breached record amounted to about $964.
In the current marketplace, many businesses can amass a great deal of information about customers and employees and
then store the information indefinitely.
The primary cyber-related exposure a company often faces is a data breach that results in unauthorized access or release of an individual’s personally identifiable information (PII) or protected health information (PHI). PII includes such information as name, address, birth date, Social Security number, driver’s license number, and credit card or financial account information. PHI includes an individual’s healthcare policy number, biometric information, medical condition, test results, prescriptions, and so forth.
As technology continues to advance,
the cyber exposures that companies face
are expected to increase exponentially. To
that end, a company’s management team
needs to consider cyber-related exposures from different perspectives:
• Cyber as a peril — Businesses are becoming more automated and depend increasingly on computers, software, and the Internet to manage their industrial control systems. Managers of these critical infrastructure operations — including energy, utilities, communications, transportation and manufacturing — need to consider and evaluate the potential impact that catastrophic events such as cyber terrorism and cyber war can have. What would the implications be for the business if control systems were to fail or be destroyed? What would the potential impact be on the company’s main business operations and those of its contributors in the supply chain?
• Corporate financial perspective —
When evaluating cyber exposures,
a company must assess its financial
health and ability to survive a threat.
In conducting audits and assessments,
rating agencies may ask the company
how it would react to a cyber threat.
If the company is publicly traded, its
stock price might be affected. A company could face lawsuits from shareholders and customers for failing to
take adequate cybersecurity measures.
Additionally, a company experiencing a cyber incident might experience
reputational harm and loss of business,
even if only for a short period of time.
Lastly, a company has to decide whether to secure cyber insurance.
• Information Technology (IT) perspective — Excellent cybersecurity
measures and dedicated IT resources
are critical to helping protect a company’s assets. Many businesses continually wrestle with whether to invest
more in IT operations to prevent cyber
breaches and better protect their data
or to purchase cyber insurance in the
event of a breach. Many IT experts now
believe that 100 percent prevention is
impossible and that working to mitigate the losses during a cyber incident
may be a prudent course of action.
• Insurance perspective — Depending on the extent of its business operations, a company may have to comply with multiple federal and state privacy laws if a data breach is discovered. Currently, 47 states and the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have enacted laws requiring private or government entities to notify potentially affected individu-
Preparing for the Worst
secured the services of a data breach coach or remediation firm to help address those requirements? Is there adequate insurance coverage to help pay for breach-related expenses?
It’s clear that many companies stand to benefit when they prepare a cyber strategy before a claim occurs. Here are some of the steps in developing such a strategy:
• Identify assets — What constitutes a
critical asset will often vary from company to company. For example, retail
operations, healthcare facilities, and
higher education institutions might
consider their customer data to be a
critical asset. Manufacturing, energy,
and telecommunications firms might
consider their critical asset to be industrial control systems. Financial institutions, on the other hand, might take a
different view and identify the trading
platform to be a critical asset. Regardless, identifying what assets need to be
protected is a crucial first step.
• Outline a plan of action — Companies need to establish a plan of action
and identify measures to help protect
their assets. Vetting upstream and
downstream supply chain vendors to
inquire whether they employ cybersecurity best practices should be included in any strategy.
• Develop partnerships — Leveraging
the services of a skilled service provider
— professionals who have handled prior data breaches — may make dealing
with a cyber incident an easier process.
This might include a breach coach, typically an external legal counselor skilled
in handling data breaches, or a data
breach resolution service that offers
pre-breach assessment and education
and post-breach remediation services.
• Train employees — Employees often
pose the greatest internal threat to a
company. While malicious employees
play a part, studies have shown that
more often than not, it’s an honest
employee who causes cyber incidents,
either through human error or by mistakenly doing what the employee believes is right. Developing and distrib-