January 2015 Issue
Cyber security is becoming a more pertinent issue in this electronic age, as companies wake up to the increasing threat of cyber attack. No longer considered an IT issue, but rather one of strategic risk, cyber security is now a core component of governance. Robust cyber security frameworks and cyber insurance policies now help many organisations to safeguard their corporate interests. Despite this, many organisations remain behind the curve. Failure to recognise cyber threats and to respond accordingly can have devastating consequences – for employees, customers and third parties – and may ultimately threaten a company’s very existence.
FW: In today’s business world, how vulnerable are companies to attacks such as data theft and hacking, data security breaches, computer network interruptions, privacy violations, and so on?
Clarke: Companies are increasingly at risk of cyber attacks and need to ensure that their business continuity plans address this burgeoning issue. Many companies have clear procedures in place for handling the loss of use of physical assets such as buildings, but they overlook one of the company’s most valuable assets – its data. If companies have not turned their mind to how they would continue business in the event of a cyber attack, then they need to urgently review their plans.
Merchant: Companies, and their employees, are more interconnected than they have been in the past. This gives attackers an almost innumerable amount of vulnerable access points to exploit. Public facing websites, WiFi, employee email, vendors’ systems and social media sites are just a few access points which can lead to a security breach.
Soderstrom: All companies are vulnerable if they connect one computer to another to produce something of value. How vulnerable a company is depends on many individual factors, starting at the top of an organisation rather than at the bottom, as often perceived. Three critical categories help define ‘how vulnerable’: cyber security decision making and discipline, company and customer information sensitivity, and the attacker’s profile. First, who owns cyber security? The decision makers with the money own cyber security. The board must demonstrate risk ownership and budget accordingly. Second, how valuable are your corporate and customer secrets? Companies need to know, really identify, what is at risk in order to control it. Third, what industry are you in and who is attacking you or your peers? Understanding the adversaries targeting you is key to a strong cyber security defence.
Plesco: Unfortunately, companies remain vulnerable to attacks, hacking and external and internal network security breaches. As of Q3 2014, over 183 million records have been breached from financial services companies alone, according to SafeNet. The overall cost for this type of breach is roughly $37.7bn. This figure is based on the latest research from the Ponemon Institute 2014 Data Breach Report, which estimates the average cost per record in the financial services industry is around $206. Furthermore, companies are increasingly unaware that they have been breached; the average time it takes a company to determine they have been breached is 229 days, according to the 2014 Verizon Data Breach report.
Lo Cicero: Companies will become increasingly vulnerable to these types of incidents, although to what extent they are at risk is mostly a function of how narrow their attack surface is. The cyber attack surface historically has been defined as relating to an organisation’s outward facing web based services and systems as possible attack conduits. However, because those areas have been receiving significant attention and security hardening of late, coming in the ‘front door’ is now more of a challenge for attackers. Today, that attack surface must encompass an organisation’s employees, consultants, third parties and supply chain. Failure to recognise and address this extended attack surface will leave companies even more vulnerable. Financial gain and espionage have been the primary motives behind security breaches, with cyber terrorism closing in, retail and financial services companies with a great deal of customer financial and private information, as well as critical infrastructure organisations, will continue to be targets of choice.
Shepherd: Companies of all sizes are vulnerable to cyber attacks. The recent series of data security breaches that struck, for instance, have left tens of millions of customer data exposed. 2013 was ‘the year of the mega breach’. According to Symantec’s Internet Security Threat Report of 2014, eight breaches in 2013 each exposed more than 10 million identities. Combating the malware behind some of these large breaches remains a constant struggle for companies of all sizes. That those companies reported to have strong security measures still fell victim to attacks further illustrates the increasing vulnerability companies have to attacks causing data theft, hacking, data breaches, computer network interruptions, privacy violations and other consequences of cyber risk.
“Cyber attacks have the potential for significant financial and reputational damage. It has been estimated that the average total cost for a US company experiencing a data breach is greater than $5m.”
FW: Have any major legal and regulatory issues in this space emerged over the last 12-18 months? How are these developments affecting the ways companies manage data and address cyber security?
