
October 6, 2014 How To

How to protect your business against cybercrime

The staggering increase in data breach and cybercrime events for large and small businesses is costing billions of dollars in preventive and recovery measures. These malicious events have focused business owners' energies on managing some new, complex and evolving risks. That said, it can be as simple as a slip by a well-intentioned employee to plunge a business into crisis.

In recent years, Maine businesses have experienced cyber events that include theft of funds, theft of computer equipment storing customer information and malware attacks that encrypt data so that it cannot be opened unless a ransom is paid.

According to attorney Tony Perkins of Portland law firm Bernstein Shur, every organization of any meaningful size faces a risk of a breach or misappropriation of its or its customers' or patients' sensitive financial or health information. That includes private businesses, nonprofits, governmental entities and educational institutions.

Identifying the cyber risks that your organization faces is a critical part of developing a cyber risk management program. These risks fall into five major categories:

 • Theft of tangible assets: Theft of money or other tangible assets, the most common example being fraudulent bank account transfers.

 • “First-party” expenses: The costs that an organization incurs to respond to a cyber event. These include costs associated with data restoration, forensic investigation, public relations, notifications, legal expenses and providing credit monitoring services.

 • Business interruption: The impact to a business' bottom line due to its inability to conduct business or its “reputational” risk.

 • Third-party liability: Lawsuits brought by affected parties as a result of a breach.

 • Regulatory fines and penalties: Industries may face regulatory proceedings in the event of a breach, with resulting legal costs, fines and penalties.

If your business faces any of these risks, you should have a cyber risk management program that addresses the planning and execution of these four components: Prevention, disclosure, crisis management and risk financing.

Prevention consists of the strategies employed to prevent a data breach. These can include technical safeguards, such as mobile device encryption, and employee education with respect to email-related scams.

Disclosure involves knowing your legal responsibilities in the event of a breach. According to Perkins, in the case of financial, health care and other sensitive personal information, there are strict federal and state laws and regulations requiring specific risk-mitigation actions.

Businesses should develop a crisis management and response program in order to pre-plan necessary steps in the event of a breach. According to public relations specialist Linda Varrell of Broadreach Public Relations, clearly identifying spokespeople, establishing communication tools and training on protocols are all pieces of an effective emergency communication plan. Varrell emphasizes that being the first to tell your story or to break the news is vital to controlling the message and the flow of information.

Then comes the question of how a business will finance the costs of a breach. As the majority of businesses do not have the internal resources to pay for a significant cyber event, cyber-risk insurance has become essential over the last few years and is now a core component of many businesses' insurance programs. A skilled insurance agent can help you identify risks and structure the right protection.

For now, the cyber insurance marketplace is “soft,” as premiums are relatively affordable for most businesses and very broad coverage is being offered by a number of competing insurers.

It is important to note, however, that there is a real concern among industry experts that with the high incidence of breaches, the ability of insurance to cover the costs at a reasonable price and retention over the long term is in doubt.

Jeff Lind, a vice president and senior account executive at Clark Insurance, can be reached at jlind@clarkinsurance.com
