Security of Medical Devices Needs Care

Medical devices, such as pacemakers, insulin pumps and defibrillators, could become lethal in the hands of a hacker tampering with them remotely. A new study that shows medical devices—and patients—are vulnerable to cyber attacks is a wake-up call for manufacturers, according to a Silicon Valley software company that sponsored the study.

Device manufacturers must change their culture and look at security as an equal to patient safety, says Chris Clark, principal security engineer of strategic initiatives for Mountain View, Calif.-based Synopsys.

The company’s study, which surveyed about 550 employees of device manufacturers and healthcare delivery organizations (HDOs), found that nearly 70% of manufacturers and nearly 60% of HDOs believe an attack on a device built or in use by them is likely to occur during the next 12 months.

The most surprising finding, Clark says, is that about 40% of manufacturers and 45% of HDOs—despite being aware of the risks—take no steps to prevent medical-device attacks.

There are, however, some positive takeaways, he says. The study, conducted by the IT research organization Ponemon Institute, showed that “a significant percentage” of HDOs are concerned about the risk of insecure medical devices, and many are taking measures to test them for vulnerabilities. That’s a good sign, Clark says, because most study respondents work for small organizations “with limited resources and expertise in this area.”

Security painfully lacking

About 60% of respondents work for organizations with fewer than 1,000 employees, 10% said they had no budget for device security and 40% said their annual budget was less than $500,000.

The study found that 59% of respondents employed by HDOs rated the importance of medical device security as very high relative to all other data and IT security measures deployed. Yet, only 37% of those who work for manufacturers consider such security of very high importance.

This tells us the manufacturers still operate under the pretense that security is an HDO issue, and that medical device security will remain a lower priority for the foreseeable future, Clark says. “This statistic alone should be of great concern and a critical lesson for HDOs who are truly interested in protecting their infrastructure.”

A cyber attack on a medical device can manifest in various ways. An attacker could take control of a device to administer inappropriate or harmful treatment to a patient, Clark says. The attacker could dispense the wrong dosage of medication via an infusion pump, manipulate the electrical output of a pacemaker, crash a device or render it inoperable, access the data stored on or transmitted by a device, or use it to pivot to other systems or devices within the same network.

Hospitals risk erosion of patient confidence

Each of these scenarios has a physical impact to a device or group of devices, but the real danger is a loss of confidence in the ability of HDOs to deliver quality care and protect patient information, Clark says. “A breach could be catastrophic for a hospital system.”

The Synopsys study found that 80% of respondents who work for medical device manufacturers or HDOs say medical devices are very difficult to secure. The top reasons cited for device vulnerability include accidental coding errors, lack of knowledge/training about secure coding practices and pressure on development teams to meet product deadlines.

Security an afterthought

Securing medical devices also is difficult, Clark says, because security is not a primary consideration early in the design process. “This, along with the need for flexible communications that are often unencrypted or have no security characteristics, create a wide range of challenges.”

Respondents in the Synopsys study were surveyed before the WannaCry ransomware attack in May. The worldwide cyber attack targeted computers running the Microsoft Windows operating system and, within a day, reportedly infected more than 230,000 computers and medical devices in more than 150 countries.

Healthcare organizations are “some of the most commonly targeted cyber attack victims, second to only the banking and financial industry,” Clark says. “If you couple that trend with the results of this survey showing how little is being done to protect medical devices, it’s not unreasonable to expect things to get worse before they get better.”

Most stakeholders, though, are “genuinely concerned” about the impact of insecure medical devices—“both in terms of patient safety and risk to their organizations,” Clark says. “What remains to be seen is whether the industry steps up to voluntarily address these challenges or the U.S. Food and Drug Administration takes a more aggressive stance.”

This article originally appeared on ThirdCertainty. It was written by Gary Stoller.

The Current State of Risk Management

The Ponemon Institute recently shared the results of its survey on risk management: The Imperative to Raise Enterprise Risk Intelligence: Inside the Promise & Pitfalls of Enterprise Risk Management. The results are disturbing, but unfortunately what I had anticipated.