Soderstrom: In the US today, the cyber security legal and regulatory landscape is fragmented and includes both federal and State structures. Most US States have breach notification laws on the books, requiring notification when there is a reasonable assumption of harm to an individual’s identity. Theft of encrypted data is sometimes exempt in notification laws, so encryption is a focus in data protection schemas. From a federal perspective, in 2014 the National Institute of Standards and Technology (NIST) published the ‘Framework for Improving Critical Infrastructure Cybersecurity’ in response to a 2013 Executive Order on the same theme. The ‘Cybersecurity Framework’, as it’s called, is a good start. It provides a risk-based approach to enhancing a firm’s cyber security program, focusing on critical functions and the maturity of practice indicators. Companies are using it voluntarily as a guideline to improve their cyber security programs, but more importantly, to establish generally accepted baseline practices.
Shepherd: The US does not have a single national law which regulates the collection and use of personal data but rather a patchwork of federal and state laws. Kentucky finally enacted a breach notification law that became effective on 14 July 2014, making Alabama, New Mexico and South Dakota the only states without breach notification laws. Kentucky’s law differs from other state breach notification laws as it specifically addresses the protraction for student data that is stored in cloud systems. Florida has amended its breach notification law which became effective 1 July 2014. The amendment significantly expands the definitions of what constitutes personal information and a data breach, and includes shortened deadlines for providing notice to affected Florida residents. Equally, the amended law created new document disclosure requirements. Iowa is another state to amend its breach notification law in 2014 to include paper documents.
Plesco: Driven by reactions to a number of very high profile retail and financial services industry breaches, the industry currently finds itself at a pivot point. In the current market, companies are being required to navigate the liability and risk landscape in a number of ways. Clearly there are political, regulatory and enforcement issues facing companies operating in the current marketplace. One only has to search the recent news to witness the increased level of scrutiny that state legislatures, Congress and similar international legislative bodies are placing on cyber security. Further, a number of US and international enforcement counterparts, such as the State Attorney Generals, the Department of Justice and others, are actively investigating consumer protection issues. The US and a number of the country’s international regulatory enforcement counterparts, such as the Federal Trade Commission and the Securities and Exchange Commission, are looking to active policy and regulatory developments to ensure cyber security.
Lo Cicero: In the past year or so there has been an increase in legal and regulatory developments around the world, with many countries updating, issuing or considering laws and directives relating to both the protection of critical infrastructure, particularly energy and utilities industry focused, and the privacy of personal information. Companies are now either expanding the authority and responsibilities of their information security and privacy governance and compliance teams, or setting them up if none previously existed. The remit of these teams is now becoming cross-functional across entire organisations. This is usually in close cooperation or integrated with the legal, enterprise risk management and internal audit departments. Although the organisational governance and compliance structures have been transforming in response to these developments, the technical or operational IT security responsibilities continue to remain, rightfully so, within IT departments.
Merchant: Although no major regulations have been implemented over the past 12-18 months, NIST did release its long anticipated Cyber Security Framework in 2014. The framework was put together in response to Executive Order 13636: Improving Critical Infrastructure Cybersecurity, calling for the development of a voluntary, risk-based Cybersecurity Framework. Reactions have been mixed regarding the Framework. Many sophisticated organisations are already implementing most, if not all, of the Framework’s guidance. Many middle market and small market companies may not even know it exists yet.
Clarke: Privacy legislation continues to develop across the Asia-Pacific region. Many countries are enacting similar legislation with one of the main differences being whether or not that country has adopted mandatory notification. It is important that all businesses understand that simply housing data offshore, such as in an overseas based ‘cloud’, is likely to expose them to the data privacy laws that exist in that country, as well as in the country in which they operate.
FW: To what extent do you see boards undertaking key oversight activities related to cyber risks, such as reviewing IT budgets, assessing security programs and implementing top-level policies? Are board members sufficiently aware of their role in improving cyber security?
Plesco: Cyber security and threats are now a ‘top of house’ issue for all corporations. As such, boards, through audit committees, risk committees or hybrids, are considering and implementing new risk governance structures designed to mitigate the unique risks the cyber threats propose. This approach takes varying forms from audit attestation to threat based risk governance models. There is no one standard.
