Tom Ridge Tells Cyber Conference Insurance Should Incentivize Risk and Resilience Planning

More Americans worry about being hacked than about mugging, burglary, sexual assault, murder, or physical harm to a child, according to a new Gallup poll. While hacking concerns increased with household income, they affected a majority of Americans in every income and age bracket, while no other form of violent crime surpassed 45% of those polled.

A new survey from Advisen and Zurich found that this fear is nearly universal for companies as well. Across industries, 88% of businesses view cyber as at least a moderate risk – up to 93% among larger businesses and 81% among small ones. Despite this widespread recognition, however, fewer businesses have a breach response plan in place than just a year ago. In 2014, only 62% have a response plan in place – a 10% decrease from 2013. Yet 66% now use cloud services, a 20% jump from last year.

“Clearly, security concerns are being outweighed by the benefits of technology,” said Erica Davis, Zurich vice president and assistant national manager for E&O, while presenting the findings on Tuesday at Advisen’s Cyber Risk Insights Conference.

Throughout the conference, consensus was clear: the 69% of Americans and 88% of businesses are on the right track, as their fears are well-founded. “There are two types of banks today: those that have been breached, and those that will,” Roc Starks, senior vice president and director of corporate insurance at Citizens Bank, said at one of the day’s panels. “First response is the critical difference in how banks and customers will fare.”

Keynote speaker and former Director of Homeland Security Tom Ridge (now of Ridge Insurance Solutions) shared this outlook on cybersecurity across industries. “There are going to be breaches,” he said. “Resilient companies are the ones that are prepared to respond.”

Yet breach response without risk management and an eye toward mitigation is no longer sufficient. “Those prepared to organize around risk and resilience are those that will withstand and lead,” he added. “By the time we get here next year, the risks will be different – the digital sun will never set.”

The landscape of cyberrisk and hacking schemes is constantly evolving, and changing at a scale and speed unlike anything seen before, Ridge said. For attendees, there was little doubt about this insight, as panelists throughout the day detailed new phishing schemes they had seen, top areas of emerging vulnerability, and the myriad breaches they or their industry colleagues have navigated. More companies are investigating the most useful forms of coverage for their unique exposures and exploring which management structures and risk owners are most effective at monitoring and mitigating cyberrisk. The recognition is there, and so are some of the solutions, but the insurance landscape must still evolve, as must the strategies. “We’ve seen a mind-shift,” Ridge said. “CEOs get it, but they do not know what to do and who the threats come from.”

To that end, there is more the industry can do to help. Ridge lauded the idea of “intelligent insurance,” arguing that, in addition to devoting greater resources to investigating cyber threats, the insurance industry should turn its attention to incentivizing companies to manage cyberrisk more effectively.

Much as in insurance disciplines like kidnap and ransom, some of the greatest benefits of insuring cyberrisk may come from the processes of evaluation and contingency planning. According to Ridge and other conference speakers, finding out how to oversee and incentivize those processes may be the next adaptation for cybersecurity insurers.

Strength in Numbers: Internet Risk Detection and Brand Protection

Many of the attacks launched against today’s brands are as covert as they are debilitating. In today’s connected age, savvy cyber criminals often blitz companies with a flurry of activity across an array of online channels.

To make matters worse, employees who are using the Internet casually or personally create a vulnerability for businesses: workers could click on a phishing link sent to their personal account and unknowingly be exploited by cyber criminals, or they could bring harm to the business via a social media post they thought to be harmless.

And, let’s not forget that brands can also inflict damage on themselves, such as through executive scandals, accounting errors or failing to protect customers and investors.

Even though these events may not involve a malevolent, third-party attacker, the resulting fallout can be just as severe as if the company had fallen prey to one.

Given these circumstances, companies could face a barrage of both external and internal threats to their brand, customer loyalty and bottom line.

So, how can they defend themselves? The same crisis management procedures brands use following an external attack should also extend to self-inflicted events. Every reliable, robust brand defense strategy should begin with an Internet Reputation Management Council (IRMC).

