Tag Archives: ponemon

4 Steps to Achieving Cyber Resilience

We are living in a period of unprecedented technological change. Building resilience to these changes is becoming increasingly imperative.

By 2020, it is expected that there will be tens of billions of devices connected to the Internet of Things (IoT). New technology means new risks. What if someone hacks a car? Or a power plant? By the same token, financial losses incurred through data breaches are likely to reach trillions of dollars. There are also opportunities. GE estimates that IoT devices will be generating $11.1 trillion annually by 2025, touching 43% of the global economy. Meanwhile, it is expected that 4.2 billion people will be online by 2020, or 55% of the global population, exchanging and sharing goods and information. Mitigating the risks while embracing the opportunities is key.

The internet asks a lot of questions of its users. How should the internet interact with nation states? What opportunities can it offer criminals? How should legislation and regulation apply to the seas of data that constitute the heart of the new digital economy? We are still coming to terms with these issues.

Building resilient firms that can provide solutions and adapt to these new challenges will be a major task in the coming years. Siloed risk management and recovery efforts will come to be seen as increasingly out-of-place in such a digitized world. To become more resilient in this age of continued digital disruption increasingly means understanding the full scope of cyber governance responsibilities. This means starting with a top-down approach in managing risk at the board and executive level, identifying and protecting the organization’s most critical assets and understanding the impact to the enterprise should they be compromised. It means complying with international regulations and understanding organizational blind spots. And it means adapting to the latest techniques and trends in security and being prepared to respond should there be a failure in any of these areas. Cyber security cannot be approached piecemeal but should be considered holistically, as a challenge facing the entire organization.

In Depth

If leaders are to make the most of new technology, then they cannot think only about that technology: They need to take into account the business context in which that technology operates and the impact and risk exposure that it can potentially cause to the organization. There are two key areas to consider: the regulatory environment and organizational culture.

Regulatory Issues

Today’s globalized, digitally integrated world means that most organizations are to some extent international. Whether it’s a business that serves a global market, or a manufacturer hooked into global supply chains, awareness of and adherence to local rules and regulations are crucial.

The EU is a good case in point. The EU General Data Protection Regulation (GDPR), due to come into effect in 2018, will require every organization operating in Europe to abide by several regulatory provisions – and this doesn’t just mean companies based in Europe, but also those that offer goods or services to EU markets in a way that involves processing the personal data of people in the EU.

“GDPR can impose considerable punitive measures on companies that fail to comply with these regulations,” warns Andrea Garcia Beltran, EMEA Cyber Sales Leader, Financial and Professional Services Group at Aon. “Failure to comply could mean fees of up to 4% of annual global revenues, and intensified investigations and auditing in the future.”

Crucially, this new legislation will affect “organizations of every size, industry and geography that process data of EU citizens,” says Kevin Kalinich, Global Practice Leader, Cyber Insurance, Aon Risk Solutions. “It applies broadly to personal data, including customer lists, contact details, genetic/biometric data and potentially online identifiers, such as IP addresses. Companies must obtain explicit, clear and affirmative consent prior to processing personal data – assumptions based on silence do not comply.”

These provisions include the regulation of corporate data protection policies, which means treating data stored on mobile devices with the same precautions as data stored centrally. GDPR also requires the consolidation of data visibility tools and written reporting for data processors, as well as mandating that companies have a data breach notification protocol (Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, where feasible, so the detection and escalation path has to exist before an incident, not be improvised during one). However, there are upsides to new regulation. “Compliance will enable firms to update their current process and methodology to assess cyber risks and the related potential business impact,” Kalinich says. “Once compliant, an organization’s total cost of risk could be reduced.”


The scope and potential severity of the legislation mean that liable companies need to move quickly before the law comes into effect on May 25, 2018, to ensure compliance. In practical terms, this could mean the C-suite assessing their company’s readiness for GDPR, and then putting in place teams that can carry out necessary changes before the regulations come into effect.