The 641 respondents were involved in risk management within their organizations, so the results are skewed toward having some level of formalized risk management. In other words, the respondents are better than the general population. Most of the respondents are IT folk, and some of the questions reflect the authors’ IT orientation, as opposed to a general business one.

The report, like so many, has to define risk management in its own way. But, frankly, the definition isn’t bad. The report splits the issue into risk management and risk intelligence:

In the context of this research we define enterprise risk management as the application of rigorous and systematic analysis techniques to the evaluation of risks that impact the whole organization including information assets and IT infrastructure. Cyber risk management is considered a component of enterprise risk management.

We define enterprise risk intelligence as the insight necessary to drive actionable business decisions related to governance, risk and compliance. It is the organization’s ability to think holistically about risk and uncertainty, speak a common risk language and effectively use real-time information and forward-looking risk concepts and tools to maximize business performance.

Ponemon tells us that only 24% of respondents said they have a risk management strategy that is clearly defined and pertains to the entire enterprise. Ponemon doesn’t define what it means by a risk management strategy, so I can’t comment further.

But this is key:

“…only 43 percent of respondents say enterprise risk intelligence integrates well with the way our business leaders make decisions.”

I have to wonder whether the business leaders would agree with that assessment by the risk practitioners!

This adds fuel to that fire:

“A lack of collaboration among organizational functions is a barrier to an effective enterprise risk management program. 53% of respondents say their finance, operations, compliance, legal and IT functions do not collaborate on enterprise risk management activities. Only 8% of respondents say these functions fully collaborate in enterprise risk management activities.”

A lack of resources and an inadequate budget are identified as barriers.

But here is the key question. If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we be surprised that the risk management activity is under-funded?

This is demonstrable when “30% of respondents say no one person has overall responsibility to ensure the risk management program is well executed.”

The appendix contains some valuable pieces of information. Here are two:

  • Only 32% say their organization has a very significant commitment to enterprise risk management.
  • On a scale of 1 (low) to 10 (high), just 14% of the respondents rated the effectiveness of their risk management activity as a 9 or 10.

So what do we make of this?

Let’s start with some unpleasant facts!

  1. Our business leaders are not idiots. If they have not invested in risk management, there’s a reason! They are not convinced it will help them succeed. They see it as a compliance activity that costs time and money, checks the box for the board and regulators, but doesn’t help them be successful.
  2. If they saw risk management as helping them make better decisions, you can bet they would invest in it!
  3. They can be persuaded, not by words but by action.
  4. Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.
  5. Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
  6. The traditional approach to risk management, a list of top risks, is not going to work. It hasn’t worked for decades so why should it now?
  7. Satisfying the board but not top management is not a recipe for long-term success.
  8. The risk practitioner has to think out of the box. Understand what the company’s leaders need to be successful and make intelligent and informed decisions, then deliver it.

I welcome your comments.

SMBs Need to Bulk Up Cyber Security

Third-party risks—the notion that a contractor or a supplier could inadvertently expose the first-party organization to a network breach—may not be the sexiest cybersecurity issue out there. But at RSA 2017—the weeklong cybersecurity conference that drew 43,000 attendees to San Francisco’s Moscone Center last month—there was much talk that third-party risks are destined to ascend as a bellwether phenomenon.

I mean that in this sense: Actually addressing third-party risks is something companies of all sizes—from enterprise-class first-party organizations to SMB-size third-party suppliers—must come to grips with, probably sooner than later. What’s more, as the journey to mitigate third-party risk unfolds, trustworthiness of internet-centric commerce naturally will rise, perhaps dramatically.

New market emerges

One marker is that tech research firm Gartner has begun monitoring a dozen or so technology vendors marketing third-party risk solutions to large enterprises. Gartner refers to this fledgling cottage industry as the “IT vendor risk management” market. In a report last fall, Gartner predicted that the IT VRM market would expand 30% by 2019.

