Regular risk assessments can help mitigate cyber exposures
NEW YORK — Employees and third-party services are most likely the weakest links in a company’s cyber security system, but regular risk assessments can help prevent information leaks, a financial services regulatory attorney said last week.
“Employees are the sources of many compromises within companies, much more so than the Chinese hackings that we read about every day,” said Jeffrey Taft, a partner with Mayer Brown during a conference Wednesday at the firm’s New York office. “It’s probably 20 times more likely that somebody in this room will be penetrated by employee malfeasance or negligence than any Chinese hacker. There’s a heck of a lot more you can do to keep your employees from leaking information than the Chinese hackers.”
Mr. Taft gave the attendees an overview of the New York State Department of Financial Services' cyber security regulations, which became effective March 1.
The regulations require cyber security standards for any entity licensed or similarly authorized by the department to operate in New York, including insurance companies, agencies and brokerages, as well as certain banks, licensed lenders and money transmitters. The covered entities would have 180 days, or until Sept. 1, to comply with most parts of the regulation.
The key element of the regulation, Mr. Taft said, is the risk assessment that companies conduct.
“Everything effectively keys off the risk assessment you do and how you handle the information gleaned from that assessment,” he said. “So obviously, it’s important that people do a risk assessment. Unless they do a risk assessment, they’re not going to be able to basically tailor their policies and procedures to the risks that have been identified.”
Insurer Travelers Cos. Inc. lists several suggestions on its website for training employees in cyber security. Among other things, companies should emphasize the critical nature of their data to employees, stress that they are not permitted to install unlicensed software, and train them to select strong passwords.
Since cyber threats are constantly evolving, Mr. Taft said the risk assessment must be done regularly, it must be documented, and “it has to include specific steps that you’re going to take to mitigate the risks that were identified.”
How to respond if an event happens
During a session on how to respond to a cyber security event, Jason Straight, senior vice president and chief privacy officer for cyber risk solutions at UnitedLex Corp., an Overland Park, Kansas-based legal services provider, said companies should not expect much sympathy in the event of a cyber incident, even if they are the victim.
“You have to put yourself in a position to make good strategic decisions,” he said. “Now it sounds obvious, but it is difficult, it is stressful, and there will be panic. Part of that is getting the right people in the room to make decisions.”
Mayer Brown's guide "Preparing and Responding to a Computer Security Incident: Making the First 72 Hours Count" recommends that companies have a well-prepared response team in place to respond to cyber incidents quickly. Companies are also advised to have a written response plan so the team can make the best decisions for the organization.
After the incident has been addressed, Mr. Straight said to “make sure there’s a formal process for digesting lessons learned from the incident.”
“Some incidents have this way of seemingly dragging on forever,” he said. “They just seem to trickle out at the end. What happens is that they just drift away, nobody ever goes back and reflects on what are the things we need to do as an organization.”
Compliance is key
Martin Schwartzman, a principal with SBL Solutions L.L.C., a New York-based consultancy, warned about the dangers of not complying with the DFS requirements.
“You don’t want to be the first one out of the box to be caught not in compliance,” said Mr. Schwartzman, former first deputy superintendent of the New York State Insurance Department and senior adviser to the superintendent of the DFS. “Probably one of the most significant deterrents, other than the financial penalty, would be the publicity. Nobody wants to be front and center on the home page of DFS and in news articles (saying) that this company has failed to comply with cyber regs or is not protecting their insureds.”
Mr. Schwartzman also said that noncompliance with the DFS regulations could have an impact on other operations of the company, such as introducing new products or new lines of business, or mergers and acquisitions.
“If DFS feels you don’t have adequate cyber protection,” he said, “that can hold up many other divisions within the company, and it’s yet another significant cost. It has a lot of ramifications outside the civil penalty you have for noncompliance.”