
4 Steps to Achieving Cyber Resilience

We are living in a period of unprecedented technological change. Building resilience to these changes is becoming increasingly imperative.

By 2020, tens of billions of devices are expected to be connected to the Internet of Things (IoT). New technology means new risks. What if someone hacks a car? Or a power plant? By the same token, financial losses from data breaches are likely to reach trillions of dollars. There are also opportunities. One widely cited estimate puts the economic value generated by IoT devices at up to $11.1 trillion annually by 2025, touching 43% of the global economy. Meanwhile, 4.2 billion people, or 55% of the global population, are expected to be online by 2020, exchanging and sharing goods and information. Mitigating the risks while embracing the opportunities is key.

The internet raises hard questions for its users. How should the internet interact with nation states? What opportunities does it offer criminals? How should legislation and regulation apply to the seas of data that constitute the heart of the new digital economy? We are still coming to terms with these issues.

Building resilient firms that can provide solutions and adapt to these new challenges will be a major task in the coming years. Siloed risk management and recovery efforts will come to be seen as increasingly out of place in such a digitized world. Becoming more resilient in this age of continued digital disruption increasingly means understanding the full scope of cyber governance responsibilities. This means starting with a top-down approach to managing risk at the board and executive level, identifying and protecting the organization’s most critical assets and understanding the impact on the enterprise should they be compromised. It means complying with international regulations and understanding organizational blind spots. And it means adapting to the latest techniques and trends in security and being prepared to respond should there be a failure in any of these areas. Cyber security cannot be approached piecemeal; it should be considered holistically, as a challenge facing the entire organization.

In Depth

If leaders are to make the most of new technology, then they cannot only think about that technology: They need to take into account the business context in which that technology operates and the impact and risk exposure that it can potentially cause to the organization. There are two key areas to consider: the regulatory environment and organizational culture.

Regulatory Issues

Today’s globalized, digitally integrated world means that most organizations are to some extent international. Whether it’s a business that serves a global market or a manufacturer hooked into global supply chains, awareness of and adherence to local rules and regulations is crucial.

The EU is a good case in point. The EU General Data Protection Regulation (GDPR), which applies from May 2018, will require every organization operating in Europe to abide by a set of regulatory provisions. This does not just mean companies based in Europe: it also covers organizations outside the EU that offer goods or services to people in the EU, or monitor their behaviour, and therefore process their personal data.

“GDPR can impose considerable punitive measures on companies that fail to comply with these regulations,” warns Andrea Garcia Beltran, EMEA Cyber Sales Leader, Financial and Professional Services Group at Aon. “Failure to comply could mean fees of up to 4% of annual global revenues, and intensified investigations and auditing in the future.”

Crucially, this new legislation will affect “organizations of every size, industry and geography that process data of EU citizens,” says Kevin Kalinich, Global Practice Leader, Cyber Insurance, Aon Risk Solutions. “It applies broadly to personal data, including customer lists, contact details, genetic/biometric data and potentially online identifiers, such as IP addresses. Companies must obtain explicit clear and affirmative consent prior to processing personal data – assumptions based on silence do not comply.”

These provisions include requirements on corporate data protection policies, which means treating data stored on mobile devices with the same precautions as data stored centrally. GDPR also imposes record-keeping and reporting obligations on data processors, and requires companies to have a data breach notification protocol: a personal data breach must, unless it is unlikely to result in a risk to individuals, be reported to the supervisory authority within 72 hours of the organization becoming aware of it, and affected individuals must be informed where the breach is likely to result in a high risk to them. However, there are upsides to new regulation. “Compliance will enable firms to update their current process and methodology to assess cyber risks and the related potential business impact,” Kalinich says. “Once compliant, an organization’s total cost of risk could be reduced.”


The scope and potential severity of the legislation mean that affected companies need to move quickly before the law becomes enforceable on May 25, 2018, to ensure compliance. In practical terms, this means the C-suite assessing the company’s readiness for GDPR and then putting in place teams that can carry out the necessary changes before that date.

And the GDPR is just one example, in just one part of the world. Japan’s Act on the Protection of Personal Information (APPI), enacted in 2003 and substantially amended with effect from May 2017, is another. These challenges are global, and regions everywhere will need to come up with appropriate regulatory responses. Understanding legislation like this and building a responsive cyber policy is crucial.

