What Steps Can the C-Suite Take To Mitigate Data Breaches in 2015?
Written by Mary Beth Borgwing and Evelyn de Souza
The year 2014 saw more frequent data breaches than ever before, and events so far in 2015 point to a worsening of that trend. That’s also the conclusion drawn from global information Services Company Experian’s 2015 Second Annual Data Breach Industry Forecast that gives predictions on how data breach trends will develop this year.
Increasingly, today’s executives are realizing that if they have not already suffered a data breach, it’s only a question of when. Savvy executives have begun investing in risk mitigation programs that often include cyber insurance as a way to be prepared for, and quickly respond to and recover from, the effects of a data breach. However, many executives are struggling to understand what risk factors they need to be aware of when building their programs and how to navigate a largely unprepared cyber insurance market.
As company executives find themselves having to take on greater accountability and ownership for data breaches, the role of the governance board becomes pivotal. It can be a great conduit for connecting executives with security-related operational realities and, furthermore, can help with correlating security operational risk against business, financial, and other strategic risk factors.
Even in a climate where the number and severity of data breaches are increasing, many executives remain complacent and may need to beef up investments in education and awareness programs. There are behavioral traits to look for in employees that may emerge over time; for example, increasing hostility in the case of an employee looking to retaliate against his or her employer.
And then there are Human Resources factors to consider, such as third parties and suppliers who may require more thorough vetting, depending on what access rights to information they have. Additionally, data breaches may often be the starting point or, conversely, the culmination point of a series of malicious activities. And in today’s increasingly agile workplaces, many data breaches are also the result of end-user accidental activity versus nefarious intent.
Security toolsets have evolved greatly, and Big Data, which has moved far beyond buzzword status and into reality, can play a pivotal role in pinpointing risk. Used in conjunction with monitoring tools, data infiltration or exfiltration attempts or anomalies in data transfers and other activity patterns over time can be better detected. As well, it can be used to correlate threat vectors against user activity and other contextual attributes.
As executives face up to the likely impact a data breach could have on their organizations, investments in cyber insurance are becoming an integral component of a risk management strategy. According to a recent Fortune interview with Lloyd’s CEO, Inga Beale, cyber attacks cost companies $400 billion a year[1]. Beale also notes the steep increase on insurance policies, with the insurance industry taking in $2.5 billion in premiums last year to protect companies from losses resulting from hacks. This was up by about $2 billion from the year before.
Insurance companies are paying more attention to the costs of data breaches and brokers are becoming selective about the risks they underwrite. They are increasingly requiring evidence of end user education programs and effective security controls implementation as prerequisites for insurance coverage.
Even then, cyber insurance does not provide blanket coverage for all cyber risks and organizations need to review their other policies, such as Directors and Officers Insurance, for litigation arising out of cyber breaches that now directly blame the management of the entity and its officers. This is a key lesson from the retail sector, which was hit hard with breaches in 2014, and is facing inadequate cyber insurance coverage in 2015.
Overall, though, the limits insurance carriers are willing to write for cyber insurance have increased tenfold; in 2010, $40 million was the median coverage, whereas today, financial services and other firms are looking to secure over $400 million in cyber insurance coverage.
The year 2015 will hopefully be remembered as the year of the shift in data breach accountability. According to a recent KPMG report, 89 percent of those surveyed see the responsibility for cyber threats sitting with board, and the executive and audit committees[2]. And, as cyber security becomes a boardroom-level discussion, those executives with strong action plans will be best poised to protect their companies from the typically catastrophic losses stemming from data breaches. Such an action plan should include:
- Setting up a governance board with multiple stakeholders representing security, risk management, human resources, financial and business departments
- End user and security program training for increased prevention, detection, and mitigation of data breach human-related factors
- Increased investment in security programs and newer technologies to detect data anomalies
- Investment in cyber insurance as a key component of a risk management program
[1] http://fortune.com/tag/cybersecurity/
[2] https://www.kpmg.com/uk/en/topics/cyber-security/Pages/ftse350-cyber-governance-health-check.aspx[/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]