The main growth driver: regulatory requirements.

Case in point: New York state’s freshly minted Cybersecurity Requirements for Financial Services Companies, which took effect March 1, includes provisions that require financial services companies to ensure the security of the systems used by their third-party suppliers.

Meanwhile, Europe has begun to roll out a comprehensive set of data-handling rules that also call out the need to address third-party risk. These include the new framework for commercial data exchange between the U.S. and the European Union, referred to as the EU-U.S. Privacy Shield, as well as the new EU privacy rules known as General Data Protection Regulation or GDPR.

SMBs in hackers’ cross-hairs

To be clear, the burden does not solely rest with large enterprises to mitigate third-party risks. This issue profoundly affects small and medium-size organizations. SMBs no doubt will face increasing requirements to prove their cybersecurity fitness to win contracts from first-party business customers.

“Third-party issues are driven by the fact that outsourcing trends are continuing unabated,” says Jonathan Dambrot, CEO and co-founder of Prevalent, one of the leading IT VRM vendors tracked by Gartner. Third-party suppliers, he says, are believed to be the source of as much as 70% of the network breaches that occur today.

Professional cyber criminals are fully aware of the capabilities of the multimillion-dollar security systems that large companies have in place. So they wisely target “the small provider who’s providing some service and who doesn’t have their security controls,” Dambrot says.

Vendors lack knowledge

Meanwhile, all too many third-party suppliers continue to operate either ignorant of, or in denial of, the exposures they’re creating by failing to adhere to security best practices.

“A lot of smaller firms are still struggling with even understanding what they need to do, from a policies standpoint all the way down to the technical controls,” Dambrot says. “Do they have appropriate controls for encryption, identity management and multifactor authentication?”

It’s very early in the ballgame. A Ponemon Institute survey conducted last May found that the majority of the 600-plus respondents agreed that third-party risk was both serious and has been significantly growing in their organizations.

However, Ponemon found that only a third of those organizations had formal programs in place to manage third-party risks, and only about a quarter of them purchased cyber insurance to reduce the economic impact of third-party risks.

But the potential for elevating internet security, in the longer run, is palpable.

This post originally appeared on ThirdCertainty.

Quest for Reliable Cyber Security

As we still struggle to improve physical security in the brick and mortar world, we are also greatly challenged by security issues in the cyber world. The layers of cyber protections are melting away quickly (Figure 1) as evidenced by an exponential growth in cyber crime. We are all racing rapidly away from the shores of the brick and mortar world, chasing after irresistible and addictive internet-based technology.

The Cyber War Statistics and Projections

Figure 2 shows the Lloyd’s of London estimates of worldwide cyber damages in U.S. dollars for 2013 ($100 billion) and 2015 ($400 billion). The Juniper Research projection for 2019 is $2 trillion. Cybersecurity Ventures projects $6 trillion of damage for 2021. If these projections become reality, that represents a 60-fold increase in cyber damages over the eight-year period between 2013 and 2021.

An independent Ponemon Institute study sponsored by Hewlett Packard said that, in 2016, the average U.S. firm reported cybercrime damages of $17 million. The average cyber damages were much lower in other countries, but the growth in such crimes there is also exponential. The U.S. National Small Business Association study said that small businesses that had their bank accounts hacked lost an average of $32,000.

The Cyber War Defender Sentiment

Various IT expert surveys tell us that the majority of defenders feel that we are losing this cyber war. Here are some key disturbing sentiments:

