Mark Greisiger is president of Philadelphia-based NetDiligence, which provides cyber risk assessment and data breach response services for insurers and risk managers to help them better understand if an insured organization deploys reasonable and prudent security and private safeguards in order to mitigate data breach loss and liability risk. He spoke recently with Business Insurance senior editor Judy Greenwald. Edited excerpts follow.
Q: What are some of the key cyber liability risks that concern risk managers?
A: There's been an awakening in general about private information being the holy grail that needs to be safeguarded, and some of that awakening is that they have paramount protection duties when it comes to safeguarding customers' private information. They understand now that there are actual class action lawsuits starting to happen. They're seeing their peers being sued for significant data breaches, and that impacts both the bottom line and their reputation. The other major driver of the past couple of years is regulatory risk wrapped into cyber liability. Federal and state regulators, especially state attorneys general, are very, very aggressive when it comes to enforcing data breach events. There's some 46 states that have laws on the books that require ... things companies must do following a data breach event. A number of attorneys general will actually sue companies when they feel they're negligent in safeguarding private information, and the fines can be significant — millions of dollars, hundreds of dollars per record.
Q: What data protection safeguards are often weak or missing?
A: In general, it's challenging for big companies as well as small companies to safeguard their information in the many places within their company they have to safeguard it ... and that can be, for example, in their own servers and databases, it can reside in laptops that they entrust with consultants, it can be in backup tapes and storage facilities, and it can be — increasingly so — in a third-party service provider such as a cloud operation. So that's understanding where your data is. Secondly, are there reasonable safeguards surrounding that data to protect it in a prudent manner? The things that tend to be missing are ... encryption for data at rest and weak intrusion detection capabilities. Most companies fail to detect a breach in a timely manner ... Oftentimes, there's poor management of the third-party vendors. They ... don't properly manage their vendors, whom they entrust with their data.
Q: What new trends do you see on the horizon?
A: One last point on just trends in general: Clouds, just the massive amount of outsourcing, whether it's for storage or business applications — it's the dependence on clouds, and that impacts not only the risk manager but also the underwriters.
Q: What industries are particularly vulnerable to cyber risk and why?
A: The health sector is No. 1, and I think some of that is driven by the fact they're increasingly going digital in their operations, and they have very strict laws governing how health care sectors need to protect patient information and, when something bad happens, how they must notify the federal government and the patients.