Steps to Take to Evaluate Cyber Risk: Part 1 – Assess IT Security
Reports of cyber data incidents serve as a constant reminder of the growing cyber risks that companies face in the world today.
According to the Identity Theft Resource Center, there were 781 data breaches reported last year, compromising nearly 170 million private records. As these numbers continue to climb, the question for executives and risk managers has become not if you will experience a data breach but when. Response tactics aside, just getting your head around the risks and developing a strategy in a changing environment present their own significant challenges.
To make the best decisions, you need information. The issue isn’t discovering information, but finding the right information and knowing how to use it. Try Googling “cyber security.” You will get approximately 16 million search results. According to Google’s published trends, the term is searched more than 33,000 times a month, a 100% increase from mid-2014. With all that information come a lot of questions, but not always clear answers.
The past year has seen a surge in Cyber Liability insurance adoption, and with it a lot of new questions.
Risk managers and C-suite executives across industries want to know: Do I need Cyber insurance? How does it fit into my risk strategy? What’s the right coverage, and how do I prepare for a cyber intrusion or data breach incident?
Before you and your broker sit down with an insurance provider, take some time to assess your potential cyber liability and fill the gaps where you can.
It’s become clear that cyber risk is not a peripheral concern, and certainly not exclusively an IT problem. It’s a business risk, and one that is recognized at the highest levels of the company. According to BDO’s recent Board Survey, more than 2/3 of directors report that their board is more involved in cybersecurity since last year.
What may be reassuring about this realization is that successful companies already address business risks every day. As with any other risk, addressing cyber security concerns starts with a risk assessment. In fact, many Cyber insurance providers require a self-administered risk assessment before extending coverage. The assessment is often factored into policy underwriting.
Property Casualty 360 offers a six-step list you can follow to evaluate cyber risk and prepare your organization. Step one is below.
1. Assess Information Technology security
At first thought, this task can seem overwhelming, particularly for companies with fewer resources. Start by considering the information your company owns, how it’s collected and where it is stored. The process should involve key members across the organization, from management to operations to back of the house. The IT team should be heavily involved in the process.
A proper assessment process identifies the data at risk, and considers both protected data and proprietary data.
Most of the data breaches that make headlines concern cyber incidents involving protected data, such as an individual’s personal health information or credit card information.
For many companies the most valuable data they own, and the greatest data breach risk, is intellectual property such as trade secrets and patents.
Look no further than the examples of Sony or Avid Life Media to understand that some hackers are interested in far more than stealing Social Security numbers.
Motivations can span foreign government-sponsored espionage, extortion or even moral outrage. These types of attacks are seldom in the news because companies are not required to report such incidents, and especially because they often involve criminal investigations.