickly.

3. PNI Digital Media lesson learned: Get the board on board

PNI is a company that operates an on-demand photographic printing service for CVS, Sam’s Club, Costco, Rite Aid, Wal-Mart Canada and others. So far, relatively little is known about the PNI breach, but there has been much speculation as to how it happened, why it was allowed to happen and why it went undetected for nearly a year. We don’t like to give too much credence to speculation; however, the theories put forward can give us some insight into some of the overarching problems of data security, as identified by cybersecurity experts.

When news of the PNI breach broke in July of this year, Brian Krebs noted that the company had been acquired by Staples Inc. around the time that the breach is thought to have been initiated. This was worth mentioning because Staples itself had suffered a breach in mid-2014 that went undetected for some six months and exposed more than a million customer credit card records. This may or may not stand as evidence that the company is giving inadequate attention to cybersecurity, but it does seem to indicate that boardroom support for Internet security efforts is one of the problems security experts have identified.

This has been highlighted by the recent breach at Experian that resulted in the theft of personally identifiable information records — including Social Security numbers — of 15 million T-Mobile customers. During his investigation of that case, Krebs interviewed several security experts who had left the Experian security team specifically because the folks at the top refused to dedicate adequate resources to securing the credit bureau’s extremely sensitive digital files.

Following the massive breach at Target in 2013, similar concerns were raised, and, in the end, the company’s chief information officer resigned. A new CIO, chief information security officer and chief compliance officer were sought to take her place. Whether more leadership at the top is a solution to the problem remains to be determined, but the need for the C-suite to understand and keep a watchful eye on its digital security protocols is becoming clear.

4 cyber security tips for retailers

Here are four tips for retailers on maintaining cyber security, based on some recurrent themes that have emerged from the retail data breaches.

>> Educate employees

Cybercriminals have become particularly fond of phishing to gain access to otherwise secure networks. With a little social media skulking and email contact, they are able to obtain much of the information they need to access login and password information that grants them broad access to corporate networks. Employees have to be informed of the methods criminals use to obtain this information. From clerical workers to the CEO, every employee and vendor needs to understand basic preventative measures — such as how to recognize a phishing attempt or how to create and maintain a secure password — and corporate policy needs to make clear the necessity of following security protocols.

>> Get help

Another theme that seems to recur in cyber crime prevention conversation is the possibility that data security may be a task best left to experts. Even in very large companies that can afford to maintain full security teams, those teams often struggle to acquire the resources they need in a timely manner, because their success is generally not the top priority for the company. A security agency, on the other hand, relies on this strength to stay in business — this is their core competency. In addition, external agencies are able to be more objective about how to prioritize security and to draw on a broad range of experience and a much deeper well of knowledge.

This is one of the benefits companies seek in migrating to the cloud. A reputable cloud host is well aware that the security of its servers and its ability to protect the data entrusted to it is indispensable if it is to compete and survive. As a consequence, cloud servers will likely be some of the most secure places to store data into the future.

>> Crack down on cyber criminals

Opinions are divided on whether governments are really in a position to stem the tide of cyber crime, which is by its nature heedless of national borders. Nevertheless, some experts believe governments will have to become more involved in the investigation and criminal prosecution of cyber crime. Without such a large, international effort, they say, the cost of securing data and recovering from attacks will eventually outstrip the benefits of conducting business in cyberspace. Suggestions include an international governing body that would work not only to stop cybercriminals, but also to regulate security measures, requiring companies around the world to adopt a universal baseline of prevention and detection methods.

>> Make individual cyber hygiene a habit

The time has come for all of us to accept that we have to step up our personal online protection if we want to keep our financial and personally identifiable information safe from criminals. Just as we once had to accept that we should lock our doors and keep the children in the yard, we now have to realize that certain inconveniences, such as using a different password for every online service and storing those passwords in a secure app or, better yet, in our memories, must become a matter of habit. Credit card and loan offers that could once be discarded with the junk mail should be shredded, and credit card statements need to be reviewed every month. Individuals have to be more diligent about avoiding emails from unfamiliar addresses or clicking on mysterious links. Even phone calls that seem to come from benign solicitors or familiar institutions like banks and workplaces may be phishing attempts.

