Take steps to reduce losses from cyber risk: RMS panelReprints
NEW YORK—While there is no way for companies to completely eliminate the risk of data breaches and cyber attacks, there are several steps they can take to reduce their potential financial and reputational losses, a panel of experts said Wednesday at the third annual Business Insurance Risk Management Summit® in New York.
“The fact is that you're going to be attacked. That's the reality,” said Alan Brill, senior managing director of secure information services for New York-based Kroll Inc. A well-crafted cyber risk management program need not be wildly expensive or complex, Mr. Brill said, but should at least strive for “commercially reasonable levels” based on company size and industry.
“There are things you can do that aren't terribly expensive or terribly difficult that can raise the bar in terms of your security,” Mr. Brill said. “It's not going to amount to a 100% perfect security, but you won't be the weakest firm on the block—and that's a good start.”
Above all, the panelists noted, cyber liability cannot be addressed in a vacuum. When contemplating any significant actions or policy implementations, a company would be well-advised to involve leaders from all of major administrative divisions to assess any potential impacts to its data holdings.
Discussions should include department heads in information technology, risk management, legal, finance, human resources, marketing or public relations, procurement, operational units and, when possible, third-party business partners and vendors, experts said.
“When you have companies that involve leadership from various departments within the company in decisions regarding cyber liability issues, the results are so much better,” said Lori Nugent, a Chicago-based partner with Wilson Elser Moskowitz Edelman & Dicker L.L.P.
“All of those different stakeholders will have valuable input that can help you minimize your risk,” said Richard Santalesa, New York-based senior counsel at the Information Law Group.
In terms of pre-emptive risk management, Mr. Brill said companies can go a long way toward reducing their exposure to significant losses resulting from a security breach by putting themselves on a “data diet.”
“Ask yourself if you actually need to collect the information you're collecting,” Mr. Brill said. “There is an enormous amount of information that we never use, but we never get rid of. It's 100% risk and 0% value. As a risk manager, that's the scariest equation you're ever going to hear.”
One key element to successfully navigating a cyber attack or data breach that experts said many companies overlook is the establishment of a clear breach management plan, and a breach response team designated to execute that plan.
“The thing that we see most often are companies that are unclear as to what the firm's management and the board of directors expect of them, who's responsible for what specific tasks, and who has the authority to do what,” Ms. Nugent said.
When crafting a response plan, panelists said companies should place particular emphasis on public relations, as reputational harm often can prove more costly over time than any direct financial losses.
“There are few things that can impact your brand more than a data breach,” Ms. Nugent said, adding that a well-prepared company could enhance its brand depending on its response to a security breach.
“Folks expect attacks to happen, and they know that security is not perfect,” Ms. Nugent said. “What they learn when you respond to a breach tells them a lot about what kind of company you are and whether they want to do business with you.”