Identify & Analyze: Cyber security risks proliferate, worsen
Evaluate & Implement: Managing and insuring cyber exposures
Monitor & Adjust: Tracking the effectiveness of risk management
Cyber security is a growing problem for businesses and one for which there is no simple solution. The number of companies, organizations and governmental agencies that have been hacked seems to grow daily, representing a mounting threat to companies' information security. And confronting the issue can be an exercise in frustration, because it often seems that as soon as one vulnerability is addressed, another emerges. But best practices are emerging for managing and mitigating cyber risks, and the insurance market is developing coverages to help limit the bottom-line impact of breaches. ›› More
Among the many issues companies must take into account in evaluating the risks inherent in cloud computing are the potential cloud providers, the provider’s contract language, what data is being stored in the cloud, where that data is located and with whom the virtual space is being shared. ›› More
A recent survey shows that 70% of firms are either using or investigating cloud computing. Meanwhile, a national agency classifies cloud computing into four types: private, community, public and hybrid. ›› More
Risk managers can generally obtain insurance coverage for their cloud computing risks under their cyber risk policies, say experts. It is an important issue, experts say, because cloud service providers accept little, if any, liability. But even a good policy is unlikely to help in the event of a major catastrophe. ›› More
Factors including stringent federal and state regulations, widespread dissemination of patient data and a growing black market for patient medical information make health care institutions particularly vulnerable to data breaches. ›› More
Experts at the 2011 Business Insurance Risk Management Summit said many company executives remain unaware of the cyber risks they face. Indeed, some large companies still do not even require employees to have password protection on their mobile devices. And new technology poses risks as well, including the increasingly popular cloud computing services. Further complicating the situation is that the United States remains behind the curve on some technology security issues. ›› More
A white paper issued by a computer security firm identifies massive state-backed advanced persistent threats against dozens of governments and organizations, including a number of companies. While not identified in the paper issued by McAfee Inc., that state is widely believed to be China. These attacks, unlike the widely publicized ones by Anonymous and LulzSec, are much more insidious and occur largely without the public’s knowledge, says a McAfee vice president in his introduction to the report. Most of the attacks were aimed at United States-based organizations, although entities located around the world were targets as well. ›› More
The release of personally identifiable information in a data breach is a critical exposure, and firms face a serious compliance challenge: 46 U.S. states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted laws that require notification of individuals when security breaches involve PII, while a federal law applies to certain data breaches. While the various laws address the same issue, their requirements vary greatly, and organizations must comply with the notice law that applies in the state where the affected individual is located. ›› More
There is still a significant amount of miscommunication between risk managers and their IT departments, which can only hamper both parties' efforts to fight cyber breaches and develop effective risk mitigation and insurance policies. A lack of coordination could result in misinformation on an insurance application and even lead to firms not having the insurance coverage they expected. Part of the problem is simply that risk managers and IT managers talk a different language, say observers. The problem could be organizational as well, with the risk managers and IT managers at some big departments never even having met. There has been some improvement, though, say some observers. Many IT professionals no longer consider the idea that there could be a cyber-related problem a personal affront. ›› More
Speaking at the Business Insurance 2011 Risk Management Summit, Cisco Systems' global risk manager warned that risk is growing with increased computer and Internet usage, while malicious behavior against corporate computer systems is on the rise as well. She highlighted the major threats to companies, including seemingly mundane risks that can create significant exposures, and ways companies can confront the risks. ›› More
The cyber risk threat to corporations is changing, with attacks increasingly coming from sophisticated and even state-backed hacker groups that seek to obtain vital corporate assets, such as intellectual property and competitive intelligence. The number of companies and entities hit by such cyber attacks seems to grow daily, with the International Monetary Fund, Sony Corp., Lockheed Martin Corp. and the Church of Scientology all experiencing so-called advanced persistent threat attacks recently. APT attacks can be particularly challenging to risk managers, as they often go undetected for long periods of time, allowing hackers to steal corporate information for years. ›› More
The widespread use of third-party providers, and the relative lack of control over them, is a major contributing factor to data breaches involving health care institutions. ›› More
A high-profile hacker attack last year on the popular Twitter microblogging site, which led to many users being hit by a worm, underscored the major risk companies continue to face in using third-party-run social media sites in their marketing and outreach efforts. Experts say many of these risks are inherent in using a third-party provider whose security and crisis management they cannot control, but steps can be taken to minimize the danger. ›› More
Companies should be prepared for the threat of denial-of-service reprisal attacks on corporate websites, as they were reminded in 2010 by attacks that were launched by supporters of the controversial WikiLeaks website. PayPal, MasterCard Inc. and Visa Inc., among others, were hit by denial-of-service attacks by WikiLeaks' sympathizers after the companies cut business ties with the secret-revealing nonprofit website. ›› More
Editor's Picks: Online Solutions & Resources
Cybersecurity disclosure obligations
The Securities and Exchange Commission’s Division of Corporation Finance has issued guidance on disclosure obligations in connection with cybersecurity risks and cyber incidents.