  • An iSense Solutions survey of 250 IT professionals, conducted for Bitdefender among companies that suffered cyber breaches in the last year, found the disturbing news that 74% of those that were breached don’t know how the breach happened.
  • A survey by the Ponemon Institute revealed that it took between 98 and 197 days to detect that a security breach had happened.
  • An AT&T (Cybersecurity Insights) report surveyed 5,000 companies worldwide that were launching Internet of Things (IoT) devices. Only 10% of IoT developers felt that they could secure those devices against hackers. It is estimated that 10 billion devices were connected to the internet in early 2016 and that the number will grow to 30 billion devices by 2020.
  • Another Ponemon Institute survey in 2016 consisting of 643 IT experts revealed that only one-third of the IT experts surveyed consider the cloud safe from cyber attacks.
  • Cybersecurity Ventures estimates that $1 trillion will be spent on cyber security products and services between 2017 and 2021.
  • Cyber experts tell us that just meeting compliance is the beginning of cyber security and not the end.
  • The World Economic Forum (WEF) stated that a “significant” amount of cybercrime and espionage still goes undetected.
  • Hacker tools are cheap, fast and becoming easier to use, providing disturbing attacker advantages.

The Cyber War Executive Summary

Let’s summarize this gloomy situation. We are in an exponential growth period of cybercrime. Anywhere from 67% to 90% of experts surveyed can relate to these comments:

  • They distrust the cloud.
  • Most do not know how or when they were hacked, if they were hacked.
  • Most do not know how to fully protect the old and new flood of internet connected devices from future hacks.
  • Just meeting compliance is insufficient against hacks and cyber attacks.
  • When hacks are noticed, they are noticed three to six or more months after the fact.

This raises the question of how IT and security professionals will spend their security budget if they have been so unsuccessful in the past and present. This is clearly a high-risk environment and getting worse.

Can Cyber Strategies Rescue Us?

Classic and logical-sounding cyber strategies have been and are being rendered useless by hackers and cyber-sharks. Figure 3 depicts the sad state of worldwide cyber security. Why are most cyber strategies not working? Maybe because they focus too much on the technical and do not engage all of the enterprise resources and its culture as an additional layer of defense.

Figure 4 reminds us of the words of MIT Professor Bill Aulet, derived from the original quote by the famous management consultant Peter Drucker: “Culture eats strategy for breakfast, operational excellence for lunch and everything else for dinner.” If our cyber strategy does not harness and engage the enterprise culture as a partner in this cyber war, we should expect only limited successes.

Can Artificial Intelligence (AI) Rescue Us?

Some are touting AI and machine learning as the “last hope” for cyber security, but some experts are also quick to confess that not all AI strategies are effective and that the cyber protection industry is only at the beginning of this journey to apply AI to cyber security. This confidence in AI also assumes that the “bad guys” will not use AI to become better hackers.

Can High-Reliability Organizational (HRO) Techniques Rescue Us?

Decades ago, high-risk organizations like nuclear submarines, aircraft carriers and nuclear power plants developed a highly successful culture-based management system that was later designated as high-reliability organizations (HRO). HROs have achieved zero-incident safety records even though they are considered high-risk. Now that every organization is thrust into the high-risk cyber world, it’s time to consider the HRO playbook and assess our cultures against custom HRO cyber criteria. Airlines, railroads, power plants, hospitals and other organizations are starting to customize HRO principles to meet their stretch goals for employee, customer and patient safety.

Figure 5 shows one of the first basic enterprise system and cultural assessments required to lay the foundation for HRO cyber thinking across all layers of the organization. Such assessments will require anonymous inputs from all stakeholders and levels to ensure that all skeletons in the closet and the taboo talk rules that limit cyber successes are exposed.

The pursuit of becoming a high-reliability cyber organization is not for the faint of heart, and it is not a quick fix. It is a set of highly disciplined principles that affect the behaviors, attitudes, decision making and accountability for every level of the enterprise cascade as summarized in Figure 6. If any of the cyber security elements in the cascade has a weak link, cyber security will be at risk. The last line of defense against cyber attacks needs to be organizational and cultural and not just technical or centered on compliance.

As the world moves toward the shocking new reality of annual multitrillion-dollar cyber damages, organizations will need to combine technical and non-technical best practices for reliability to counter cyber threats. Unfortunately, it might take one or more big business failures or a major worldwide cyber calamity before more organizations start to see the value of a combined high-performance culture and technical strategy. Great successes of HRO organizations should teach us that a combined culture and technical strategy is the best way to defend ourselves in this expanding cyber world war.