And the GDPR is just one example, in just one part of the world. Japan’s Act on the Protection of Personal Information (often referred to as PIPA), originally enacted in 2003 and with major amendments taking effect in May 2017, is another. These challenges are global, and regions everywhere will need to come up with appropriate regulatory responses. Understanding legislation like this and building a responsive cyber policy is crucial.

Maintaining Cyber Awareness

The GDPR determines how an organization will manage, protect and administer data. Such regulations are put in place to protect businesses and also consumers from the damage cyber breaches can cause, Garcia Beltran explains. “And they will be most effective if organizations themselves take cultural steps to acknowledge and take appropriate measures to protect against known and unknown cyber vulnerabilities.”

East Asia provides a good example of a region still transforming its attitude toward cyber risks. This can be seen in the gap between the cyber risk faced by leading Asia-Pacific firms and the levels of cyber insurance. Ponemon’s 2015 Asia Pacific cyber impact report found that only 13% of potential losses to intangible assets (i.e., informational and data assets) were covered by insurance in the region, compared with 49% for tangible assets (such as goods or operating technology).

“Cyber risk awareness and understanding is still very low, but awareness is growing rapidly over time with incident frequency,” says Sandeep Malik, Asia CEO, Aon Risk Solutions. Numerous studies have shown that the APAC region is the leading source of malicious cyber traffic, and organizations within the region are more likely to be targeted by hackers than in other parts of the world.

Despite this growing risk, and with the exception of regulatory initiatives like PIPA, organizations are still working to adapt their strategies to improve their resilience to the threat. In the meantime, the discrepancy between coverage and risk level means that information and system assets are too often exposed without appropriate protection. This problem is compounded by an insurance sector that has historically underserved the Asia-Pacific market in comparison with North America; the reason being that there is much less litigation in Asia-Pacific, Kalinich says. “While companies in the region are adopting technology at a rapid pace, cyber insurance purchases lag way behind property and general liability insurance even though there are increased cyber exposures, such as business interruption, which could be equal to losses in North America,” he says. Due to this lack of demand, “cyber insurance companies have not flocked to Asia – yet.”

The difficulties facing the APAC region are just one example of how approaches to cyber risk need to be understood in terms of organizational culture. Cyber teams would do well to understand any blind spots that might be inadvertently opening vulnerabilities in cyber policy. Not only will this reduce the potential risk, but it should also reduce the cost of cyber insurance.

Companies also need to make sure their C-Suite and their cyber teams are speaking the same language – this seems straightforward, but what might seem rudimentary for a cyber specialist may be too technical for a C-level executive. “Experts in this space sometimes tend to use technical language when describing cyber security, which sounds like a foreign language when presented to CEOs and boards. It’s important for information security experts to communicate with executive leadership in terms they can understand and for leaders to become more knowledgeable about cyber security concepts and issues,” says Jim Trainor, Senior Vice President, Aon Risk Solutions and former Assistant Director of the FBI’s Cyber Division in Washington, DC. Making sure an organization can face risks effectively means making sure that the nature and scale of those risks is effectively communicated.

Four Steps to Reducing Your Cyber Vulnerability

There are a number of strategies that can help organizations ensure smooth operations. Leaders should keep the following four steps in mind as they operate in today’s digital, connected and regulated world.

  1. Identify your critical assets. Organizations need to identify their most critical assets and have alignment with the board and executive team down to the individuals who are responsible for protecting them. Organizations must assess what data is critical, where it is stored, how it flows across the organization and who really needs access to it. This could include customer data and intellectual property that could be stolen, or operating and manufacturing technology that could be sabotaged. This can help to serve as the foundation for any organization as they develop, test and validate their security program. Furthermore, organizations must recognize the impact to the business should these critical assets be compromised and be prepared to respond to limit the impact to the organization while restoring normal business operations.
  2. Conduct a comprehensive risk assessment. Once alignment on critical assets has been established from the top down, it will be easier to pinpoint vulnerabilities and assess cyber preparedness. Organizations should review cybersecurity deficiencies and vulnerabilities across all key enterprise areas including business practices, information technology, IT users, security governance and the physical security of information assets. Risk could also manifest itself as losses due to business interruption or reputational damage.
  3. Take a holistic approach to cyber governance. Mitigating cyber risk is not just an issue for tech teams. The scope of risk means that guarding against attacks should involve key players across all enterprise functions and entities. Educating employees and leaders at all levels on the scale of risk and getting in place provisional crisis plans will help build a truly cyber-resilient organization.
  4. Keep your defenses sharp. A secure environment requires continuing validation and can become vulnerable in an instant. Deploy techniques such as penetration testing and red-team exercises to verify that your applications, networks and endpoints actually resist the attacks you have modelled, and repeat them as the environment changes rather than treating a single clean result as permanent.


