Reduce hack fallout with foresight
Cyber attacks have been dominating the news, with stories about breaches at Equifax Inc., Yahoo Inc. and Sabre Systems Inc. and the damage done by ransomware such as WannaCry and NotPetya — but the best time to respond to a cyber breach is long before it happens, experts say.
Insurance executives and risk management analysts warn that organizations cannot afford to plan their response to a breach after it has occurred, as regulators, shareholders and clients will be demanding immediate answers.
“You really can’t talk about breach response without first talking about how an organization should be prepared, what they should be doing, what they should be thinking about as an organization and then putting a plan in place,” said Joe DePaul, New York-based cyber/errors and omissions practice leader for FINEX North America at Willis Towers Watson P.L.C. “It really has to come from the top down, from the board, from the C-suite executive team down through the organization. Having that culture in place that’s very focused in this area is very important.”
The key elements for any incident response plan involve preparation and practice, Mr. DePaul said.
“If you don’t prepare, if you don’t practice, ultimately your response plan will fail,” he said. “You really need to understand what that response says, who’s involved, and make sure that plan is really up to speed.”
“Ironically, the key to an effective response is what you actually do before the breach ever occurs,” said Jeffrey Dennis, managing partner and cyber security practice lead with Newmeyer & Dillion L.L.P. in Newport Beach, California. “Having an effective rapid response plan — what we call a cyber incident response plan — is really the key.”
Mr. Dennis recommended a four-step approach to dealing with a breach: do an initial assessment, take steps to minimize further damage, record and collect the data related to the type of breach, and then notify law enforcement, regulators, employees and affected consumers (see related story).
“Underwriters who are writing cyber policies are looking at what types of plans and procedures you have in place,” Mr. Dennis said. “And if you’ve got a cyber incident response plan or already worked on one, I think you’ve got a pretty good shot of actually being able to secure effective insurance, and it should reflect favorably on the rates you’re going to get.”
Preparation also has financial benefits. The Ponemon Institute L.L.C.’s 2017 Cost of Data Breach Study found that programs that preserve customer trust and loyalty in advance of the breach will help reduce lost business and customers.
“In this year’s research, more organizations worldwide lost customers as a result of their data breaches,” the report says. “However, as shown, having a senior-level leader, such as a chief privacy officer or a chief security officer, who is able to direct initiatives that improve customers’ trust in how the organization safeguards their personal information will reduce churn and the cost of the breach.”
Forty-eight states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands require private or governmental entities to notify individuals of security breaches of information involving personally identifiable information, according to the Denver-based National Conference of State Legislatures. Alabama and South Dakota do not have these requirements.
Regulations vary, but the conference says these states and territories “have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.”
“The broker typically gets the first phone call, whether it’s a fire or a data breach,” said John Farley, New York-based vice president and cyber risk practice leader at Hub International Ltd. “We get the call at the broker’s level, and we have to help our clients make decisions that day. My role is to make sure a bad day does not become a catastrophic day.”
Coordinating the response can sometimes be challenging, Mr. Farley said.
“You may have a spokesperson on your team and you may have general counsel on your team, and it gets interesting,” he said.
“A spokesperson will want to tell people what happened. They’re communicators by nature, whereas you have general counsel who are hard-wired not to say a word if they’re not legally obligated to do so.”
Katherine Keefe, Philadelphia-based global focus group leader for breach response services with Beazley P.L.C., said the company’s cyber liability product, Beazley Breach Response, exists because “many organizations have never been through a data breach before, or maybe they have but they haven’t realized it.”
The Beazley team has “managed over 7,000 incidents, and every single one of them is different,” she said. “While we can’t say we’ve seen it all, we’ve seen a lot.”
In an email, Ms. Keefe said: “On a daily basis, we receive notifications of incidents involving ‘unintended disclosures.’ These include emails containing personally identifiable information or protected health information sent to the wrong recipient, mailings gone awry, or sensitive information accidentally left open to the internet after network maintenance. The second most frequent category of incidents is ‘hack or malware.’ Common hack or malware incidents include ransomware, as well as successful phishing attacks where bad actors gain user credentials or the recipient downloads malware from the phishing email.”
Ms. Keefe said the team organizes such things as mail houses, call centers, credit monitoring and crisis management so the company doesn’t “have to be running around in the heat of the moment looking for these services” and can also connect the company with a data breach law firm where the lawyers “eat, breathe and sleep data breach investigations.”
Zach Olsen, San Francisco-based president of Infinite Global Inc., said the communications firm helps companies plan for breaches.
“We’ll go in and do a crisis communications audit, essentially, where we’ll look at who the organization is, what they care about and who all their audiences are, both internal and external,” Mr. Olsen said. “And we’ll help them build a plan so that if something does go down, they know what to say, who to say it to and how to do it, so they’re not leaving people in the dark.”