The Key to Survival in Wild West of Cyber

Today, the question is not whether my organization will experience a cyber attack, but when, and how. In our digital and connected business world, companies seeking cost efficiency, speed and better customer experience are rapidly connecting more processes, infrastructure and information to the internet. At the same time, the complexity and frequency of cyber attacks continue to rise. You only need to look at the list of recent high-profile attacks to see that companies across industries, from Wall Street banks to healthcare to entertainment, and government entities are being assailed.

This brave new cyber world exposes organizations to a different category of risks and associated liability issues, including the need to cover themselves for loss or exposure of commercially valuable intellectual property or consumer data; misappropriation of trade secrets; privacy violations; losses via third parties; costs associated with breach notification, forensics, credit monitoring, outside incident response providers, technical remediation and PCI assessments; business interruption costs and system failure; and legal proceedings and defending against regulatory actions – to name a few. On top of this, while companies suffering under the weight of a breach understandably feel like victims, they are not always seen that way by the authorities, the marketplace or the media. While dealing with the fallout of an incident, companies often face the additional challenge of defending their actions, protecting their brands and getting claims settled and paid. In this context, long before an event occurs, proper cyber risk mitigation is a best practice for all organizations.

Just like in the Wild West, organizations dealing with cyber risk are operating in a fast, continuously shifting threat landscape, governed by its own set of evolving laws and rules. Even knowing the bandits are out there, organizations continue to be caught off guard by new criminal tactics and attack vectors. Hackers continue to hone their techniques, whether that means obtaining access through the Internet of Things, masterminding more sophisticated social engineering methods or attacking information sources and manipulating data. What is more, the delay between a cyber criminal penetrating a network and being discovered can be considerable: it might take a hacker only eight days to attack a network, but it typically takes six or more months to detect the incident. Financial firms take an average of 98 days to detect a data breach, and retailers can take as much as 197 days, according to the Ponemon Institute and IBM Cost of Data Breach Study. That’s a wealth of time for attackers to inflict significant damage, and it doesn’t look good to regulators, customers and other stakeholders.

Against this backdrop, cyber insurance is an essential component of a company’s risk management strategy. Even though companies tend to view the likelihood of a loss as higher for information assets than for property, plant and equipment (PP&E) assets, they are more adept at protecting physical assets: on average approximately 51% of PP&E assets are covered by insurance, compared with only 12% of information assets, according to the Ponemon Institute’s 2015 Global Cyber Impact Report. One reason for this is that insureds and cyber insurance providers alike struggle to accurately assess and quantify cyber risk; despite paying significant premiums, companies remain under-insured. According to the CEO of Lloyd’s of London, cyber-related losses for businesses worldwide were valued at $400 billion in 2015, yet ABI Research estimated that global gross written premiums for cyber insurance that year totaled only around $2 billion.

The lack of data on which to quantify cyber risk means insurers feel they are often writing policies on the back of incomplete information. Unlike in other risk areas such as flood insurance – where historical data means that companies can quantify risk almost to the dollar – developing a strategy to assess and insure against cyber risk is altogether different. And for the insured, selecting a policy is taxing: all policies are not available to all companies, all policies are not equal, and, on top of this, companies are required to demonstrate the existence of sound cyber risk management policies and programs to be eligible for a policy and to claim benefits. These challenges posed by the burgeoning cyber insurance market, and the fact that companies cannot expect to transfer all their cyber risk, mean that they must take a broader, more holistic approach to assessing and reducing exposure.

It is easy for organizations to lose perspective on how best to manage cyber risk, particularly as it affects multiple stakeholders in an organization, from the CISO to the risk manager, the board, IT, the C-suite and even HR. Everyone will have their own ideas about which programs should be mandated and which technology is the latest “holy grail” in cybersecurity. However, this siloed approach is not effective. Cyber attackers are simply too well motivated, too well resourced and too diverse. But it’s not time to throw in the towel. Knowing they will be attacked does not leave companies powerless; in fact, this certainty can empower a far better approach to cyber security. The key to managing risk – and avoiding chaos and significant loss in the wake of an attack – is achieving cyber resilience. Adopting a cyber-resilient mindset serves the interests of all stakeholders trying to defend an organization and provides assurance to insurers that companies are prepared in the event of an attack.