Lo Cicero: Last year’s cyber attack and financial and personal data breach at Target saw both the CEO and CIO resign and a proxy adviser urge Target’s shareholders to overhaul its board and vote against seven out of 10 directors “for failure to provide sufficient risk oversight” as members of the audit and corporate responsibility committees. The latest edition of the National Association of Corporate Directors (NACD) Handbook now contains a section titled ‘Cyber-Risk Oversight’ which outlines five principles that all corporate boards should consider to increase their oversight of cyber risks. The information and tools are there for an informed and diligent board to understand their roles and responsibilities. Though it may not be appropriate for them to personally assess programs or review detailed budgets, they should and many do, with the support of their chief information security and privacy officer, determine a sufficient level of oversight for their organisation.
Clarke: The level of understanding cyber risks at the board level is definitely improving, and has certainly been helped by high profile attacks and subsequent litigation in cases affecting major retailers, as well as financial and entertainment institutions. Such examples continue to highlight the nexus that exists between appropriate management of cyber risks and other exposures that the company may have, such as directors’ and officers’ liability and employment practices liability.
Merchant: Many boards already have some form of oversight when it comes to cyber exposure, generally in the audit committee. However, some boards have taken it a step further and have formed committees specifically tasked with enterprise IT security and emerging exposures. This type of committee can have a great impact on providing a top-down approach to cyber security. It can also help to effect a cultural change with top level policies aimed at embedding ‘privacy by design’ as opposed to ‘compliance by design’ which takes a checklist approach to cyber security.
Shepherd: As with the oversight of all major corporate risks, boards must be informed of their companies’ cyber security risk and proactively and consistently seek ways to minimise that risk. Although recent surveys show that cyber security is a top concern for boards, directors may not have the expertise to address all the relevant issues surrounding cyber risk. While directors and officers are not expected to be cyber security experts, they should be able to rely on key individuals within the company, as well as outside experts, to assist in assessing security programs and implementing policies and procedures to help mitigate cyber risk. Ultimately a board should have a high-level understanding of the cyber risks facing the company. Clearly those risks will differ depending upon the company and the industry it operates in. The board also should review and update accordingly the policies, procedures and controls in place to identify, manage and mitigate its exposure to cyber risk.
Soderstrom: Boards are increasingly engaged in cyber security because it directly impacts their fiduciary duty and shareholder value. Because cyber security and corporate resilience start at the top, with governance and budget decisions, boards already have, and always have had, a key role in cyber security, whether all boards understand this or not. More sophisticated boards are proactive in articulating cyber risk as integral to other forms of corporate risk that must be monitored and controlled at the board level. Accordingly, some boards are hiring cyber security experts as part of the team, and they are demanding cyber security risk management and remediation reviews on an ongoing basis. Also, I think boards now know what cyber professionals have known for a long time – regulatory compliance does not equate to security. At best, it minimises regulatory fines associated with a breach, and regulatory fines are a negligible part of the total real financial losses associated with most breaches we see today.
“The most important piece of advice is to ensure that your organisation’s enterprise risk management related functions are aligned and integrated with the information security and privacy function.”
FW: Cyber attacks can directly affect the brand or reputation of a company, often resulting in significant financial repercussions. In your opinion, do boards pay enough attention to the potential reputational damage that can be inflicted in the event of a cyber breach?
Shepherd: Cyber attacks have the potential for significant financial and reputational damage. It has been estimated that the average total cost for a US company experiencing a data breach is greater than $5m. In addition to these direct costs, collateral damage to a company resulting from a data breach can include loss of customer confidence, reputational harm, impact on stock prices, and potential regulatory actions, as well as litigation. For instance, following a breach experienced in December of 2013, a certain company incurred $236m in total breach expenses. Over 140 lawsuits were filed against the company as a result of the breach; these suits were filed by consumers, banks, credit unions and shareholders. The CEO and CIO were replaced and a new executive position of chief information security officer was established.
Merchant: I think boards have been cognisant of reputational damage well before the risk of cyber attacks became prevalent. Some boards may have been slow to recognise the link between cyber and reputational damage, but I feel they are in the minority at this point in time.
