Private sector lags on cyber security
CHICAGO — Despite the recent spate of highly-publicized data breaches, companies and their insurers are still struggling to get their arms around the risks represented by cyber crime, speakers said at the 10th annual Symposium given by Minneapolis-based brokerage Hays Companies in Chicago.
Delivering Thursday's keynote address, Sean Joyce, Washington-based principal in the U.S. advisory forensics services practice at PricewaterhouseCoopers L.L.P. and former deputy director of the FBI, said that although the “sky is not falling”, he sees much room for improvement in how cyber risk is addressed in the corporate environment.
“I am amazed at the lack of preparation I see in the private sector, compared to what I saw in my old job,” Mr. Joyce said. “A lot of the information is classified, but I can tell you the threat is real and happening each and every day.”
One common mistake companies make when addressing cyber security is viewing it solely as a technology problem to be solved by the information technology department, Mr. Joyce said. “When I ask companies about what they are spending on cyber security, usually they refer me to somebody in IT,” he said. “However, I would argue that we are talking about an enterprise risk.”
The travails of Target Corp., which suffered a data breach in 2013 after crooks gained access to systems through a computer system used by an outside HVAC vendor, are illustrative of how even companies with top IT professionals and security protocols can fall victim to cyber crime, Mr. Joyce said.
“We used to have a quarterly meeting at the FBI, and companies would come to get a classified briefing about the cyber threat,” he said. “I can tell you that Target was an excellent company and did great work on the security front, but they were compromised through a third party. So, it's not just about what you are doing but also about what the people that you are connected with are doing.”
Despite the scale of the Target breach, the cyber attack on Sony Corp. in the wake of the controversial movie The Interview was in many ways more troubling, Mr. Joyce said. Believed to be the work of hackers avenging North Korean leader Kim Jong Un, the hack marks a case of a company targeted by hackers working for a nation state, as opposed to traditional bad actors such as organized crime, “hacktivist” organizations and disgruntled insiders.
“This was a watershed, unprecedented attack,” Mr. Joyce said, noting that the attack went far beyond theft of data to include the deletion of sensitive data, weeklong disabling of corporate computer systems, extortion and even threats to Sony employees and their families. “Thank God this was just an entertainment company and not an energy provider or bank.”
Accordingly, Mr. Joyce suggests that companies develop robust business continuity plans and work to develop in-house expertise in areas such as security and cloud computing.
Companies should also investigate the growing market for standalone cyber coverage for first-party and third-party liabilities, said Armando L. Vilches, Nashville, Tennessee-based managing director and professional lines broker for RLA Insurance Intermediaries L.L.C. “About three years ago, there were about 35 markets available providing standalone, broad forms,” Mr. Vilches said. “Now, there are well over 75 available to me, so there's a lot of competition in the market.”
However, Mr. Vilches said companies need to choose their insurer carefully, as there is a great deal of variance in risk appetite, capabilities and pricing; he noted that he can receive widely varying quotes on the same business from different insurers.
“That tells me that the carriers are not really 100% sure what the good risks and bad risks are,” he said. “Cyber is a newer product, and the market doesn't yet have a good feel for what the pricing model should be.”