Rising to the Challenge

Addressing ever-changing cyber threats could be a complex task, not least because of the challenges of ensuring sufficient levels of technical knowledge. “Since most lines of insurance base risk, pricing, limits, retentions and coverage on 10 to 20 years’ worth of actuarial benchmarking and specialized underwriting expertise, there is not a lot of cyber risk management experience,” Kalinich says. “Cyber risk management expertise requires a combination of technology acumen, insurance knowledge, understanding of legal and regulatory concepts, quantitative awareness and critical thinking. Given the growing demand, there are unprecedented opportunities in the global jobs marketplace for many new cyber resiliency champions to ensure organizations protect their balance sheets from cyber exposures.”

As with everything, a holistic understanding of the challenges – be they regulatory or organizational – and a holistic application of the right solutions will be essential in building resilient companies that can adequately meet the demands of a rapidly changing cyber landscape.

Cyber Measures Starting to Pay Off

Organizations pay a hefty price for a data breach, but the cost, for the first time, has dropped, a 2017 IBM Security study conducted by the Ponemon Institute has found.

The study, which interviewed more than 1,900 individuals at 419 organizations in 11 countries, found the average cost of a data breach is $3.6 million—a 10% decrease from IBM Security’s 2016 study.

Incidents with fewer than 10,000 records compromised cost, on average, $1.9 million, and incidents with more than 50,000 compromised records cost, on average, $6.3 million. Incident costs in the 2016 study averaged $2.1 million for the smaller breaches and $6.7 million for the larger ones.


“I was pleasantly surprised to see this was the first year in the history of the study that the global cost of a data breach has declined,” says Diana Kelley, IBM Security’s global executive security adviser. The Ponemon Institute has tracked the cost of U.S. data breaches for 12 years and other countries’ breaches for as long as 10 years.

This year’s decrease, Kelley says, “may be an indication that the expertise and processes being put in place to optimize security measures are more effective than ever before.”

What’s working

The new study found that incident response, encryption and education had the most impact—and business continuity programs also helped—in reducing the cost of a data breach.

The faster a data breach can be identified and contained, the lower the costs, the study revealed.

For the 419 companies in the study, the average time to identify a data breach was 191 days, and the average time to contain a breach was 66 days. The average time to identify and contain a breach was highest when a malicious or criminal attack was involved.

People, not glitches, cause most problems

“Successfully responding to a breach is all about speed and limiting the window of access and damage to an organization’s IT environment and data,” Kelley says. “The more quickly a security team can identify what has happened, what the attacker has access to and how to contain and remove their access, the more successful they will be in keeping costs down.”

Hackers and criminal insiders cause the most data breaches. The study found that 47% of all breaches were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was $156. In comparison, system glitches were resolved at an average cost of $128 per record, and human error or negligence breaches were fixed for $126 per record.

Companies in the U.S. and Canada spent the most to resolve a malicious or criminal attack. U.S. organizations spent, on average, $244 per record, and those in Canada spent $201 per record. In comparison, companies in India spent much less—$78 per record.

A single record compromised, of course, would be a manageable expense, but organizations with data breaches usually are faced with hundreds to thousands of compromised records.

“The numbers add up quickly when you consider all the resources and elements affected by an attack,” Kelley says. “Detection and escalation costs alone can include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and the board of directors.”


The bill “continues to rise,” she says, with the cost of notifying victims, help-desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.