Maintaining Cyber Awareness

The GDPR determines how an organization will manage, protect and administer data. Such regulations are put in place to protect businesses and also consumers from the damage cyber breaches can cause, Garcia Beltran explains. “And they will be most effective if organizations themselves take cultural steps to acknowledge and take appropriate measures to protect against known and unknown cyber vulnerabilities.”

East Asia provides a good example of a region still transforming its attitude toward cyber risks. This can be seen in the gap between the cyber risk faced by leading Asia-Pacific firms and the levels of cyber insurance. Ponemon’s 2015 Asia Pacific cyber impact report found that only 13% of potential losses to intangible assets (i.e., informational and data assets) were covered by insurance in the region, compared with 49% for tangible assets (such as goods or operating technology).

“Cyber risk awareness and understanding is still very low, but awareness is growing rapidly over time with incident frequency,” says Sandeep Malik, Asia CEO, Aon Risk Solutions. Several industry studies have identified the APAC region as a leading source of malicious cyber traffic, and organizations within the region are more likely to be targeted by attackers than those in other parts of the world.

Despite this growing risk, and with the exception of regulatory initiatives like Japan’s APPI, organizations are still working to adapt their strategies to improve their resilience to the threat. In the meantime, the discrepancy between coverage and risk level means that information and system assets are too often exposed without appropriate protection. This problem is compounded by an insurance sector that has historically underserved the Asia-Pacific market in comparison with North America; the reason is that there is much less litigation in AsiaPac, Kalinich says. “While companies in the region are adopting technology at a rapid pace, cyber insurance purchases lag way behind property and general liability insurance even though there are increased cyber exposures, such as business interruption, which could be equal to losses in North America,” he says. Due to this lack of demand, “cyber insurance companies have not flocked to Asia – yet.”

The difficulties facing the APAC region are just one example of how approaches to cyber risk need to be understood in terms of organizational culture. Cyber teams would do well to understand any blind spots that might inadvertently be opening gaps in cyber policy. Not only will this reduce the potential risk, but it should also reduce the cost of cyber insurance.

Companies also need to make sure their C-Suite and their cyber teams are speaking the same language – this seems straightforward, but what might seem rudimentary for a cyber specialist may be too technical for a C-level executive. “Experts in this space sometimes tend to use technical language when describing cyber security, which sounds like a foreign language when presented to CEOs and boards. It’s important for information security experts to communicate with executive leadership in terms they can understand and for leaders to become more knowledgeable about cyber security concepts and issues,” says Jim Trainor, Senior Vice President, Aon Risk Solutions and former Assistant Director of the FBI’s Cyber Division in Washington, DC. Making sure an organization can face risks effectively means making sure that the nature and scale of those risks is effectively communicated.

Four Steps to Reducing Your Cyber Vulnerability

There are a number of strategies that can help organizations ensure smooth operations. Leaders should keep the following four steps in mind as they operate in today’s digital, connected and regulated world.

  1. Identify your critical assets. Organizations need to identify their most critical assets and achieve alignment from the board and executive team down to the individuals responsible for protecting them. Organizations must assess what data is critical, where it is stored, how it flows across the organization and who really needs access to it. Critical assets could include customer data and intellectual property that could be stolen, or operating and manufacturing technology that could be sabotaged. This inventory serves as the foundation on which an organization develops, tests and validates its security program. Furthermore, organizations must understand the impact on the business should these critical assets be compromised and be prepared to respond so as to limit that impact while restoring normal business operations.
  2. Conduct a comprehensive risk assessment. Once alignment on critical assets has been established from the top down, it will be easier to pinpoint vulnerabilities and assess cyber preparedness. Organizations should review cybersecurity deficiencies and vulnerabilities across all key enterprise areas, including business practices, information technology, IT users, security governance and the physical security of information assets. Risk can also manifest itself as losses due to business interruption or reputational damage.
  3. Take a holistic approach to cyber governance. Mitigating cyber risk is not just an issue for tech teams. The scope of the risk means that guarding against attacks should involve key players across all enterprise functions and entities. Educating employees and leaders at all levels on the scale of the risk and putting crisis plans in place will help build a truly cyber-resilient organization.
  4. Keep your defenses sharp. A secure environment requires continuing validation and can become vulnerable in an instant. Use techniques such as penetration testing and red team exercises to find exploitable weaknesses in your applications, networks and endpoints before an attacker does, and retest after remediation to confirm the fixes hold.