Soderstrom: Reputation is absolutely affected by how aggressively a company responds to a breach, both internally and publicly. It is more damaging to have the press tell your story over time than for you to lead the messaging throughout. However, true financial costs caused by a breach can be hard to quantify. We have learned from the retail industry that buyers who leave because of a breach are often buyers who return some time later. So what was the actual financial loss in terms of brand damage? Speed, sincerity, cooperation with regulators, and making it right quickly, and publicly, are key to mitigating brand damage. Getting it right behind the scenes and learning from a breach are even more important. What is worse than a big public breach? A second big public breach. Smaller enterprises have it much tougher. They can be breached out of existence.
Lo Cicero: Although perhaps they haven’t in the past, some of the more high profile cyber attacks that have caused stock value of affected companies to drop, have considerably raised corporate board awareness of the potential impact of attacks of late. In the wake of an attack, larger organisations will, most likely, be able to recover relatively quickly, provided that excessive liability is avoided and negligence is not a factor. Though brand and reputational damage after a cyber attack is quite concerning, what hasn’t been too common but has occurred on at least on one occasion is that the cyber attack took away a company’s ability to not only to do business and to function, but also removed the company’s ability to recover. Accordingly, the company was unable to sustain itself and forced to shutter its doors abruptly. This was an unusual and extreme situation by current standards, when it comes to cyber crime, the possibilities are boundless and companies should ensure that they pay attention to the risks.
Clarke: Boards do need to spend more time developing an understanding of the impact a cyber attack could have on their business – however, potential reputational issues arising from an attack should not be viewed or managed in isolation. It really needs to form part of the company’s overall business continuity plan, which should address cyber risks and be tested and reviewed at least annually.
Plesco: Boards do not pay enough attention to reputational damage – but they are starting too. With several high profile breaches resulting in the dismissal of board members and C-level personnel, boards are taking notice. Brand impact, be it via damage to shareholder value, or via customer impact, is increasingly becoming an issue.
FW: What advice can you offer to boards on protecting their data, including risk management solutions covering cyber security? What key questions should they be asking when reviewing and reinforcing their systems and controls?
Merchant: One of the best practices I have seen implemented by companies is to recognise that a breach will happen, and to plan accordingly for it. This means having a documented and tested action plan that includes table top exercises on an annual basis. Companies with these tested plans in place often handle breaches much more smoothly than those which do not.
Lo Cicero: The most important piece of advice is to ensure that your organisation’s enterprise risk management related functions are aligned and integrated with the information security and privacy function. Set the tone and expectation from the top with the purpose of alleviating any potential boundary or responsibility overlap issues. Organisation should be asking themselves a number of questions. Firstly, is the firm’s information security and data privacy management capability organisationally positioned at the appropriate level to effectively implement policies and enable a culture change? Which governance, as well as maturity model, frameworks are being used within the organisation’s information security and data privacy areas of practice? Are they based on industry standards, and if so, which? Furthermore, is the organisation continuously monitoring and regularly reporting on governance compliance, maturity level, progress of information security and data privacy projects and activities, as well as the status of incidents, risks and issues within the organisation? Where are they reported, who sees them, and are they used for active oversight? Do these reports and trending analysis show improvement or deterioration month to month or year to year? Is the trending satisfactory? Are independent third party assessments and audits being performed? Do they include a detailed technical IT security audit including comprehensive penetration testing? Who is keeping track of information security, data privacy, data breach notification and critical infrastructure protection laws in each jurisdiction in which the company operates? Finally, what is being done with that information?
Plesco: Boards must be able to demonstrate due diligence, ownership and effective management of risk of cyber security. In doing so they must first understand what cyber is, and means, from a risk perspective. They must ensure that proper data identification and prioritisation is regularly carried out. Boards must also make sure that they enable the ownership and governance of data at a programmatic management level. This must also include third party vendor risk management.
Clarke: We strongly support the view that there is no silver bullet when it comes to cyber security. Companies should look to create a culture of awareness and develop layers of security, rather than relying on a single product or vendor. In addition to this there are several simple steps that will help to improve a company’s security posture. Anti-virus and firewalls ensure software is implemented and up to date. Encryption ensures that, wherever possible, data is encrypted. Patch management involves having a plan to implement patches and roll-back faulty patches in a timely manner. Business continuity plans should address cyber risks and be tested and updated at least annually. Finally, education applies to all levels of the business – as defensive measures count for little if your employees are not aware of the dangers and impacts of cyber attacks.