“For some small- or medium-size companies,” Kelley says, “a data breach could cost them their business if not effectively addressed.”

This article originally appeared on ThirdCertainty.com. It was written by Gary Stoller.

Healthcare Firms on Hit List for Fines

When the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, the internet was an infant. Physicians walked around with paper charts. A “tablet” referred to a pill. And the typical cyber attack aimed to simply deface a website.

But with the evolution of the electronic age, the majority of the nearly 1.2 billion annual medical visits in the U.S. are documented, stored and shared in electronic form.

And the threat landscape has been evolving, as well.

“Now that (the records) are online and connected across multiple providers and exchanges, there will be more breaches if nothing else is done (for security),” says Kurt Roemer, chief security strategist for Citrix, which provides security tools.


In response, federal authorities have stepped up enforcement actions against healthcare organizations that violate patient privacy rules under HIPAA. As a result, the number of sanctions has reached record levels.

In August, Advocate Health Care Network agreed to pay a record $5.6 million HIPAA settlement for a series of 2013 data breaches affecting 4 million patients.

The fines levied by the Department of Health and Human Services’ Office of Civil Rights (OCR) in 2016 surpassed any previous year since HIPAA became law.

Settlements send a message

And the fines levied by OCR in 2016 were hefty, averaging just over $2 million per sanction. This stepped-up enforcement is no doubt sending a message to healthcare providers.

“There’s a clear upward trend,” says Matt Mellen, security architect for health care with Palo Alto Networks, which provides a next-generation cybersecurity platform. This “is definitely enough to get the attention of healthcare organizations.”

The trend also is reflected in the number of incidents reported by HIPAA-covered entities. OCR’s database, which only includes incidents that affect 500 or more individuals, shows a steady growth each year.

In 2010, 198 incidents were reported to OCR, compared with 296 in 2014 and 269 in 2015. This trend has been documented in various cybersecurity reports, including IBM’s 2016 Cybersecurity Intelligence Index, which put healthcare at the top of all other industries for the number of data breaches.

And according to Ponemon’s recent “State of Cybersecurity in Healthcare Organizations in 2016,” nearly half of the 535 respondents said their healthcare organizations experienced an incident in the past 12 months involving loss or exposure of patient data.

The sector is clearly struggling to keep up with the threats, but the problem is not the law itself, says Niam Yaraghi, a fellow at the Center for Technology Innovation at the nonprofit Brookings Institution.

Sinking teeth into the law

“HIPAA is a fairly good law,” he says. “The problem is that healthcare organizations consider (HIPAA) as the ultimate level of security that they have to implement, and they do not have any incentive to go beyond HIPAA.”

Jodi Daniel, who worked for the Department of Health and Human Services for 15 years and was one of the key draft writers of HIPAA’s Privacy Rule and Enforcement Rule, says, “When the rules first came out … the focus of enforcement was on education and promoting voluntary compliance.” The goal was to help the industry “get it right, as opposed to penalizing them for getting them wrong.”

The first OCR settlement — $100,000 — didn’t come until 2008. And over the next three years, there were only a total of six. The pace picked up in 2012, as has the average amount of the settlements.


What happened in the meantime was the passage in 2009 of the Health Information Technology for Economic and Clinical Health Act. The HITECH Act dramatically expanded the penalties, based on “increasing levels of culpability,” and increased the maximum to $1.5 million instead of $25,000 per identical violation. It also extended HIPAA to business associates.

The addition of business associates was significant, considering a large number of breaches are attributed to third-party incidents.

Risk management more important

The increased OCR enforcement also is putting an emphasis on risk management. Of the 39 settlements to date, at least 14 included lack of risk assessments among the violations.

Palo Alto’s Mellen says OCR’s emphasis on risk management is a positive trend.

“The risk management process is designed to identify all the potential threats to patient data and allows you to define action plans to mitigate those risks,” he says.

Cyber attacks, in particular, pose a bigger threat to patient privacy than other types of breaches. Yaraghi’s report shows that nearly 120 million people were affected by about 150 incidents involving cyber attacks versus a little more than 20 million people affected by about 700 incidents involving theft (laptops, media, etc.).