Rising to the Challenge

Addressing ever-changing cyber threats can be a complex task, not least because of the challenge of ensuring sufficient levels of technical knowledge. “Since most lines of insurance base risk, pricing, limits, retentions and coverage on 10 to 20 years’ worth of actuarial benchmarking and specialized underwriting expertise, there is not a lot of cyber risk management experience,” Kalinich says. “Cyber risk management expertise requires a combination of technology acumen, insurance knowledge, understanding of legal and regulatory concepts, quantitative awareness and critical thinking. Given the growing demand, there are unprecedented opportunities in the global jobs marketplace for many new cyber resiliency champions to ensure organizations protect their balance sheets from cyber exposures.”

As with everything, a holistic understanding of the challenges, be they regulatory or organizational, and a holistic application of the right solutions will be essential in building resilient companies that can adequately meet the demands of a rapidly changing cyber landscape.

The Key to Survival in the Wild West of Cyber

Today, the question is not whether my organization will experience a cyber attack, but when, and how. In our digital and connected business world, companies seeking cost efficiency, speed and better customer experience are rapidly connecting more processes, infrastructure and information to the internet. At the same time, the complexity and frequency of cyber attacks continue to rise. You need only look at the list of recent high-profile attacks to see that companies across industries, from Wall Street banks to healthcare to entertainment, as well as government entities, are being assailed.

This brave new cyber world exposes organizations to a different category of risks and associated liability issues, including the need to cover themselves for loss or exposure of commercially valuable intellectual property or consumer data; misappropriation of trade secrets; privacy violations; losses caused by third parties; costs associated with breach notification, forensics, credit monitoring, outside incident response providers, technical remediation and PCI assessments; business interruption costs and system failure; and legal proceedings and the defense of regulatory actions – to name a few. On top of this, while companies suffering under the weight of a breach understandably feel like victims, they are not always seen that way by the authorities, the marketplace or the media. While dealing with the fallout of an incident, companies often face the additional challenge of defending their actions, protecting their brands and getting claims settled and paid. In this context, proper cyber risk mitigation, put in place long before an event occurs, is a best practice for all organizations.

Just like in the Wild West, organizations dealing with cyber risk are operating in a fast, continuously shifting threat landscape, governed by its own set of evolving laws and rules. Even knowing the bandits are out there, organizations continue to be caught off guard by new criminal tactics and attack vectors. Attackers continue to hone their techniques, whether that means obtaining access through the Internet of Things, devising more sophisticated social engineering methods or attacking information sources and manipulating data. What is more, the delay between a cyber criminal penetrating a network and being discovered can be considerable: it might take an attacker only eight days to compromise a network, but detection typically takes months. Financial firms take an average of 98 days to detect a data breach, and retailers as many as 197 days, according to Ponemon Institute research. That is a wealth of time for attackers to inflict significant damage, and it doesn’t look good to regulators, customers and other stakeholders.


Against this backdrop, cyber insurance is an essential component of a company’s risk management strategy. Even though companies tend to view the likelihood of a loss as higher for information assets than for property, plant and equipment (PP&E) assets, they are more adept at protecting physical assets: approximately 51% of PP&E assets are covered by insurance, compared with only 12% of information assets on average, according to the Ponemon Institute’s 2015 Global Cyber Impact Report. One reason for this is that insureds and cyber insurance providers alike struggle to accurately assess and quantify cyber risk; despite paying significant premiums, companies remain under-insured. According to the CEO of Lloyd’s of London, cyber-related losses for businesses worldwide were valued at $400 billion in 2015, yet ABI Research estimated that global gross written premiums for cyber insurance that year totaled only around $2 billion.

The lack of data on which to quantify cyber risk means insurers often feel they are writing policies on the back of incomplete information. Unlike other risk areas such as flood insurance, where historical data means that companies can quantify risk almost to the dollar, developing a strategy to assess and insure against cyber risk is altogether different. And for the insured, selecting a policy is taxing: not all policies are available to all companies, not all policies are equal, and, on top of this, companies are required to demonstrate the existence of sound cyber risk management policies and programs to be eligible for a policy and to claim benefits. These challenges posed by the burgeoning cyber insurance market, and the fact that companies cannot expect to transfer all their cyber risk, mean that they must take a broader, more holistic approach to assessing and reducing exposure.