The Power of Many

No one stakeholder within a company can be solely responsible for online brand reputation management. Instead, businesses need to bridge the gap between departments, creating an environment in which employees across the marketing, security/IT, finance and legal departments unite and share resources to defend the brand—and it all begins with an IRMC.

Council members representing departments throughout the organization will become Internet reputation champions who work collaboratively, from within their individual departments, to ensure that ownership and management of the brand is carried out across the enterprise.

As such, an IRMC has the range and visibility to combat the multitude of Internet-based threats. To borrow a term from the military, an enterprise that deploys an IRMC is essentially following a “defense-in-depth” strategy, by creating a redundant, layered web of defenders.

The Members of an IRMC

Once a company decides to launch a cross-departmental IRMC, who makes up its members? Executive-level sponsorship will provide the vision for an Internet reputation strategy, facilitate cross-functional and resource collaboration, and build a brand-aware organizational culture. A team leader is responsible for executing that vision on a day-to-day basis and marshaling the resources needed to protect the brand. Area leaders will protect the brand from various departments within a business, including marketing, legal, investor relations, compliance, e-business, human resources, public relations, security and fraud, and IT.

Although all IRMC roles are important, it’s these area leaders who can make or break a brand’s Internet reputation.

A successful response demands the full participation of every member of an IRMC. Even though response actions may be centered in one department, these crises are full-company situations.

After all, it’s not as though the public would only render judgment in isolation, for example, against “Target’s security team” or “Yahoo’s executive search committee”—the entire brand is put under a microscope following an incident.

A Defender at Every Position

With an effective IRMC, companies like these can use the “power of many” to combat such Internet-based threats to their brand, even when they’re self-inflicted. An IRMC operates by:

  • Identifying key internal stakeholders and inviting them to collaboratively establish the guidelines of Internet reputation management within the company
  • Meeting regularly to keep abreast of industry and technology changes, as well as emerging forms of Internet-based threats
  • Establishing goals and targets, such as building a structure to set up a “Best of Breed Governance Policy,” and setting metrics to track performance
  • Preparing emergency response protocols
  • Implementing training policies and communication within each department
  • Reviewing, measuring, evaluating and managing progress against objectives

Although a fairly new concept, there are already real-world examples of effective IRMCs. AstraZeneca’s reputation council, for example, comprises a diverse group of those with “stakeholder responsibilities,” including representatives from sales, marketing, finance, human resources and communications. It reports directly to the CEO, and because of this structure, long-term risk management and prevention are infused into the company’s corporate focus.

Ultimately, the true value of an IRMC like AstraZeneca’s isn’t in how many attacks it directly neutralizes, but that it creates an organizational culture of Internet reputation management excellence, starting with the heads of core departments and working its way throughout the rest of the enterprise.

By the time an IRMC is engaged in responding to an incident, significant damage has already occurred. The best-protected brands are those that have identified brand protection as a central part of their mission statements. Their investment in a culture of excellence, led by their IRMC, mitigates risks before they become reality, improves profits and creates value for customers, employees and other stakeholders.

U.S. Policymakers Renew Focus on Data Breach Laws

If we have learned any lessons from the last few years, it is that data breaches present a significant business risk to organizations, often resulting in high financial cost and impact on public opinion. According to a recent study, the average cost of a data breach incident is approximately $3.5 million. With reputation management and a complex regulatory landscape as additional organizational concerns, security and risk professionals face the tough task of ensuring their companies successfully manage the aftermath of a data breach.

A crucial aspect of data breach preparedness is having a strong understanding of the legislative and regulatory framework around data breach notification. However, set against a patchwork of 47 existing laws from nearly every U.S. state, risk and compliance professionals are challenged with understanding and communicating the rights of their business and customers. The recent mega breaches experienced by several large companies in the United States have resulted in heightened consumer, media and policymaker awareness and concern, making the potential for new requirements and legislation a hot topic.

Currently, legislation that would establish a national data security and breach standard remains undefined.