And the number of hacking/IT incidents is seeing a dramatic increase. Those reported to OCR between 2010 and 2014 grew from nine to 32. In 2015, there were 57.

Yaraghi is a proponent of a third-party HIPAA certification system to serve as a preventative measure. But a true economic incentive, he believes, would be cybersecurity insurance. He recommends every healthcare organization have a policy.

“Healthcare organizations will have to take security into account to reduce the cost of premiums,” he says.


In the meantime, the increased OCR enforcement could create a stronger incentive for healthcare organizations to step up cybersecurity. It will also get the attention of boards of directors, Citrix’s Roemer says.

“It would make it more difficult for the health care institutions and their boards to casually say they aren’t going to invest in security,” Roemer says. “It will definitely drive some changes in behavior.”


This article originally appeared on Third Certainty. It was written by Rodika Tollefson.

SMBs Need to Bulk Up Cyber Security

Third-party risks—the notion that a contractor or a supplier could inadvertently expose the first-party organization to a network breach—may not be the sexiest cybersecurity issue out there. But at RSA 2017—the weeklong cybersecurity conference that drew 43,000 attendees to San Francisco’s Moscone Center last month—there was much talk that third-party risks are destined to ascend as a bellwether phenomenon.

I mean that in this sense: Actually addressing third-party risks is something companies of all sizes—from enterprise-class first-party organizations to SMB-size third-party suppliers—must come to grips with, probably sooner rather than later. What’s more, as the journey to mitigate third-party risk unfolds, trustworthiness of internet-centric commerce naturally will rise, perhaps dramatically.

New market emerges

One marker is that tech research firm Gartner has begun monitoring a dozen or so technology vendors marketing third-party risk solutions to large enterprises. Gartner refers to this fledgling cottage industry as the “IT vendor risk management” market. In a report last fall, Gartner predicted that the IT VRM market would expand 30% by 2019.


The main growth driver: regulatory requirements.

Case in point: New York state’s freshly minted Cybersecurity Requirements for Financial Services Companies, which took effect March 1, includes provisions that require financial services companies to ensure the security of the systems used by their third-party suppliers.

Meanwhile, Europe has begun to roll out a comprehensive set of data-handling rules that also call out the need to address third-party risk. These include the new framework for commercial data exchange between the U.S. and the European Union, referred to as the EU-U.S. Privacy Shield, as well as the new EU privacy rules known as General Data Protection Regulation or GDPR.

SMBs in hackers’ cross-hairs

To be clear, the burden does not solely rest with large enterprises to mitigate third-party risks. This issue profoundly affects small and medium-size organizations. SMBs no doubt will face increasing requirements to prove their cybersecurity fitness to win contracts from first-party business customers.

“Third-party issues are driven by the fact that outsourcing trends are continuing unabated,” says Jonathan Dambrot, CEO and co-founder of Prevalent, one of the leading IT VRM vendors tracked by Gartner. He says third-party suppliers, in fact, are believed to be the source of as much as 70% of the network breaches that occur today.

Professional cyber criminals are fully aware of capabilities of the multimillion-dollar security systems that large companies have in place. So they wisely target “the small provider who’s providing some service and who doesn’t have their security controls,” Dambrot says.

Vendors lack knowledge

Meanwhile, all too many third-party suppliers continue to operate either ignorant of, or in denial of, the exposures they’re creating by failing to adhere to security best practices.

“A lot of smaller firms are still struggling with even understanding what they need to do, from a policies standpoint all the way down to the technical controls,” Dambrot says. “Do they have appropriate controls for encryption, identity management and multifactor authentication?”

It’s very early in the ballgame. A Ponemon Institute survey conducted last May found that the majority of the 600-plus respondents agreed that third-party risk was both serious and growing significantly in their organizations.


However, Ponemon found that only a third of those organizations had formal programs in place to manage third-party risks, and only about a quarter of them purchased cyber insurance to reduce the economic impact of third-party risks.