State data security breach notification laws
A chart prepared by law firm Mintz, Levin, Cohen, Ferris, Glovsky & Popeo P.C. provides detailed information on state data security breach notification laws.
Digital Forensics Association data breach report
The Digital Forensics Association's second annual breach report, “The Leaking Vault 2011 -- Six Years of Data Breaches,” analyzes 3,765 data loss incidents with a known disclosure of 806.2 million records.
New data breach notification law for California
A new California data breach notification law takes effect in January. Find out all the details.
Universities Account for More Breaches
This analysis concludes that for undetermined reasons, colleges and universities account for a disproportionate number of reported data breaches.
Daily report of data breaches available
The Identity Theft Resource Center is a nonprofit organization focused on the understanding and prevention of identity theft.
Database tracks cyber security incidents
The Web Hacking Incident Database is a Web Application Security Consortium project dedicated to maintaining a list of web application-related security incidents.
Hackers may be one or two steps ahead of firms when it comes to advanced persistent threats, but there are steps risk managers and their IT departments can take to make it much harder for hackers to gain access to company data and computer systems. And concerted efforts to manage this risk are critical, as companies' most valuable intellectual and competitive assets can be at stake. ›› More
Careful planning, education, and identifying a key person with accountability and responsibility, are among the steps risk managers at health care institutions can take to minimize data security problems. ›› More
Data thieves are no longer happy with just stealing the identities of a company's customers and employees and instead are zeroing in on the more valuable information that makes up the corporation's identity. Merger and acquisition activity, for instance, can be used for insider trading, while a product plan can be brokered to another company. One tactic data thieves use to obtain such information is to create legitimate-looking emails that are planted on the corporate web site. Learn how to minimize the risk. ›› More
To work together to address cyber threats, risk managers and information staff first need to start talking to one another, say experts. It is preferable that the risk manager makes the first move because he has the broader responsibilities. In any case, however, it is important that the IT department feels it has a voice in the process. One effective way risk managers and IT people can communicate with one another is through the use of accepted, industry-wide standards, which helps risk managers who do not have their IT staff’s technical expertise. It is still incumbent upon risk managers, though, to at least have some basic knowledge of their computer system’s architecture. They should also be sure they have top management’s support in their efforts. ›› More
For all its benefits, cloud computing raises several critical data-related operational and liability risks for organizations, which means they should first carefully weigh the benefits and risks associated with moving systems to the cloud. Risk and IT managers should also be aware that, as with everything else, you get what you pay for, and be wary of relatively cheap services. The structure of the cloud provider contract is particularly crucial, and firms should not be lulled into complacency even if the provider is a well-known name. ›› More
Companies received a wakeup call about the increasingly complex world of data breaches when hackers obtained the names and email addresses of customers of dozens of businesses as a result of the data breach at Epsilon Data Management L.L.C. A key potential danger from the breach was “phishing” attacks, where hackers send emails to company customers in an effort to obtain financial and other personal data. ›› More
Headline-grabbing leaks by the controversial WikiLeaks website highlighted for companies the complex and fast-changing nature of cyber risk exposures. WikiLeaks founder Julian Assange, for instance, boasted he had enough information to make the head of a major bank resign. But cyber risk experts say there are steps that can be taken to prevent information leaks by employees. ›› More
Risk managers need a complete understanding of their organizations' exposures to select the right liability insurance in a competitive marketplace. One advantage for companies is that insurers' appetite for modifying policy forms remains strong, and for the most part insurers are willing to work with companies in modifying the coverage. But to gain the full benefit of the insurance coverage, a risk manager needs to construct the cyber liability policy around their organization's risks. Firms must understand the kind of data they collect, how long it is kept and how it is destroyed. ›› More
While underwriters' information needs and internal company politics can make buying cyber risk insurance a challenging process, it has become necessary as the frequency of data breaches increases, experts say. While the initial process is painful, renewals have become a lot easier, and the marketplace has matured a great deal over the past five years. ›› More
Everyone is vulnerable to a security risk, but companies will be in a better position to respond when their systems are attacked if they do some advance planning, experts say. Furthermore, underwriters look more favorably upon companies that have a detailed response plan. A proper response plan, which is basically a checklist that takes away a lot of the decision-making that has to be done, will also guide a company's actions after a breach. ›› More
The Obama administration has unveiled a cyber security proposal that would replace the current patchwork of state laws with a national standard on notifying consumers about data breaches. Cyber security and risk management experts welcome the proposal because notifying consumers under the many state laws has become a nightmare for firms, leading to hassles and significant legal expenses. Elements of the proposal, which was initiated because of the repeated cyber intrusions on the nation's critical infrastructure, include national data breach reporting and penalties for computer criminals. ›› More