So, what does it mean to be cyber resilient? Resilience is the ability to withstand or recover quickly from difficult, often unanticipated conditions. In the world of cyber, resilience strategies enable companies to rapidly detect, respond to and recover from cyber attacks. The goal is to detect incidents before they become serious, respond to them vigorously and recover from them effectively. You will be attacked, but if you are resilient you are less likely to have to wear a scarlet letter when the incident occurs.

Achieving resilience

The most urgent question companies must answer is: What are the critical assets that we are trying to protect? Some organizations will find it easy to agree on a list of assets, such as customer data or Social Security numbers. Others, perhaps more complex organizations, might find it hard to come to agreement. Alignment on defining critical assets is essential and, above all, economically prudent. Cybersecurity talent is scarce and budget is finite, so prioritizing assets helps allocate money where it matters most. Knowing what needs protection, and where it is, enables organizations to focus controls on that area, directs threat detection activity and tells first responders where to look when an attack is suspected. This has the potential to shorten the gap between attack and detection, minimizing the risk of having a predator in the network for seven, eight or more months. Identifying critical assets is also a necessary first step in choosing and benefiting from cyber insurance products. It’s true you don’t need a $100 safe to protect a $1 bill, but you do need an adequate policy to protect everything that you safeguard. Of course, while focusing on protecting critical assets is essential, companies should continue to defend the full organization, maintaining a strong overall security posture.

Once critical assets are clearly defined, cyber threats and vulnerabilities can be assessed and prioritized from three distinct perspectives: the threat to mission-critical technology, to the balance sheet and to corporate reputation. With vulnerabilities determined, companies can sharpen defenses and deploy programs to uncover, test and remediate them. Tactics regularly used range from sophisticated penetration testing and social engineering techniques to employing ethical hackers or red teams. In the world of resilience, however, the work does not stop at identifying vulnerabilities and shoring up defenses. Resilient organizations are ready for the “during” and “after” phases of an attack, as well as the “before.” They enhance monitoring activities, develop response plans, and study and practice threat detection and response processes so that they can quickly bounce back and resume normal business operations.

News of an attack is never scheduled on the day’s calendar of events. It comes as a hit. Companies will typically learn of a breach in one of three ways: the company identifies the breach itself, finding that a malicious actor has been in the network for weeks or even months; the company receives a call from law enforcement, often with limited information, as part of a larger compromise that has occurred; or, the worst scenario, a third party breaks the news, for example a customer, business partner or the media. Cyber-resilient organizations can adapt to any of these scenarios, take control and respond with confidence. To be prepared, companies need response plans to manage this “during” phase of an attack. Importantly, these plans need to come alive – which means that they are continually enhanced, practiced and ingrained into the workplace culture.

This response preparation and practice equates to confidence, and the degree of practice will be clear in the wake of an attack. Some organizations call this conducting table-top exercises, or simulated cyber attack exercises. This preparation involves all key stakeholders, both internally and externally, and with a well-oiled plan, when a breach call comes, each player follows the blueprint. Public relations is not relegated to a “no comment” statement; financial teams are geared up to manage insurance; lawyers are deployed; and law enforcement is called – among other actions. Ideally, companies have already contracted with a cyber insurance carrier and cyber resilience firm, and have cultivated personal relationships with primary (and even secondary) representatives.