It is easy for organizations to lose perspective on how best to manage cyber risk, particularly as it affects multiple stakeholders in an organization, from the CISO to the risk manager, the board, IT, the C-suite and even HR. Everyone will have their own ideas about which programs should be mandated and which technology is the latest “holy grail” in cybersecurity. However, this siloed approach is not effective. Cyber attackers are simply too well-motivated, well-resourced and diverse. But it’s not time to throw in the towel. Knowing they will be attacked does not leave companies powerless; in fact, this certainty can drive a far better approach to cyber security. The key to managing risk, and to avoiding chaos and significant loss in the wake of an attack, is achieving cyber resilience. Adopting a cyber-resilient mindset serves the interests of all stakeholders trying to defend an organization and provides assurance to insurers that the company is prepared in the event of an attack.

So, what does it mean to be cyber resilient? Resilience is the ability to withstand or recover quickly from difficult, often unanticipated conditions. In the world of cyber, resilience strategies enable companies to rapidly detect, respond to and recover from cyber attacks. The goal is to detect incidents before they become serious, respond to them vigorously and recover from them effectively. You will be attacked, but if you are resilient you are less likely to have to wear a scarlet letter when the incident occurs.

Achieving resilience

The most urgent question companies must answer is: What are the critical assets we are trying to protect? Some organizations will find it easy to agree on a list of assets, such as customer data or Social Security numbers. Others, perhaps more complex organizations, might find it hard to reach agreement. Alignment on defining critical assets is essential and, above all, economically prudent. Cybersecurity talent is scarce and budget is finite, so prioritizing assets helps allocate money where it matters most. Knowing what needs protection, and where it is, enables organizations to focus controls on those assets, directs threat detection activity and tells first responders where to look when an attack is suspected. This has the potential to shorten the gap between attack and detection, minimizing the risk of having a predator in the network for months. Identifying critical assets is also a necessary first step in choosing and benefiting from cyber insurance products. It’s true you don’t need a $100 safe to protect a $1 bill, but you do need an adequate policy to cover everything that you safeguard. Of course, while focusing on protecting critical assets is essential, companies should continue to defend the full organization and maintain a strong overall security posture.

Once critical assets are clearly defined, cyber threats and vulnerabilities can be assessed and prioritized from three distinct perspectives: the threat to mission-critical technology, to the balance sheet and to corporate reputation. With vulnerabilities determined, companies can sharpen defenses and deploy programs to uncover, test and remediate them. Tactics regularly used range from penetration testing and social engineering assessments to engaging ethical hackers or red teams. In the world of resilience, however, the work does not stop at identifying vulnerabilities and shoring up defenses. Resilient organizations are ready for the “during” and “after” phases of an attack, as well as the “before.” They enhance monitoring activities, develop response plans, and study and practice threat detection and response processes so that they can quickly bounce back and resume normal business operations.


News of an attack is never scheduled on the day’s calendar of events; it comes as a hit. Companies will typically learn of a breach in one of three ways. The company identifies the breach itself, finding that a malicious actor has been in the network for weeks or even months. Or the company receives a call from law enforcement, often with limited information, as part of a larger compromise that has occurred. Or, in the worst scenario, a third party breaks the news: a customer, a business partner or the media. Cyber-resilient organizations can adapt to any of these scenarios, take control and respond with confidence. To be prepared, companies need response plans to manage this “during” phase of an attack. Importantly, these plans need to come alive, which means that they are continually enhanced, practiced and ingrained into the workplace culture.

This response preparation and practice translates into confidence, and the degree of practice will be clear in the wake of an attack. Some organizations call this conducting table-top exercises, or simulated cyber attack exercises. The preparation involves all key stakeholders, both internal and external, and with a well-oiled plan, when the breach call comes, each player follows the blueprint. Public relations is not relegated to a “no comment” statement; financial teams are geared up to manage insurance; lawyers are deployed; and law enforcement is called, among other actions. Ideally, companies have already contracted with a cyber insurance carrier and a cyber resilience firm, and have cultivated personal relationships with primary (and even secondary) representatives.

