Tag Archives: data breach

Why Hasn’t Cyber Security Advanced?

Despite major advances in technology, the global approach to cybersecurity has remained the same for decades: respond and recover. The same weaknesses are exploited again and again in similar ways, and the trend shows no sign of slowing, because current security tools do not address the roots of attacks. Even new artificial intelligence and machine learning techniques have mostly been aimed at making response more efficient, as though nothing can be done except prepare for the worst and recover as quickly as possible. To reduce the frequency of dangerous and costly cyberattacks, companies should shift their effort toward disrupting adversaries.

In May 2000, an unwitting user in the Philippines opened, in Microsoft Outlook, an email with the subject line “ILOVEYOU” and an attachment named “LOVE-LETTER-FOR-YOU.TXT.vbs” (Windows hid the final “.vbs”, so it appeared to be a harmless text file). The attachment was a Visual Basic script worm that ran on the user’s computer, overwrote files of several common types and mailed a copy of itself to every address in the user’s Windows Address Book. Within 10 days the ILOVEYOU worm had spread around the world, infecting an estimated 50 million computers. Far from spreading love, it caused more damage than any previous cybersecurity incident: an estimated $5.5 billion to $8.7 billion worldwide.


Seventeen years later, Microsoft disclosed and patched a vulnerability in SMBv1, a legacy file-sharing protocol present across Windows versions from the ubiquitous Windows XP onward. Countless systems had still not applied the patch when the WannaCry ransomware worm began spreading two months later. WannaCry eventually affected more than 200,000 computers across 150 countries, and damage estimates range from hundreds of millions to billions of dollars.

Despite enormous changes in technology and the internet between 2000 and 2017, the two attacks were strikingly similar. Both spread automatically through weaknesses in Microsoft software (a script attachment that Outlook would run, and an unpatched network protocol), and both succeeded because defenses were reactive rather than proactive.

Not only do the same kinds of attacks continue to work, responses to cyberattacks have not changed much, either. Despite all our advances in technology, cybersecurity is generally still focused on response and recovery: Identify the infected computers, take them offline, rebuild or replace them, file a data breach disclosure… rinse and repeat.

Is it impossible to defend against these vulnerabilities? Are hackers just too smart? Not necessarily. Response and recovery treats cyberattacks like natural disasters – inevitable, unstoppable and caused by forces outside our control. Meanwhile, adversaries continue to enjoy the fruits of their illicit labors. Popular methods of attack remain consistently successful because cybersecurity has failed to evolve to a posture of true prevention.

A needed evolution

The continued success of these attack methods (and others) hinges on exploiting a limited number of key weaknesses that are well known to defenders and attackers alike. So why are they still effective? Standard cybersecurity methods are designed to respond to incidents but rarely, if ever, actively disrupt the adversary’s attempted attack. Intrusions are generally handled by alerting after a breach has already occurred. The alert triggers a security team to clean up the affected systems and then set up or modify a firewall rule to block a repeat. Afterward, companies are usually required by law to notify affected individuals and regulators.

The most common approach to blocking attacks involves analyzing past and current threats, then distilling the results into indicators of compromise (IoC), such as IP addresses, domain names or hashes of known bad files. These IoCs are fed into available cybersecurity tools, which are wielded like a giant hammer, blocking or denying any traffic associated with them.

This method prevents only attacks that exactly match prior attacks. It perpetuates the problem, because attackers know how these protections work and adjust. The next attack differs just enough from the last one (a fresh domain, a recompiled payload with a new hash) to slip past the blocklist and sidestep the new protections. The cycle repeats time and time again. The cybersecurity industry is almost entirely locked into this detect-respond-recover loop, with little effort going toward preventing attacks in the first place.

Embrace a new approach to stem the flow of cyberattacks

Rather than treat the cyber threat like a natural disaster, the cybersecurity industry needs to embrace a fundamentally new approach. Instead of relying solely on insufficient incident response and recovery methods that have been used for many years, a more sophisticated approach is needed to prevent current cyberattacks and to predict and prevent future ones on a meaningful scale.

At Trinity Cyber, for instance, we provide this preventive assurance by invisibly monitoring threats outside a network’s perimeter and adapting to the adversary’s techniques to intercept and neutralize cyberattacks before they get in.

Operational challenges in the cyber realm have been exacerbated by an ever-growing landscape of disparate endpoints, heightened sophistication of cyber-attackers and an increasing number of cybersecurity tools. While these challenges led to the development and implementation of SOAR platforms, which add efficiencies, most tools remain inherently reactive.


Cyberattacks or attempts at compromising a system are human-made events within a human-made environment. By focusing on disrupting the adversary’s methods, analysts can determine tactics, techniques and procedures (TTP) and then use those to develop solutions that provide truly preventive cybersecurity.
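The difference between an indicator and a technique is easiest to see in code. The following Python example is added here to illustrate the point made about IoCs and TTPs above; it is not code from the article or from Trinity Cyber. The mail-gateway events, the “known bad” attachment and its hash, the extension lists and the thresholds are all constructed for the demonstration. The hash rule is the IoC approach: it catches the exact attachment it was derived from and nothing else. The two TTP rules encode how the ILOVEYOU worm actually behaved (a script hiding behind a decoy “.TXT” extension, and one sender blasting the same attachment to its whole address book) and still fire after the adversary changes a single byte.

```python
"""Added example, not from the article: an indicator-of-compromise (hash)
rule beside two TTP-style rules, run over constructed mail-gateway events.
The sample data, the "known bad" hash and the thresholds are all invented
for the demonstration."""
import hashlib
from collections import defaultdict
from typing import Dict, List, Set

# Extensions Windows will execute; ILOVEYOU's attachment was really
# "LOVE-LETTER-FOR-YOU.TXT.vbs" and Explorer hid the trailing ".vbs".
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "hta", "exe", "scr"}
DECOY_EXTENSIONS = {"txt", "pdf", "doc", "docx", "xls", "jpg"}

# Constructed stand-in for a captured malicious attachment.
ORIGINAL_BODY = (b'On Error Resume Next\n'
                 b'Set fso = CreateObject("Scripting.FileSystemObject")\n')
# The IoC an analyst would distribute after the first wave.
KNOWN_BAD_HASHES: Set[str] = {hashlib.sha256(ORIGINAL_BODY).hexdigest()}
# The adversary's adjustment: one added comment line, behaviour unchanged.
VARIANT_BODY = ORIGINAL_BODY + b"' build 2\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ioc_match(attachment: bytes, bad_hashes: Set[str]) -> bool:
    """IoC rule: exact hash membership, nothing more."""
    return sha256(attachment) in bad_hashes


def has_disguised_script_name(filename: str) -> bool:
    """TTP rule 1: a decoy document extension followed by an executable one,
    e.g. "invoice.pdf.exe" or "LOVE-LETTER-FOR-YOU.TXT.vbs"."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, real = parts
    return decoy in DECOY_EXTENSIONS and real in SCRIPT_EXTENSIONS


def mass_mailing_senders(events: List[Dict], threshold: int) -> Set[str]:
    """TTP rule 2: one sender pushing the same attachment to many distinct
    recipients (the address-book worm pattern), whatever its hash is."""
    recipients = defaultdict(set)
    for ev in events:
        recipients[(ev["sender"], sha256(ev["body"]))].add(ev["recipient"])
    return {sender for (sender, _), rcpts in recipients.items()
            if len(rcpts) >= threshold}


def evaluate(events: List[Dict], bad_hashes: Set[str] = KNOWN_BAD_HASHES,
             threshold: int = 20) -> Dict:
    """Run all three rules and report which message ids / senders fire."""
    return {
        "ioc_hits": sorted({e["id"] for e in events
                            if ioc_match(e["body"], bad_hashes)}),
        "disguised_name_hits": sorted({e["id"] for e in events
                                       if has_disguised_script_name(e["filename"])}),
        "mass_mailers": mass_mailing_senders(events, threshold),
    }


def build_sample_events() -> List[Dict]:
    """Constructed gateway log: one benign message, then the *variant*
    attachment sent from a single mailbox to 25 contacts."""
    events = [{"id": "m000", "sender": "alice@example.test",
               "recipient": "bob@example.test", "filename": "Q3-report.pdf",
               "body": b"%PDF-1.4 (constructed, benign)"}]
    for i in range(1, 26):
        events.append({"id": f"m{i:03d}", "sender": "victim@example.test",
                       "recipient": f"contact{i}@example.test",
                       "filename": "LOVE-LETTER-FOR-YOU.TXT.vbs",
                       "body": VARIANT_BODY})
    return events


if __name__ == "__main__":
    # The IoC never fires on the variant; both TTP rules do.
    print(evaluate(build_sample_events()))
```

Running the module prints the summary: `ioc_hits` is empty for the variant, while every one of the 25 messages trips the disguised-name rule and the sending mailbox trips the mass-mailing rule. The extension lists and the recipient threshold are illustrative assumptions to be tuned against real traffic, but the structure is the point: a rule written against the adversary's behaviour survives the one-byte change that defeats a hash.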

Why Cyber Strategies Need Personalization

Personalization has taken a variety of industries by storm. Retailers base marketing campaigns on individual customer preferences; financial institutions are revamping their user experiences to cater to specific demographics; and healthcare organizations are offering services based on patient needs and family history. Without the ever-helpful “you may also like” features and individually customized dashboards, companies like Amazon and Netflix would be nearly unrecognizable, and certainly less appealing.

There’s one critical aspect of business — something that affects every industry — that’s woefully behind on personalization, however: cyber protection. With media outlets constantly reporting on the latest large-scale data breach, like this summer’s Quest Diagnostics attack or the First American Financial leak, it’s easy to get swept up in the fear-mongering and reactively adopt as many cybersecurity tools and services as possible, regardless of relevance. For small and medium-sized businesses (SMBs) in particular, it’s especially tempting to blindly emulate larger organizations’ defense strategies, as most SMBs are understandably short on knowledge and resources when it comes to cybersecurity and cyber insurance.

Devising Cyber Protection Strategies Isn’t One-Size-Fits-All

One could argue that any efforts toward cyber protection should be applauded. Data breaches have become an inevitable part of doing business today, so wouldn’t even a misguided attempt at making an organization more secure be beneficial? Unfortunately, no.

Devising cyber protection strategies isn’t a generic, one-size-fits-all process. Rather, it’s akin to prescribing medicine. Just as physicians base their treatment plan on an individual’s specific symptoms, companies need to institute an approach to cybersecurity that incorporates their organization’s unique characteristics and needs.


Consider the cyber protection needs of, say, a bakery. While a bakery may need to consider implementing defense mechanisms for its business email account(s), CRM solution and digital document storage, its cybersecurity requirements are fairly straightforward. A basic cyber insurance policy could prepare a bakery for any worst-case scenarios in which customer payment records are exposed, for instance, or sales temporarily dip due to a damaged brand reputation post-breach.

Now look at an urgent care clinic, for which cyber protection can literally be a matter of life and death. Any network-connected medical device, such as a patient monitor or an infusion pump, needs to be thoroughly secured to prevent serious harm to patients. Email, phone and text communications between physicians, nurses, specialists and patients should be encrypted. With healthcare organizations required to retain patients’ medical records for anywhere between two and 30 years (depending on the state), secure digital storage and backup services must also be considered. In addition to all the tactical cybersecurity considerations an urgent care clinic must take into account, it also has regulations and audits it must comply with, such as HIPAA and HITECH. Steep fines and severe reputational damage await any healthcare organization that fails to comply.

Evolving and Future Business Needs Must Also be Considered

Not only do organizations need to personalize their cyber protection strategies by prioritizing their businesses’ unique needs, they also need to consider how those needs may change. A new law office may not have much client data to secure in its first six months of business, for example, but, once it’s amassed a few years of cases, the firm’s data security and storage requirements will drastically change. The type of data that a growing law office collects could change, as well. After a decade in business, if the firm decides to branch out to handle personal injury cases, for instance, it will have to adjust its data security strategy to accommodate patient health information.


Prioritize Personalization to Secure Critical Assets

Rather than getting distracted by what Target or Facebook is doing to protect their digital assets, take the time to assess your business. Conduct a comprehensive evaluation of your current cyber protection efforts to determine what’s working and what’s not. Look for any major vulnerabilities such as insecure websites or lax Bring Your Own Device or Shadow IT practices, and map out how your cybersecurity requirements stand to change over the next one to five years.

Any organization — no matter its size, industry or available resources — can establish a custom cybersecurity and cyber insurance plan and leverage it to more effectively plan for and prevent devastating cyber attacks.

When Are CPAs Liable for Cybersecurity?

Cybersecurity attacks are inevitable. That’s the unfortunate reality. In fact, in a special report, Cybersecurity Ventures projects cybercrime’s global cost will exceed $1 trillion between 2017 and 2021.

Safeguarding clients’ nonpublic information from cyber-criminals is a top priority for CPA firms. The latest data breach statistics from the 2017 Identity Theft Resource Center Data Breach Report show an alarming number of exposed consumer records in the U.S.

  • 1,579 reported breaches, exposing 179 million records
  • 55% of all breaches involved businesses
  • 59% of all breaches resulted from hacking by outside sources
  • 53% of all breaches exposed Social Security numbers

Now more than ever, organizations and accounting firms of all sizes need to be vigilant about protecting data and responding to threats.

What’s my liability?

“That’s a big question we hear from firms regardless of whether they’ve been attacked,” said Stan Sterna, vice president and risk control specialist for Aon. “There are actually no uniform federal laws on business cybersecurity. But there is a patchwork of state and federal rules.”

Under certain state laws, CPAs can face liability for cybersecurity breaches that expose personal information. Most states have rules for handling breach notifications and for what remediation measures need to be taken. Breach requirements depend on where the client resides – not where your firm is located. We encourage you to learn the dynamic requirements of states that apply to you.

The Texas data breach notification law has been amended several times since its passage in 2009. It requires notification of affected individuals in the event a data breach results in the disclosure of unencrypted personal information consisting of an individual’s first name or first initial, last name and certain personal information such as Social Security and driver’s license numbers.

Federal rules and law

The Safeguards Rule is enforced by the Federal Trade Commission and applies to all companies defined as financial institutions under the Gramm-Leach-Bliley (GLB) Act; businesses that prepare tax returns fall within this definition. Under the rule, a business must develop a written information security plan describing its program to protect customer information. The rule also requires the business to designate one or more employees to coordinate the program, identify and assess the risks to customer information, design and implement safeguards to control those risks and test their effectiveness, oversee its service providers, and evaluate and adjust the program as circumstances change. Learn about the rule and implement the compliance protocols that apply to you.

Do clients have standing to sue a CPA firm if they did not suffer damages as a result of a data breach?

At the federal level, the circuit courts are split on what gives a plaintiff standing to sue after a data breach. Some courts hold that plaintiffs may proceed even when the theft has caused no concrete harm yet; it is enough to allege that their information was compromised. This broad interpretation will only increase the risk of cyber liability claims.

Two recent decisions illustrate these differences:

  • The Sixth Circuit court, citing the defendant’s offer for free credit monitoring as evidence, joined the Seventh and Ninth circuits in holding that a cyber victim’s fear of future harm is real and provides sufficient standing to sue. This particular ruling specifically undermines the defense that if no actual cyber fraud or identity theft occurred, the victim has not been damaged and has no standing to sue.
  • However, in another case, the Fourth Circuit held that a plaintiff must allege and show that their personal information was intentionally targeted for theft in a data breach and that there is evidence of the misuse or accessing of that information by data thieves. The division among the circuit courts as to standing is not likely to be resolved unless the U.S. Supreme Court decides a case on the issue.

New cybersecurity regulation sets the stage for other states to follow

In response to several highly publicized consumer data breaches, in 2017 the New York State Department of Financial Services enacted 23 NYCRR 500, “Cybersecurity Requirements for Financial Services Companies,” with which all covered entities must now comply. These “first-in-the-nation” data security regulations set out the steps covered entities must take to secure customer data. They are designed to address cyber events that have a reasonable likelihood of materially harming a covered entity’s normal business operations.


Specifically, insurers, banks, money services businesses and regulated virtual currency businesses doing business in New York with 10 or more employees and $5 million or more in revenues must comply with the new rules. Under the provisions, companies must:

  • Conduct a cybersecurity risk assessment, prepare a cybersecurity program subject to annual audit and establish a written policy tailored to the company’s individual risks that is approved by senior management;
  • Appoint a chief information security officer (CISO) responsible for the cybersecurity program who regularly reports on the integrity, security, policies, procedures, risks and effectiveness of the program and on cybersecurity events;
  • Establish multi-factor authentication for remote access of internal servers;
  • Encrypt nonpublic information, in transit and at rest (or apply compensating controls approved by the CISO where encryption is infeasible), and regularly dispose of any nonpublic information that is no longer necessary for conducting business (unless required to be retained by law);
  • Prepare a written incident response plan that effectively responds to events and, within 72 hours of determining that a cybersecurity event has occurred, notifies the superintendent of the New York Department of Financial Services of any event where notice is required to be provided to any government body, self-regulatory agency or other supervisory body, or where there is a “reasonable likelihood” of material harm to the normal operations of the business;
  • Implement a written policy addressing security concerns associated with third parties who provide services to the covered entity that contain guidelines for due diligence or contractual protections relating to the provider’s policies for access, encryption, notification of cybersecurity events affecting the covered entity’s nonpublic information and representations addressing the provider’s cybersecurity policies relating to the security of the covered entity’s information systems or nonpublic information;
  • Annually file a statement with the New York Department of Financial Services certifying compliance with the regulations.

Meanwhile, the California Consumer Privacy Act of 2018 (CCPA) goes into effect on Jan. 1, 2020. The CCPA represents a significant expansion of consumer privacy regulation. Its GDPR-like statutory framework gives California consumers the:

  • Right to know what categories of their personal information have been collected
  • Right to know whether their personal information has been sold or disclosed, and to whom
  • Right to require a business to stop selling their personal information upon request
  • Right to access their personal information
  • Right to prevent a business from denying equal service and price if a consumer exercises rights per the statute
  • Right to a private cause of action under the statute, limited to data breaches that result from a business’s failure to maintain reasonable security

What is the impact of these new regulations on CPA firms?

Whether or not a CPA provides professional services for an entity covered by the New York Department of Financial Services or the CCPA, these new rules are important:

  • Regulation in one state frequently results in regulation in other states; both the New York and California cybersecurity regulations may serve as a template for other states contemplating cyber security legislation.
  • The regulations create a framework for plaintiffs’ attorneys to follow when alleging that a company (regardless of whether it is a New York or California covered entity) should have done more to protect private information, keep consumers informed or prevent a data breach or that a CPA firm should have detected data security issues while providing professional services.

Take preventative action now

“If someone sues your firm because of a data breach, you may have a stronger case if you can show that you’ve taken reasonable measures to help prevent an attack or theft,” Sterna advised. “Setting up systems to assist in prevention is an important aspect of managing cybersecurity risk.”

Here are three tips to get you started:

Start with an assessment. What are your cybercrime defenses? Do you have gaps in your data security procedures? Do you have controls in place? How do you document incidents when they happen? What is your response plan when incidents occur?

“Mapping where you stand today and your vulnerabilities is the best way to understand your next steps,” Sterna said. The AICPA’s cybersecurity risk management reporting framework helps you assess existing risk management programs. The Private Companies Practice Section cybersecurity toolkit can also help you understand the most common cybersecurity threats.

Implement best practices. At a minimum:

  • Use encryption wherever appropriate to protect sensitive data. This includes laptops, desktops and mobile devices. Failing to do so threatens your data and your reputation.
  • Train employees to recognize threats and safeguard equipment and data.
  • Develop and practice your response plan for various situations such as a ransomware attack, hack or ID theft.
  • Back up your data so you’ll still have access to it if it’s lost or stolen.
  • Keep your equipment physically secure in your office and on the road.

Get an outsider’s perspective. What better way to learn your firm’s vulnerabilities than to hire an expert for penetration testing? Through a penetration test, a third-party consultant will perform a test tailored to your firm’s needs and budget. They’ll provide insights on your firm’s vulnerabilities and educate you about solutions for protecting your practice. A consultant can also help you implement regular drills that test your firm’s response in the case of various attack scenarios.


Legal and insurance considerations

CPA firms should consult with their legal counsel to assess the firm’s risk of first/third party data security claims and assess vendor data security coverage. The existence and adequacy of data security used by third-party vendors (including contract tax return preparers) is often overlooked.

CPA firms also should consult with their insurance agent or broker to review their current cyber policy to ascertain the adequacy of coverage.

This article is provided for general informational purposes only and is not intended to provide individualized business, insurance or legal advice.  You should discuss your individual circumstances thoroughly with your legal and other advisers before taking any action with regard to the subject matter of this article. Only the relevant insurance policy provides actual terms, coverages, amounts, conditions and exclusions for an insured.

How to Create Resilient Cybersecurity Model

As data breaches increase in type, severity and number, more companies plan to purchase cyber insurance. While cyber insurance premiums in 2016 in the U.S. were $5 billion, projections indicate they will increase to $20 billion by 2020. Complex cyber crimes mean insurers find themselves facing contentiously complex relationships with their insureds. To create a resilient business model, both of these parties need to communicate effectively and understand the overt and hidden risks they face.

The Underwriting Communication Gap

Information forms the basis of strong underwriting. With traditional general liability policies, insurers can easily gather information on a company’s financial solvency by reviewing publicly available documents such as annual financial reports or credit ratings. With cybersecurity policies, attack vectors extend in a variety of directions, making information less tangible for underwriters.

With a compounded annual growth rate of 41%, cyber insurers need insight into the full range of their insureds’ risks. The present model relies on questionnaires from applicants; however, when insureds misrepresent or misunderstand their risks, insurance companies suffer billions in losses. Often, the cost of a breach exceeds the limits of a policy’s liability, meaning that even those companies with insurance find themselves underinsured. Because courts generally agree that general liability policies do not cover cyber loss, business continuity plans require appropriate insurance aggregates to fully cover losses.

Even the most sophisticated companies find themselves unaware of their biggest cyber risks. When insureds lack data, underwriters cannot effectively write policies. Thus, the communication gap poses a risk for both the insureds that remain underinsured and the insurance companies that may be overextending their books of business. Security ratings act as a tool that allow better communication between insurers and their insureds when establishing a cyber security policy relationship, similar to credit ratings in the general liability arena.


The Claims Communication Gap

Insureds use insurance to protect their internal and external stakeholders. However, the communication gap creates a claims problem for insureds. Coverage litigation costs and a sense of betrayal ruin relationships between companies that share the economic ecosystem.

The Equifax breach offers a contemporary example. Recent estimates place Equifax’s breach costs at $275 million, but the company carried only $75 million in cyber insurance. A single employee’s failure to apply the available fix for a known vulnerability (CVE-2017-5638) in the Apache Struts web framework, on an internet-facing application, gave the attackers their opening. Equifax’s failure to understand its own patching cadence left it underinsured and, ultimately, led to its severe losses.

Information Enables Resilience

The information security community focuses on resilience. When a distributed denial of service attack causes a company to shut down services for days or weeks, the company lacks cybersecurity resilience.

An insurance company’s resilience requires setting aside financial reserves to cover claims costs. Because cyber policies often cover business interruption costs, businesses that lack cyber resiliency too often claim losses and file insurance claims. Security ratings provide insight into an insured’s resilience. Because data breaches are inevitable, even companies with strong security ratings may be hacked, but their continued attention to their environments means they will have strong disaster recovery protocols limiting business interruption. To remain financially stable and resilient, insurance companies need to adequately estimate potential losses so that premiums adequately align with their risk acceptance.

Insurance companies and their customers need shared visibility into the protected cyber ecosystem. Otherwise, insurers continue to dissuade financial safety by overestimating premiums while companies risk their solvency by underinsuring their business. This business model promotes neither economic stability nor resiliency.

Continuous Monitoring Builds Continuous Relationships

Remedying the information and communication gap between insurers and insureds provides the only solution to the current resilience problem. Companies often prove, through audit reports, that they engage in information security, yet those documents show proof of only a single moment in time. Insurers need tools providing visibility into their insureds’ ecosystems on a continual basis, such as security ratings.

Organizations face data security threats from both their own IT environments and those of their vendors. One breached vendor creates a domino effect of cyber insurance claims as the damage travels through the supply chain. Insurers and insureds need to be able to communicate both visible and hidden cyber risks. Security ratings continuously monitor externally observable evidence of an insured’s security posture (such as exposed services, patching of internet-facing systems and malware activity seen from the internet) and give insureds a shared language for communicating with insurers. Insurers, conversely, can use that same language to explain to insureds how security weaknesses affect premiums and coverage.


In the cyber insurance space, increased claim complexity degrades the symbiotic relationship. As insureds shop around for better premiums, insurers lose valuable business. To promote continued business relationships, the two parties can both benefit from automated tools that enable continuous communication about continuous monitoring. Tools to facilitate visibility help establish metrics for the appropriate pricing of risk to cover potential losses and set reasonable premiums.

Insureds must communicate with their insurance companies; however, companies focusing on the daily tasks of conducting business lose track of communication and time. Therefore, insurance companies need to protect themselves by monitoring their insureds. Security ratings are poised to help promote resiliency between, as well as within, industries by offering publicly facing data. With the right continuous monitoring metrics, SaaS platforms can enable continuous relationships that reinvigorate the insurer-insured symbiotic relationship.

Can Potential GDPR Fines Be Insured?

The General Data Protection Regulation (EU) 2016/679 (GDPR) revolutionizes the data protection regime and significantly affects how organizations worldwide collect, use, manage, protect and share personal data that comes into their possession. As personal data increasingly represents an important new class of economic asset for organizations, the regulatory environment across European member states is undoubtedly shifting, and regulators have greater powers of enforcement.

Aon and DLA Piper’s guide “The price of data security,” reviews the insurability of GDPR fines across Europe, which can reach up to €20 million or, if higher, up to 4% of a group’s annual global revenue.

The scale of these fines has understandably generated concern in boardrooms. GDPR replaces a regime under which fines for a data breach were limited and enforcement actions infrequent. Moreover, the consequences of GDPR noncompliance are not limited to monetary fines. A data breach can also bring legal fees and litigation, regulatory investigation, remediation, public relations and other costs, including compensation and notification of affected data subjects. Furthermore, the potential damage to an organization’s reputation and market position can be significant.

The guide also looks at insurability of costs associated with GDPR non-compliance, including litigation, investigation and compensation, as well as the insurability of non-GDPR regulatory fines. It highlights that there are currently only a few jurisdictions in Europe where civil fines can be covered by insurance, and, even then, there must be no deliberate wrongdoing or gross negligence on the part of the insured. Criminal penalties are almost never insurable. GDPR administrative fines are civil in nature, but the GDPR also allows European member states to impose their own penalties for personal data violations.


Key findings include:

  • GDPR fines were found to be insurable in only two of the countries reviewed – Finland and Norway;
  • In 20 out of 30 reviewed jurisdictions, GDPR fines would generally not be regarded as insurable, including the U.K., France, Italy and Spain;
  • In eight of the jurisdictions, it is unclear whether GDPR fines would be insurable. In these jurisdictions, specific details around individual cases, for example the conduct of the insured and whether the fine is classed as criminal, will need to be considered.

The role of insurance

The magnitude of GDPR fines means organizations are keen to know whether these fines can be insured. Typical cyber insurance policies only insure fines when “insurable by law” and stipulate that the insurability of fines or penalties shall be determined by the “laws of any applicable jurisdiction that most favors coverage for such monetary fines or penalties.” Organizations also need to consider other costs and liabilities that could result from GDPR non-compliance. Given the size of the potential financial impact of GDPR non-compliance, it is important for organizations to understand how the insurability of fines, legal and other costs and liabilities following a data breach is approached in different jurisdictions.

While the insurability of fines may be limited, insurance forms a key component of an organization’s GDPR risk management strategy for managing the costs of noncompliance and the resulting business disruption losses. In addition to insurance, there is significant business advantage in taking privacy and data protection seriously. Properly securing the data you hold is critical, and a robust data retention strategy (keeping personal data no longer than you need it) is equally essential.

The scope of GDPR is broader than most insurance policies, which are often triggered by privacy or security incidents, whereas GDPR violations can also be triggered by non-compliance separate from a privacy or security incident. To the degree an existing insurance policy is intended to cover wrongful collection or usage of private data and cyber-related regulatory fines, penalties and assessments, the same intent should apply with respect to GDPR. Similarly, to the extent an existing insurance policy excludes wrongful collection or use of private data and excludes cyber-related regulatory fines, penalties and assessments, the same should apply with respect to GDPR.

Reviewing GDPR preparedness on an enterprise basis can increase an organization’s overall cyber resilience and help reduce its total cost of risk, including the cost of insurance.


Next steps

There is no doubt that GDPR is a continuous challenge for organizations, but there are steps that you can take to help manage the potential impact through risk governance, insurance review and incident response.

Risk governance

  • Carry out a security audit to check personal data is secure against unauthorized access or processing
  • Put in place a plan for ensuring continuous monitoring and follow up of data compliance efforts
  • Ensure that contracts with all third-party processors contain at least the minimum terms stipulated by GDPR
  • Adopt a privacy-by-design methodology when initiating projects or developing tools

Insurance review

  • Ensure adequate cyber insurance coverage is in place
  • Review your existing insurance coverage for GDPR noncompliance, especially fines, penalties and lawsuits, with assistance from qualified coverage counsel

Incident response

  • Ensure you have an incident response plan in place, including data breach notification procedures (GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, where feasible, and affected individuals without undue delay when the breach is likely to result in a high risk to them)
  • Review your existing enterprise-wide incident response plan to ensure that it incorporates escalation plans and nominated advisers covering all required stakeholders. This includes business operations, legal, PR and key third parties such as IT service providers.