Companies should also take steps to have incident response and forensic investigators, as well as outside counsel, on retainer, even if they have internal expertise to handle these aspects of an investigation. During a breach, companies need to move quickly. Entering contract negotiations and procurement processes mid-crisis will not only waste precious time but also leave companies on the back foot in price negotiations with providers. When considering whom to retain, it is key to look at the firm’s experience: the number of cases the firm has been engaged on; the diversity of skill sets; the technical tools used; the references of the subject matter experts; and vertical experience. Be careful when selecting a firm that requires that its own technology be used in the investigation, as this can limit the scope of its capabilities and potentially lead to conflicting motivations. Also be aware that asserting privilege over the information shared with any firm is a slippery slope, especially through in-house counsel: the strongest way to assert privilege in an investigation is through outside counsel.

Recovering from a cyber attack

Now that the attack is contained, it's time to recover. Enter stage right, cyber insurance. The cost of a breach can be significant, not only in intangible ways but in concrete costs, particularly if a company faces risk and liability through a regulatory or legal investigation. For example, the Federal Trade Commission (FTC) can bring lawsuits against organizations it suspects of failing to properly safeguard customer information. Such cases can span several years and leave companies drowning in millions of pages of documents produced in response to requests and questioning, often involving executives at the very highest level. The cost of related investigations can reach millions of dollars in legal and vendor fees, not to mention the associated damage to brand and reputation.

To protect against such costs, it is critical that companies quantify the intangible damages that would occur in the event of a breach and build board-level understanding of the financial value of these risks, so that capital can be deployed to strengthen resilience and purchase insurance policies. When looking to transfer risk, companies should seek industry-leading terms and conditions with global carriers, often across multiple lines of business. Unlike policies for physical assets, which are relatively standardized, the insurance industry is still working out what cyber coverage looks like, and while more sophisticated teams are being assembled to assess risk, evaluate preparedness and write policies, the policies still vary greatly. At a minimum, companies want a policy that covers "first party" losses, including forensics, notification costs, credit monitoring and breach coach fees. Companies will also want products that cover traditional third-party liability costs, in case they are found liable for the incident and must pay a judgment or enter into a settlement. Insurance can also cover the cost of defending against regulatory action. Once a policy is purchased, a resilient organization has processes in place to ensure that potential losses are properly tracked in the event of a breach, which helps maximize coverage and cost recovery. A strong personal relationship with the carrier representative is invaluable at this juncture, as is the ability to quickly and fully disclose the depth of the organization's cyber preparedness planning. This gives the organization an advocate for claim submission and approval.

As for the risk of a public lawsuit and legal proceedings, negligence is by far the most common basis on which an organization is found liable for cyber wrongdoing. Fortunately, class action lawsuits are not common. Bryan Cave, in its Data Breach Litigation Report, reported that in 2016 about 5% of all breach cases filed led to class action litigation, a figure that has remained consistent over the past four years. One case recently decided in favor of the plaintiffs involved Tampa General Hospital, where it was argued that a series of insider breaches put plaintiffs at risk of identity theft and resulted from the hospital's inadequate safeguarding of patient data. In an October 2016 preliminary settlement approval, Tampa General agreed to pay plaintiffs $10,000 plus as much as $7,500 toward attorney and litigation costs. Larger data breach class action settlements have reached the tens of millions of dollars, for example settlements in which claimants are eligible for a cash payment if credit or debit card data or personal information was stolen as a result of the breach. Although it is still rare to see such allegations result in settlements, the pendulum could swing. When it does, a sound cyber insurance product will provide protection by covering part, or all, of the defense costs and resulting settlement payments.

See also: Most Firms Still Lack a Cyber Strategy

Cybersecurity is firmly entrenched as one of the most consequential issues affecting organizations across industries – no one is immune. However, acceptance that an attack is likely can be the impetus for companies to work toward becoming resilient. By putting in place better policies, people, response processes and technology, companies can position themselves in a place of power when a breach does occur. Resilient companies also put themselves in better positions when negotiating cyber security insurance rates, when claiming damages following an attack and when facing regulators, lawsuits and, importantly, embittered and disappointed consumers. Ultimately, adopting a cyber-resilient mindset serves the interests of all stakeholders and allows companies to focus on doing what they do best – running their businesses.