Unfortunately, data breaches have become an extremely common occurrence. Not all of them have the high profile
of a Target, Ashley Madison, Home Depot or Anthem breach, but the damage to
a company and its reputation is very real.
While companies can purchase cyber
insurance to help manage the risks associated with a breach, there are also steps a
company can take to maximize the relationship with their breach team and minimize the fallout following the cyber event.
Here are five factors to consider when
it comes to managing a company’s cyber
attack or data breach.
1. Assess the risk
So how does a company prepare for such
an eventuality and what steps should be
taken after a breach occurs?
“Start with what you will face if a
breach occurs,” advises Anthony Roman,
president of Roman & Associates,
a global investigation, risk management
and computer security consultation firm.
“Corporations of all sizes that hold any
information that can be deemed private
or personal are going to face a number of
very serious hurdles in a breach that will
encourage them to have a breach plan.”
Roman says this includes class action
suits for the “undue release or allowing
the release of personal and private information.
The average class action suit is
settling for $2.9 to $3 million.” He estimates
the legal costs to defend a company
in a class action suit will range anywhere
from several hundred thousand dollars to
well over one million.
“You may face government sanctions
for local, state, federal or legal violations,
some of which are criminal in nature and
some which are civil in nature,” he explains.
Criminal violations can pierce the
corporate veil and involve specific individuals
within the corporation.
There could also be regulatory sanctions if the company violated any Federal
Communications Commission (FCC)
regulations or any other regulatory agency’s regulations regarding cyber security.
“That should be a wonderful motivator
for anyone to have a robust and compliant breach program,” he adds.
Roman recommends that companies
work with their brokers to craft coverage that will reduce their risk, review the
policy exclusions, and ensure that they
are insured to cover the types of information that will be affected and the resulting
exposures from a breach.
2. Avoid these mistakes
The saying goes, “Fail to plan and plan to
fail,” and nowhere is that more true than
with cyberattacks and breaches. “Not
having a well thought out and documented roadmap for the ‘what, when, where,
who and how’ of responding to a suspected data breach is a recipe for disaster,”
says Paul Nikhinson, Esq., privacy breach
response services manager for Beazley.
“Most post-incident mistakes could be
avoided or mitigated by implementing
appropriate pre-incident prevention and
response plans,” adds Kevin Kalinich at
Aon. He says that some of the major mistakes companies make include:
• Internal company denial regarding the
potential magnitude of the incident. Appropriate resources and attention must
be allocated immediately to determine
the magnitude of the incident. The financial impact of cyber incidents is not
always directly correlated with the size
of the incident, but the financial statement impact is often correlated to the
effectiveness of the response.
• Automatically characterizing an “incident”
(no immediate legal liability connotations)
as a “breach” (immediate legal liability
connotations under various laws,
regulations and insurance
• Passing the buck rather than developing
a comprehensive coordinated response.
5 Keys to Managing a
By Patricia L. Harman, PropertyCasualty360.com