The more consumers are acquainted with methods to protect themselves from fraud and identity theft — and the consequences if they choose not to — the fewer claims a company has to cover and the less a store loses on fraudulent purchases that no one — not the credit card holder, the credit card company nor the credit card fraudster — is going to pay for. What’s more, customers who know they have protected themselves will have greater confidence in the security of their information as they venture out to make purchases. A better informed consumer will always be a benefit to the market.

The time has come for everyone to recognize cyber crime as a serious threat to the economic security of both individuals and corporations. We may not yet know how to shut down cyber criminals completely, and there is still a long way to go before we can say that we have done all we can.

by Lance Spellman – Property Casualty 360

Hacked! The cost of a cyber breach (Part 5) – Manufacturer Industry

Company Profile: A manufacturer with 400 employees

The Internal Revenue Service discovered that hundreds of fraudulent tax returns had been filed on behalf of employees who work for the same manufacturing company. The IRS notified the FBI, and the FBI alerted the manufacturer. The investigation determined that the personnel files of 298 past and current employees had been accessed.

According to the NetDiligence® Data Breach Cost Calculator the estimated costs of the 298 lost records for the manufacturer could be:

Incident Investigation Costs: $180,000
Customer Notification and Crisis Management Costs: $29,000
Fines & Penalties: $6,000
Total Costs: $215,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type impacts 28,000 records, driving the average cost to a business to $1,728,000.

Detection Costs: $610,000
Notification Costs: $560,000
Legal Settlement Costs: $558,000

Risk Management Tips:

  • Establish an information retention policy and include guidance on what types of information should be retained, how long it should be retained and procedures for destruction of unneeded data.
  • Establish new hire training and regularly scheduled refresher training courses in order to instill the data security culture of your organization.
  • Create, implement and test an incident response plan.

As Tim Francis likes to remind business owners and risk managers, all businesses are vulnerable: “It’s not a matter of if, but when.” Be sure to review your insurance coverage with your agent, broker or carrier to understand what cyber coverage you have and what you might need.


by Rosalie L. Donlon, Property Casualty 360

Hacked! The cost of a cyber breach (Part 4) – Technology Industry

Company Profile: Software as a Service (SaaS) provider of human resources and membership management software for gymnasiums countrywide

An employee opened up a phishing e-mail that infiltrated the company’s centralized network. Anti-virus software failed to keep out the malicious code, exposing names, addresses, dates of birth, Social Security numbers and financial information, such as credit card and bank account numbers. A computer forensics investigator was hired, who determined that personally identifiable information had been compromised. This included information related to the customers’ employees as well as the company’s own employees.

According to the NetDiligence® Data Breach Cost Calculator, the estimated costs for this event for the software service provider could be:

Incident Investigation Costs: $291,000
Customer Notification and Crisis Management Costs: $504,000
Fines & Penalties: $550,000
Total Costs: $1,345,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type could drive the average costs up to $2,810,000 for a business.

Detection Costs: $610,000
Notification Costs: $560,000
Post Breach Costs: $1,640,000

Risk Management Tips:

  • Implement vendor security into your Information Security policies and procedures.
  • Add provisions that address cybersecurity into your vendor contracts.
  • Practice cyber-attack response drills with your vendors.


by Rosalie L. Donlon, Property Casualty 360

Hacked! The cost of a cyber breach (Part 3) – Financial Industry

Company Profile: A Community Bank, $350 million in assets

Computer hackers launched a distributed denial-of-service (DDoS) attack against the bank’s website as a smoke screen for breaking into its network. This malicious attack shut down the bank’s online banking for three days.

According to the NetDiligence® Data Breach Cost Calculator the estimated costs for this event for the Community Bank could be:

Incident Investigation Costs: $192,000
Customer Notification and Crisis Management Costs: $475,000
Fines & Penalties: $132,000
Total Costs:* $799,000
*Not including the loss of business income the bank suffered during the attack.

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type could drive the average costs up to $2,810,000 for a business.

