The insurance industry has a large role to play in helping companies gird for cyber attacks, panelists said Tuesday during a roundtable discussion at the Property Casualty Insurers Association of America's annual meeting in Boston.
Michael DuBose, founder and president of cyber security advisory firm CyDefense L.L.C., said one of the most basic things insurers can do for their clients is to disabuse them of the presumption that their corporate data is safe.
"There is no such thing as a 100%-secure network," he said. Indeed, Mr. DuBose said the security industry maxim that there are only two types of companies, "those that have been hacked and those that will be," should now be updated to "those that have been hacked and know it and those that have been hacked and don't know it."
Mr. DuBose recommended three steps companies can take to protect their sensitive data: having an outside vendor perform a thorough security audit; crafting an incident response plan that has buy-in from all levels of the organization; and developing a well-thought-out data architecture that delineates who is privy to sensitive data and includes features such as encryption. "Make sure that somebody in your organization knows where the most sensitive data is. During our investigations, we are often struck by how many organizations don't know who has the keys to the kingdom," he said.
Fellow panelist Douglas H. Meal, partner with law firm Ropes & Gray L.L.P., urged companies that have suffered a data theft to rely on outside help, including insurers, forensic services and outside counsel, in managing the response.
He also said companies must strike a balance between informing consumers and regulators about a breach and divulging too much information, which could make the company the target of class action lawsuits.
“It’s almost like three-dimensional chess in how these breaches play out,” he said.