Soderstrom: The key question that should be addressed is: Is this board committed to cyber resilience? Boards need to demonstrate awareness and ownership of cyber risk, along with CEOs and executive leadership. There are a number of other key questions boards need to ask, such as: What is our cyber security strategy and how does it align to our business strategy? How do those strategies fit into our overall enterprise risk management program? The hardest part for companies can be clearly identifying the most valuable information, be it IP, trade secrets, financials, strategic plans, M&A activities, or even customer and employee private data. How and by whom do those ‘valuables’ get created, manipulated, consumed and stored? They need to think of the full lifecycle, and time value, of sensitive data. Only then can you address the System with a capital S: governance, budget, policies, people, practices and technology. This is why I say cyber security starts at the top, and not the bottom.
Shepherd: The NIST has issued a set of voluntary standards and best practices known as the Cyber Security Framework, which has been designed to help reduce cyber security risks. Boards can use the framework to create, assess and improve their management of cyber security risk. There are a number of key questions boards should ask when evaluating their cyber security provisions, including: Is there a company-wide approach to the awareness of cyber security? Are we requiring all employees to review and acknowledge our cyber security procedures annually? Is the cyber security budget adequate? How does the company utilise third party vendors? Are we verifying that third party vendor controls and procedures align with our own? What is our incident response plan? Of course, companies should also consider purchasing cyber risk insurance and evaluating annually if the current limit is adequate.
“It is imperative that companies adopt processes for continuous employee education and training. In addition, they should ensure that they adopt and enforce security policies based on role based access rights to data and effective monitoring programs.”
FW: Employees are a company’s biggest asset – and one of its greatest vulnerabilities. What processes should companies adopt to reduce the threat of staff members compromising the company’s cyber security, either intentionally or unintentionally?
Lo Cicero: Awareness and monitoring are the two most important activities companies should undertake in order to reduce insider threat levels. These should be coupled with processes related to the principles of separation of duties and least privilege. Of course, monitoring activities have to be balanced against privacy concerns and regulatory restrictions to ensure legal boundaries are not crossed. Information security and privacy policies, especially those regarding acceptable usage, need to have the widest internal dissemination possible and be incorporated into an organisation’s mandatory annual awareness training program. Awareness training needs to ensure sufficient coverage of the three primary threat vectors that employees interact with daily – emails and their attachments, internet browsing and USB device usage. The risks these areas present to companies cannot be overstated to employees, particularly in addition to the increasing threat of social engineering attacks, which are becoming prevalent in a number of industry sectors, most notably the critical infrastructure sector.
Soderstrom: Implement the concept of ‘least privilege’ for employee digital rights, especially for employees with sensitive access and administrative rights. Identify them, separate duties and restrict access to certain data, devices, regions or timetables. Establish behavioural norms or user ‘footprints’ and react against anomalies from either personal or cadre behaviour. No well-intentioned employee wants to accidentally cause a breach. That’s a life-altering event. Implement the best identity and access management program you can afford, for everyone’s sake. A less common way to address accidental disclosure is to drastically reduce the amount of sensitive customer data required at the transactional level. Companies regularly ask for detailed sensitive information, or are capturing that information about us as a by-product of providing a product or service. How many people see and touch this information? How is it protected and how is it passed around? Take the least amount you need, especially in transactional systems, so there is less sensitive data awash in daily operational systems.
Clarke: A comprehensive education program is the key to ensuring that employees remain the greatest asset in defending the company from cyber attack. If they are educated in the type of attacks that occur, how those attacks are perpetrated and the impact they can have, they become vigilant gatekeepers of the company’s information. It is important that these programs are ongoing to ensure new employees are included and that they keep pace with new tactics being used by hackers.
Shepherd: First and foremost, a company needs to conduct training for its employees to help them understand the policies and procedures implemented in order to minimise compromising the company’s cyber security. The best security technology in the world can’t help a company unless its employees understand their responsibilities in safeguarding sensitive data and protecting company resources. Companies should regularly conduct data inventory assessments to be aware of where their data resides and who has access to it. Those companies should have policies and procedures in place to address proper use of the internet, destruction of data no longer needed, and cyber security issues surrounding the download of information on portable computing drives and BYOD. Obviously, all access an employee has to the company and any of its data should be terminated immediately following the employee’s departure, whether their departure is voluntary or not.