Detection Costs: $610,000
Notification Costs: $560,000
Post Breach Costs: $1,640,000

Risk Management Tips:

  • Create, implement and test a business continuity plan and disaster recovery plan.
  • Implement an intrusion detection system on your network.
  • Have a secondary system available for online access, and ensure this system is regularly tested for functionality.


by Rosalie L. Donlon, Property Casualty 360

Hacked! The cost of a cyber breach (Part 2) – Healthcare Industry


Company Profile: A Nonprofit Hospital, $100 million in annual revenue

A physician employed by the hospital accidentally left his hospital-issued laptop on a train. The laptop contained an unencrypted database of current patient records that included protected health information (name, Social Security number, credit card, insurance ID and limited medical information) for 550 patients. The data stored on that laptop was completely unsecured: the laptop had no remote take-down capability and was not password protected.

According to the NetDiligence® Data Breach Cost Calculator, the estimated costs of the 550 lost records for the Nonprofit Hospital could be:

Incident Investigation Costs: $180,000
Customer Notification and Crisis Management Costs: $34,000
Fines & Penalties: $167,000
Total Costs: $381,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type impacts 28,000 records, driving the average cost to a business to $3,149,000.

Detection Costs: $610,000
Notification Costs: $560,000
Regulatory Costs: $1,979,000

Risk Management Tips:

  • Implement procedures for using effective passwords and mandate periodic changes.
  • Consider implementing security measures including encrypting protected health information (PHI) that may be stored on the laptops and having remote disabling capabilities.
  • Consider storing PHI on a central server and accessing the information via a secure connection.

Read part 1 of Hacked! The cost of a cyber breach – Retail Industry


by Rosalie L. Donlon, Property Casualty 360

Hacked! The cost of a cyber breach (Part 1) – Retail Industry

We’ve all read or heard about the many data breaches and cyber “incidents” in the news, including Sony, the U.S. government’s Office of Personnel Management, and several airlines. To put those data breaches—a more accurate term than cyber attacks—in perspective, Tim Francis, Enterprise Cyber Lead, Travelers, speaking at a recent cyber media event, “Hacked: The Realities of a Cyber Event,” held Oct. 1 in Washington, D.C., provided an overview of the threat landscape. He explained that, according to the Symantec Internet Security Report, there are 34,529 known computer security penetration incidents per day. Not all of these incidents result in the theft of personally identifiable information, but the sheer numbers are troublesome.

The panel, moderated by Joan K. Woodward, President, Travelers Institute and Executive Vice President, Public Policy, also included

  • Tom Finan, Senior Cybersecurity Strategist and Counsel, U.S. Department of Homeland Security
  • Chris Hauser, 2nd Vice President, Cyber Fraud, Travelers Investigative Services and former FBI agent responsible for cyber investigations
  • John Mullen, Managing Partner, Lewis Brisbois Bisgaard & Smith LLP, and Chair, U.S. Data Privacy & Network Security Practice
  • Melanie Dougherty-Thomas, Managing Director, Crisis Communications Management, Inform

The panelists agreed that small to mid-sized businesses are the most vulnerable, and one successful attack can shut those businesses down completely. But what types of claims are the most common and what do they really cost?

Travelers’ cybersecurity experts have developed common cyber claims scenarios across five industries; part 1 discusses the retail industry. The costs add up quickly, often reaching more than $1 million.


1. Hack in the retail industry

Company Profile:  A local retailer, $30 million in revenue

A credit card company identified 50,000 credit cards that had been used legitimately at a retailer and were subsequently compromised. The retailer also needed to hire a law firm to serve as counsel and breach coach. Costs included required notifications to the 50,000 victims as well as ongoing credit monitoring. As a result of this incident, a class action lawsuit was filed.

According to the NetDiligence® Data Breach Cost Calculator, the estimated costs of this event for the retailer could be:

Incident Investigation Costs: $158,000
Customer Notification and Crisis Management Costs: $920,000
Class Action Lawsuit Costs: $689,000
PCI Related Costs: $783,000
Total Costs: $2,550,000

According to the Ponemon 2015 Cost of Data Breach Study, an average event of this type could drive the average costs up to $5,920,000 for a business.

Lost Business Costs: $3,720,000
Post Breach Costs: $1,640,000
Notification Costs: $560,000

Risk Management Tips:

  • Maintain and frequently review compliance obligations under the Payment Card Industry (PCI) Agreement.
  • Consider implementing end-to-end encryption of credit card transactions.
  • Employ a chief information security officer (CISO) to develop and implement your business-wide data privacy procedures.

by Rosalie L. Donlon, Property Casualty 360