Steps to Take to Evaluate Cyber Risk: Part 2 – Quantify Risk

If your customers’ credit card information is stolen, do you know how much that will cost you?

Property Casualty 360 walks through a six-step list you can follow to evaluate cyber risk and prepare your organization. Here is step two.

2. Quantify risk

With guidance from key department personnel and IT, seek to develop two to three data breach scenarios that could affect your organization. The goal is to quantify the potential financial impact.

  • Leverage any IT security assessments that have been performed in the past, such as penetration testing or white-hat modeling.
  • Consider the costs in the following categories: computer forensics, crisis management, notification costs, credit monitoring, data restoration, defense costs, fines and penalties, and business interruption.
  • Use this assessment as an opportunity to line up potential vendors to assist with a breach by seeking cost estimates for the response to your scenario. For example, if you have a breach affecting 150,000 records of credit card numbers from customers living across 12 states, your attorneys should be able to provide a fee estimate of the legal and notification costs.

After you’ve developed scenarios and response cost estimates, your company can develop a strategy to address the risk and better quantify the potential benefits of Cyber coverage.

 

BY MATT HANSON, DREW OLSON


Steps to Take to Evaluate Cyber Risk: Part 1 – Assess IT Security


Reports of cyber data incidents serve as a constant reminder of the growing cyber risks that companies face in the world today.

According to the Identity Theft Resource Center, there were 781 data breaches reported last year, compromising nearly 170 million private records. As these numbers continue to climb, the question for executives and risk managers has become not if you will experience a data breach but when. Response tactics aside, just getting your head around the risks and developing a strategy in a changing environment present their own significant challenges.

To make the best decisions, you need information. The issue isn’t discovering information, but finding the right information and knowing how to use it. Try Googling “cyber security.” You will get approximately 16 million search results. According to Google’s published trends, the term is searched more than 33,000 times a month, a 100% increase from mid-2014. With all that information come a lot of questions, but not always clear answers.

The past year has seen a surge in Cyber Liability insurance adoption, and with it a lot of new questions.

Risk managers and C-suite executives across industries want to know: Do I need Cyber insurance? How does it fit into my risk strategy? What’s the right coverage, and how do I prepare for a cyber intrusion or data breach incident?

Before you and your broker sit down with an insurance provider, take some time to assess your potential cyber liability and fill the gaps where you can.

It’s become clear that cyber risk is not a peripheral concern, and certainly not exclusively an IT problem. It’s a business risk, and one that is recognized at the highest levels of the company. According to BDO’s recent Board Survey, more than 2/3 of directors report that their board is more involved in cybersecurity since last year.

What may be reassuring about this realization is that successful companies already address business risks every day. As with any other risk, addressing cyber security concerns starts with a risk assessment. In fact, many Cyber insurance providers require a self-administered risk assessment before extending coverage. The assessment is often factored into policy underwriting.

Property Casualty 360 walks through a six-step list you can follow to evaluate cyber risk and prepare your organization. Step one is below.

1. Assess Information Technology security

At first thought, this task can seem overwhelming, particularly for companies with fewer resources. Start by considering the information your company owns, how it’s collected and where it is stored. The process should involve key members across the organization, from management to operations to back of the house. The IT team should be heavily involved in the process.

A proper assessment process identifies the data at risk, and considers both protected data and proprietary data.

Most of the data breaches that make headlines concern cyber incidents involving protected data, such as an individual’s personal health information or credit card information.

For many companies the most valuable data they own, and the greatest data breach risk, is intellectual property such as trade secrets and patents.

Look no further than the examples of Sony or Avid Life Media to understand that some hackers are interested in far more than stealing Social Security numbers.

Motivations can span foreign government-sponsored espionage, extortion or even moral outrage. These types of attacks are seldom in the news because companies are not required to report such incidents, and especially because they often involve criminal investigations.