Any commercial entity that has a computer network and maintains confidential information is exposed to cyber risks, with top perils including hacking, laptop loss with client data, backup tape loss, staff mistakes such as data leaks, denial of service attacks and business partner mishaps and breaches. Contributing to the problem is companies collecting more data than they need for marketing purposes and then storing the data for too long. But risk management that takes such issues into account can minimize exposures. ›› More
Good data is hard to find when evaluating cyber breaches and the need for insurance to protect a business. About half of data breaches are not reported, which makes it more of a challenge for risk managers to convince top company executives of the need for this coverage. And when they do decide to purchase coverage, companies need to take into account a wide range of factors about their exposures and needs. ›› More
Data thieves increasingly are looking beyond financial data and sensitive customer information and zeroing in on the very heart of a corporation: its most vital intellectual assets. In such advanced persistent threats, hackers establish a long-term occupying presence within a company's network, planting malware that can lie dormant for years before problems begin. In this free Business Insurance webcast, experts explore how APTs work, how they can be detected and what risk managers can do about them. ›› More
The biggest security problems associated with mobile devices stem from their portability and the amount of data they are capable of storing. Such devices are easily lost or stolen, and criminals can then use the information obtained from such devices to hack into personal or corporate information. Other issues include the growing use of mobile payment applications and the privacy issues that can arise if employers track their employees' locations. ›› More
Editor's Picks: Online Solutions & Resources
Advice on cloud computing tools, risks
The National Institute of Standards and Technology's “Draft Cloud Computing Synopsis and Recommendations” report, issued in May, describes cloud computing benefits and issues and presents an overview of major classes of cloud technology.
Comprehensive glossary of cyber risk terms
The “National Information Assurance Glossary” was created by the Committee on National Security Systems. In addition to an 83-page glossary, it includes a list of commonly used abbreviations and acronyms.
Federal Information Security and Data Breach Notification Laws
This report describes information security and data breach notification requirements included in various federal legislation.
Nationwide guide to data breach legislation
This data bank by the American Institute of CPAs provides detailed information on the privacy legislation that has been enacted by 46 states, the District of Columbia, Puerto Rico and the Virgin Islands.
Practical solutions for protecting computer data include developing a written information security plan, say the Risk and Insurance Management Society, Identity Theft 911 L.L.C. and USLAW NETWORK Inc. in a special report, “ERM Best Practices in the Cyber World.” Meanwhile, a report issued by a unit of Lockton Cos. L.L.P. says most data breaches occur because of human error or a glitch in the system. ›› More
Companies experiencing data breaches face difficult decisions as to when to let their clients know about the problem. ›› More
Risk managers are finding best practices to help them limit their companies’ financial exposure to data breaches. These include improved methods of assessing vendors’ security measures and insurance. But getting in front of the issue is important. ›› More
Perhaps because vendors have recognized and responded to the issue, and because they are concerned about their reputations, there have been relatively few data breaches involving cloud computing data, in contrast to the situation with corporate systems, experts say. ›› More
Establishing a data breach response plan before a problem occurs will help firms navigate the delicate issue of when they should inform those affected by a breach. ›› More
A uniform federal law governing notification of data breaches would be welcome, but it should pre-empt related state laws if it is going to be helpful to employers, observers say. ›› More
Almost half of corporate board members are dissatisfied with their ability to oversee the risks posed by information technology, according to a survey. In addition, while virtually everyone agreed information technology will significantly affect their organizations within five years, more than half said there is insufficient information and communication at the board level to perform their duties effectively. The survey also found that only a relatively small percentage of board members had previous experience as an information technology executive or chief information officer. ›› More
Cyber liability plaintiffs are experiencing more victories in the courts, which significantly increases potential costs for companies that have suffered data breaches. One factor contributing to this trend is the increasing amount of legislation and regulation related to data breaches at the state and federal level. Plaintiff attorneys have also become more adept at surviving motions to dismiss and moving cyber liability cases to the discovery stage, at which point cases can become very costly for firms. ›› More
The data breaches suffered by Sony Corp. earlier this year offer several cyber risk management lessons for companies. These include the importance of frequently monitoring systems' security and obtaining cyber insurance. Companies need to understand information security is not a commodity but an ongoing process that goes to the very heart of the enterprise's continuity and value. ›› More
Editor's Picks: Online Solutions & Resources
White House outlines cyber security plan
The Obama administration has unveiled a “Comprehensive National Cybersecurity Initiative” designed to address problems and create standards around cyber security priorities.
Data breaches over time
The Privacy Rights Clearinghouse has a chronology of data breaches, listing instances where personal information has been compromised by the release of information such as social security numbers, account numbers and driver’s licenses numbers.
Bill would establish national data breach notification standard
A bill approved by the Senate Judiciary Committee sponsored by Sen. Patrick Leahy, D-Vt., would establish a national standard for data breach notification.