Plesco: Awareness training and monitoring is paramount. This fact is acknowledged in a recent Cisco study which noted that “43 percent of IT professionals said they are not educating employees well enough”. A further 19 percent said “they have not communicated the security policy to employees well enough”. It is imperative that companies adopt processes for continuous employee education and training. In addition, they should ensure that they adopt and enforce security policies based on role based access rights to data and effective monitoring programs.
Merchant: Companies need to train, train and train. Having a formal network security and data privacy training regimen is an extremely important factor when it comes to mitigating risk posed by employees. This training also goes for senior level executives, who are often the targets of Advanced Persistent Threats (APTs). Criminals employing some form of social engineering often target senior executives due to the high level of network access. If these executives are not properly trained to recognise social engineering techniques, they can potentially put their organisations at greater risk than lower level employees.
FW: No matter what precautions are taken, no company is immune to cyber risk. How should firms respond immediately after falling victim to cyber crime, to demonstrate that they have done the right thing in the event of a cyber breach or data loss?
Clarke: The organisation should immediately implement its business continuity plan. If it has purchased cyber liability insurance, this would form part of that plan and any leading policies will provide an incident response team. This team is made up of professionals who provide legal, public relations and IT forensics assistance, and will manage the incident in conjunction with the business to ensure that it returns to full operational capacity as quickly as possible.
Plesco: When a cyber security breach takes place companies must, first and foremost, identify and acknowledge that an incident has actually occurred. Companies must have effective monitoring tools and preset incident response plans in place to assist with both protection and detection of incidents. Once they have been breached, firms must act immediately and document their actions in a number of areas. Companies that have been compromised must quickly investigate and contain the breach while preserving all electronic evidence. Ascertaining what data was lost, destroyed or stolen is paramount as it enables companies to determine their risk exposure and potential liability. The complexities of incident response and investigation may involve multiple corporate verticals and business units including those of the CIO, CTO, CISO, general counsel – and potentially outside counsel, marketing, audit and others. Table top or similar exercises should be carried out in order to help companies practice incident responses. These exercises should be at both executive and management levels. Unfortunately, the worst time to figure out how a company should respond is during an actual incident.
Soderstrom: The immediate response should be executing the cyber breach response plan. You cannot make up the plan on the fly in the middle of a crisis. Our research shows that over half of CEOs have had no training in breach response, and less than half of CXOs and boards believe they are accountable for the breach response process. Lines of communication, roles and identification of decision makers must be known before a breach occurs. Who is authorised to make which decisions right now? Fast response and containment are key. Damages can be mitigated if action is taken quickly in response to a breach, and executives need to know what their specific roles and responsibilities are during a breach, what Systems are in place – people, processes and technology – for breach intelligence gathering and rapid response, how internal and external communications will occur, and what follow up actions and notifications are required post-breach. My advice is that companies run cyber breach response exercises to stress test their plans.
Merchant: Hopefully, a company will have a documented and tested Incident Response Plan (IRP). The plan will often call for a triage meeting with senior executives, IT security and legal counsel to determine what has occurred. If it has been determined that a breach has in fact occurred, many plans call for the engagement of outside expertise, including ‘breach coaches’, computer forensics partners, public relations firms and a host of other vendors to immediately begin remediation.
Shepherd: In the event of a cyber breach or data loss, a company should have a customer-centric incident response plan. This plan should be developed cooperatively with key departments within the organisation. The plan should address the use of service providers for immediate breach response such as legal, forensic, notification and public relations activities. An incident response plan should include a timeline and work flow order with the capability of activation 24 hours a day, seven days a week, including holidays. Communication is the key to maintaining customer confidence after a breach or data loss but the company needs to remember communication is not limited to customers. Employees, investors and regulators will also need to receive appropriate responses describing the breach, discussing what type of data was impacted and the steps being taken by the organisation to mitigate similar events from occurring in the future. The company should also communicate a plan in place to all concerned parties detailing how it is remediating potential identity theft of the impacted individuals.