Companies should also take steps to have incident response and forensic investigators, as well as outside counsel, on retainer, even if they have internal expertise to handle these aspects of an investigation. During a breach, companies need to move quickly. Entering contract negotiations and procurement processes mid-crisis will not only waste precious time but also leave companies on the back foot in price negotiations with providers. When considering whom to retain, it is key to look at the firm’s experience: the number of cases the firm has been engaged on; the diversity of skillsets; the technical tools used; the references of the subject matter experts; and vertical experience. Be careful when selecting a firm that requires its own technology be used on the investigation, as this can limit the scope of its capabilities and potentially lead to conflicting motivations. Also be aware that asserting privilege over the information shared with any firm is a slippery slope, especially through in-house counsel: the strongest way to assert privilege in an investigation is to engage the firm through outside counsel.

Recovering from a cyber attack

Now that the attack is contained, it’s time to recover. Enter stage right, cyber insurance. The cost of a breach can be significant, not only in intangible ways but in concrete costs, particularly if companies face risk and liability via a regulatory or legal investigation. For example, the Federal Trade Commission (FTC) can bring enforcement actions against organizations it suspects of failing to properly safeguard customer information. Such cases have the potential to span several years and can result in companies drowning in millions of pages of documents in response to requests and questioning, often involving executives at the very highest level. The cost of related investigations can reach millions of dollars in legal and vendor fees, not to mention the associated damage to brand and reputation.

To protect against such costs, it is critical that companies quantify the intangible damages that would occur in the event of a breach and enhance board-level understanding of the financial value of these risks, so that capital can be deployed to strengthen resilience and purchase insurance policies. When looking to transfer risk, companies must seek industry-leading terms and conditions with global carriers, often across multiple lines of business. Unlike policy options for physical assets, which are relatively standardized, the insurance industry is still working out what cyber coverage looks like, and while more sophisticated teams are being assembled to assess risk, evaluate preparedness and write policies, the policies still vary greatly. At a minimum, companies want a policy that covers “first party” losses, including forensics, notification costs, credit monitoring and breach coach fees. Companies will also want products that cover traditional third-party liability costs, in case they are found liable for the incident and must pay a judgment or enter into a settlement. Insurance can also cover the costs of defending against any regulatory action. Once a policy is purchased, a resilient organization has processes in place to ensure that potential losses are properly tracked in the event of a breach, which will help maximize coverage and cost recovery. A strong personal relationship with the carrier representative is invaluable at this juncture, as is the ability to quickly and fully disclose the depth of cyber preparedness planning. This helps ensure the organization has an advocate for claim submission and approval.

In terms of the risk of a public lawsuit and legal proceedings, negligence is by far the most common ground on which an organization is found liable for cyber wrongdoing. Fortunately, class action lawsuits are not common. Bryan Cave, in its Data Breach Litigation Report, reported that in 2016 about 5% of all breach cases filed led to class action litigation, a proportion that has remained consistent over the past four years. One case recently decided in favor of the plaintiffs involved Tampa General Hospital, where it was argued that a series of insider breaches put plaintiffs at risk of identity theft and was the result of the hospital inadequately safeguarding patient data. In an October 2016 preliminary settlement approval, Tampa General agreed to pay plaintiffs $10,000 plus as much as $7,500 toward attorney and litigation costs. Larger data breach class action settlements have reached the tens of millions of dollars, with claimants eligible for cash payments if their credit or debit card data or personal information was stolen as a result of the breach. Although it is still rare to see these allegations result in settlements, the pendulum could swing. When it does, a sound cyber insurance product will bring protection in the form of covering part, or all, of the defense costs and resulting settlement payments.


Cybersecurity is firmly entrenched as one of the most consequential issues affecting organizations across industries; no one is immune. However, accepting that an attack is likely can be the impetus for companies to work toward becoming resilient. By putting in place better policies, people, response processes and technology, companies can position themselves in a place of power when a breach does occur. Resilient companies also put themselves in a better position when negotiating cyber insurance rates, when claiming damages following an attack and when facing regulators, lawsuits and, importantly, embittered and disappointed consumers. Ultimately, adopting a cyber-resilient mindset serves the interests of all stakeholders and allows companies to focus on doing what they do best: running their businesses.