But the potential for elevating internet security, in the longer run, is palpable.

This post originally appeared on ThirdCertainty.

The Need to Educate on General Liability

In a perfect world, insurance buyers would understand their products just as well as their insurance agents do. This would save a few headaches for everyone involved, and it would probably streamline the process on all ends. However, the reality is that most business owners don’t understand the extent of the insurance products they purchase. Then again, no one should expect them to.

Insurance products are highly complex vehicles. Few business owners have the time to invest in becoming experts in the field or in the products they purchase. Even the best insurance agents spend years learning about the products they sell, many of which change frequently as the economy changes.

That being said, no business owner should simply buy a product without understanding the most important aspects regarding what it does and does not cover. In truth, a highly skilled insurance agent should never let them, either. Here’s where there can be a gap between how much insurance a business purchases and how much it actually needs, showing why educating business owners on the extent of their insurance really matters.

False Perceptions of General Liability Are Common

Many customers tend to believe their insurance covers more than it actually does. This situation could probably be applied to any insurance product, but general liability policies are often the most frequently misunderstood by buyers.


To put it simply, far too many businesses are purchasing less insurance coverage than they should. In a sense, many are taking a huge gamble, believing their risk exposure is less than what it actually is or that their preventative measures, such as employee training, can shield them from those risks. While risk prevention definitely helps, it’s ultimately far from the bulletproof shield many companies think it is. Most companies do it to help themselves get a better rate on their insurance, while maintaining the false perception that their general liability coverage protects them against a multitude of risks not actually defined in the policy.

As a company scales in size, so, too, does its likelihood of experiencing losses related to cyber liability, employee fraud, fiduciary liability, directors and officers (D&O) liability or workplace violence. Yet many companies seem not to realize their exposure.

This would, of course, be less troubling if companies were purchasing policies that actually covered those kinds of risks. Overwhelmingly, they’re choosing to avoid those insurance products altogether. According to Chubb’s survey on private company risk, non-purchasers believed their general liability policy covered:

  • Directors and Officers Liability (65%)
  • Employment Practices Liability (60%)
  • Errors & Omissions Liability (52%)
  • Fiduciary Liability (51%)
  • Cyber Liability (39%)

Businesses aren’t failing to purchase enough liability coverage because they’re unnecessary risk takers. Most, it seems, simply have false perceptions about what their general liability will and won’t do.

A small business may think its general liability policy covers a server hack. Yet, lo and behold, when a server gets hacked and the ensuing liability claims start pouring in, that small business may quickly find itself underwater. In fact, the U.S. National Cyber Security Alliance found that 60% of small companies went out of business within six months of a cyber attack. This seems extreme, but the average cost for a small business to clean up after a hack is $690,000, according to the Ponemon Institute. How many small- or medium-sized businesses can easily absorb that kind of cost without insurance coverage? Not many.

Similarly, mid-sized companies may believe their general liability policy covers directors and officers, leaving the company with unnecessary risk exposures should an incident occur. If, for example, a company begins operating internationally and fails to effectively meet one of the federal regulations governing its industry, a general liability policy won’t help protect the company from impending lawsuits. Any directors held personally responsible may find their own personal assets at risk. Given what we learned from the Chubb survey, it’s quite likely that most directors may think they’re fine with the minimal coverage they receive from a general liability policy. A costly mistake, to be sure.

Who’s to Blame?

We’ll leave the finger pointing aside for now and settle on this: The customer is always right, but he’s not always well-informed. As every insurance agent knows, the amount of time it takes to fully understand an insurance product can be extensive. Business owners, in general, lack the time to invest in fully understanding the products they purchase. It should come as no surprise, then, that misunderstandings arise over what general liability policies actually cover and what risks they simply won’t mitigate.


Insurance agents have a responsibility to use their knowledge to help business owners better understand and sift through those misconceptions. More needs to be done to help decision-makers understand what they are and are not getting from their insurance.

Helping businesses better understand the ins and outs of their general liability policy is a win-win all around.