Lo Cicero: Companies need to ensure that they have well developed and tested incident notification, response and recovery plans and capabilities. These plans have to integrate holistically with an organisation’s IT disaster recovery plan, business continuity plan and emergency and crisis management plans. There also needs to be a comprehensive internal and external communications plan covering all of these areas. The absolute worst case is a company that responds to cyber-incidents in an ad hoc manner, as this type of response can only lead to mistakes being made which will aggravate the situation and make an organisation appear incapable of managing itself. Although having these plans in place, and tested regularly, is paramount, part of doing the right thing includes having a sustained and comprehensive program of assessments and audits of a company’s environment, which in turn should lead to continuous improvements. These are the foundations of demonstrating that appropriate due diligence has been applied.
“Our research shows that over half of CEOs have had no training in breach response, and less than half of CXOs and boards believe they are accountable for the breach response process.”
FW: In your opinion, what are the key risks to D&Os arising from data and security breaches? Could you outline any recent cyber liability cases of note?
Soderstrom: From a personal perspective, directors and corporate officers have their jobs on the line when a breach occurs. The CEO and chairman of Target had to ‘step down’. Further, a proxy advice firm recommended to stockholders that the majority of board members be removed because of the breach. Cyber breaches are becoming personal concerns, and D&Os may look for contractual protection, even from each other, if litigation occurs. Beyond educating themselves about the cyber security posture of the company, boards may need to restructure so that a member or committee is responsible for cyber risk management. Regulators and others take into account the ‘conduct’ of a board before, during and after a breach occurs. Findings can range from gross mismanagement, breach of the duty of care or oversight, securities fraud, notification improprieties, failure to comply with industry standards, and so on. It is imperative for D&Os that a cyber risk management program is in place, and that they are actively reviewing company performance against it.
Shepherd: Some of the key risks to D&Os arising from data and security breaches include termination of employment, regulatory investigations, reputational damage and class action lawsuits. Class action lawsuits are no longer limited to consumer class actions but also include shareholder suits. Between April 2008 and January 2010, Wyndham Worldwide Corporation suffered three data breaches that resulted in the theft of payment card information of over 600,000 customers. A derivative action was filed alleging that the entire board, president, CEO and general counsel of Wyndham breached their fiduciary duties of care to the company and wasted corporate assets by failing to implement a system to protect customer data. Target, Heartland and other companies have also been sued in shareholder derivative suits, in which shareholder plaintiffs are seeking damages associated with the loss of share value and waste of company assets arising from legal costs, liability and government investigations. If these suits are successful, the damages incurred will be significant.
Plesco: The key risk is that corporate boards have not exercised their legal obligations pursuant to the business judgement rule in governing the risk of a cyber incident. Boards must understand the risk and ensure that an overall governance approach is implemented.
Lo Cicero: Probably the one area that should be on the radar of company directors and officers would be that of personal liability. Company directors and officers have a fiduciary responsibility to ensure due diligence has been completed across various aspects of corporate management – cyber security and privacy are no exception. Several new information security and privacy laws in certain countries have provisions for personal liability in this space. In turn, this has had the effect of executive employment contracts more regularly including indemnity coverage of personal fiduciary liability on behalf of executives. This is not to mention the standard risks regarding corporate reputation, market share and income losses, coupled with potential corporate financial liabilities directly attributable to data and security breaches, all of which may have a negative impact on an organisation’s stock and its shareholders. One recent case involved corporate liabilities approaching $1bn for the costs of addressing and recovering from a single but large scale breach, without consideration of any other possible long term financial impact to that company.
Clarke: Directors and officers are charged with managing the company in the best interest of its shareholders, and so the effective management of the company’s assets – including data – should be a key concern for directors. Recent high profile breaches have been the catalyst for numerous actions against directors and officers and have raised the possibility of employment discrimination actions.
FW: How do most companies evaluate their cyber risk exposure and decide which measures to implement? How can they improve in this area?
Plesco: Companies will often hire advisory firms to carry out two functions. Firstly, to help them understand the cyber threat environment they operate in and, secondly, to implement an overall capability maturity model. To do this effectively, companies must undergo a cyber security risk assessment and maturity model review. Most companies carry out such reviews in a vacuum, failing to consider the actual threat environment they are currently in. In order to improve, they must couple these efforts with a near real-time monitoring of the tactics, techniques and procedures of the threat actors.