However, there has been a renewed focus from policymakers and support from the Obama administration to adopt a national notification requirement – offering clarity and guidance for organizations following a data breach. While legislation awaits, experts expect continued data breach enforcement from the federal level, such as the FTC, alongside state governments.

Additionally, as more data is being stored in the cloud and shared across international borders, standard data breach notification requirements are also being evaluated and established on a global level. For example, the European Union’s (EU) new data breach requirements for telecommunication operators and internet service providers (ISPs) were implemented in August 2013. Now, these entities are required to notify national data protection authorities within 24 hours of detecting a theft, loss or unauthorized access to customer data, including emails, calling data and IP addresses. Building on that legislation, the EU is now also considering extending the 24-hour notification requirement to all commercial sectors as part of the larger update of the region’s data protection law.

A federal standard is likely on the horizon, but in the meantime, there are a few recommended steps risk managers should evaluate now as part of their preparedness plan:

  • Understand the current notification requirements and enlist legal counsel. Once the details of a data breach are identified, organizations will need to assess which laws apply to the incident. Identifying the right group of experts, including outside privacy counsel, ahead of time can help risk managers quickly navigate this process. However, be aware that within the United States, certain state laws have consumer notification requirements as short as 30 or 45 days. This means there is no time to waste verifying consumer addresses; writing, printing and mailing notification letters; or setting up a call center and other services for affected individuals. To complicate things further, multiple state laws may apply to a single data breach due to the jurisdiction of the affected individuals, not where the business is located. For more information on notification requirements, Experian has developed a guide with tips on data breach response available for download at http://www.experian.com/data-breach/response-guide.
  • Offer identity theft protection. Though laws and industry regulations vary regarding if and when an organization needs to notify victims following a data breach, affected consumers have also expressed their expectation that organizations will offer credit monitoring and identity theft protection services in the aftermath of an incident. In fact, 63% of respondents to a recent survey indicated that breached companies should be obligated to provide free identity theft protection to affected customers. Organizations that provide fraud monitoring and identity protection are better positioned to improve compliance and maintain consumers’ trust. Policymakers have also made clear, as they evaluate data breach legislation, that they expect companies to take steps to further protect consumers from identity theft following a breach.

As legislation for data breaches continues to be shaped, risk managers preparing their response plans should ensure they partner with legal counsel to understand the various notification requirements across national and international borders. It is also important to remember that data breaches cannot be managed solely as a compliance issue, and to take into account consumer needs and expectations. As part of having a well-practiced pre-breach preparedness plan, risk professionals should focus on clear notification and guidance, along with offering identity theft or fraud protection to protect consumers and ultimately maintain their trust following a breach. With these measures in place, regulators will likely recognize that a company is demonstrating established and responsible procedures for managing and responding to a breach.

More information on data breach legislation and resources can be found at the Experian Data Breach Resolution website and the Experian Data Breach Resolution blog.

Cybercrime Costs Global Economy Up to $575 Billion

Cybercrime costs the global economy about $445 billion every year, though the damage may be up to $575 billion, according to a new report from the Center for Strategic and International Studies and software company McAfee. Further, the damage to businesses exceeds the $160 billion loss to individuals.

“Cyber crime is a tax on innovation and slows the pace of global innovation by reducing the rate of return to innovators and investors,” said Jim Lewis of CSIS. “For developed countries, cyber crime has serious implications for employment.”

Indeed, the biggest economies have suffered the most – the losses in the United States, China, Japan and Germany totaled at least $200 billion.

Businesses are sitting up and taking notice. A recent survey from Munich Re found that 77% of mid-size to large companies have or will have cyberinsurance in the next year. Yet, of the 23% that do not plan to buy insurance, nine out of 10 said this was because current coverage available does not meet their needs or would not be relevant for their business.

What are companies doing to manage cyber risk? Munich Re found:

[Figure: Munich Re graph of how companies manage cyber risk]

Reputational damage has emerged as one of the biggest sources of loss from a cyberbreach. Respondents said the biggest risk an incident would pose to their business’s reputation is:

[Figure: Munich Re graph of the reputational risk of a cyberbreach]