Lo Cicero: Most companies develop risk based cyber security and privacy improvement roadmaps based on assessments and audits which have used international and industry best practices as a basis. Exposures are identified and then prioritised by criticality to the organisation as a function of executing these assessments and audits. The improvement roadmaps, by addressing the highlighted exposures, would be developed in accordance with the organisation’s risk appetite and maturity goals. Many companies, for various reasons, don’t have the desire to perform comprehensive assessments and audits – instead they satisfy themselves with less impactful fractional ones resulting in roadmaps not accurately addressing total risk exposure across the entire organisation. If cyber security and privacy risk is a serious concern for a company, then its leadership needs to ensure that comprehensive assessments and audits are executed with appropriate prioritisation so as to lead towards the development of effective roadmaps or plans of action.
Shepherd: Many companies do not strategically evaluate their cyber risk exposure in order to align it with their overall business strategy. The evaluation should address security technology, employee and insider exposure to cyber risk as well as security practices of third party vendors. Many companies evaluate solely the costs of implementing new technology and procedures designed to improve cyber risk before deciding which measures to implement. However, a recent study by the Ponemon Institute indicates organisations save on average $1.7m overall on breach expenses by implementing good security practices. According to the study, “companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cyber crime costs lower than companies that have not implemented these practices”.
Soderstrom: Simply, it starts with identifying the most critical corporate assets. This work requires a specific understanding of how, where and by whom those assets are born, live, retire and die within the company’s ecosystem. If this meticulous work is not done, you are left trying to protect all things from all threats at once. Adversaries love this approach, because they can create noise elsewhere in the system to draw your attention away from their real target. Increasingly, two additional actions can be taken to reduce exposure – instituting cyber hunting teams and conducting security intelligence gathering. Cyber hunting teams, or ‘green teams’, don’t wait for the adversary to make himself known; they go out and actively look for indicators of compromise on the live network and deal with them accordingly. Security intelligence gathering is a rising discipline, gathering internal and external intelligence on known bad actors, industry campaigns and corporate targeting, so that you are ‘wise’ to what you are facing from the adversary.
“Directors and officers are charged with managing the company in the best interest of its shareholders, and so the effective management of the company’s assets – including data – should be a key concern for directors.”
FW: Organisations are now looking to insurers to mitigate the damage caused by cyber crime and data breaches. How are organisations doing this? In what ways do you see the appetite for insurance changing over the next 12-24 months?
Shepherd: Cyber risk insurance has been available in the market since the early 2000s. However, some of the earliest versions date back to 1998. Companies of all sizes are beginning to realise that there is no immunity to cyber crime or data breaches. All entities are vulnerable to cyber risk, and management teams are becoming more cognisant of the value of transferring some of these risks via insurance. Given some of the costs associated with recent publicised breaches, companies are starting to evaluate how much insurance they should purchase. Some organisations that already purchase cyber risk insurance are increasing limits on renewal and those entities that may have been hesitant to purchase the coverage in the past are now actively buying. As carriers start to pay more claims, you may see some restriction in the limits available, depending upon the industry segment. We are already seeing this in the retail industry.
Merchant: In many cases, cyber ‘insurance policies’ have evolved into cyber ‘insurance services’. Carriers work with dozens of loss prevention and loss mitigation partners who handle everything from notification of affected individuals, credit monitoring and call centre services, to computer forensics and highly specialised legal counsel. Carriers have become a sort of ‘hub’ from which an insured can access multiple services to help lower the likelihood of a breach or mitigate one. As organisations recognise the added value of these services, they will be more inclined to adopt the coverage.
Clarke: In the last 12 months, we have seen a very strong increase in demand for cyber liability insurance and we expect this to continue for at least the next five years. In many regions around the world, cyber liability is still a relatively new concept and companies are still getting to grips with how it can help protect their data. We have typically seen a 12-15 month purchasing process whereby, following initial discussions with a broker and an insured about the exposures they face, the majority of organisations are eager to purchase a policy. However, they generally need to wait until the following year to allow for the additional budget allocation. We would expect this process to shorten in the next 12-24 months as awareness of cyber issues continues to increase and the insurance industry can demonstrate more claims examples and instances of how policies have assisted throughout an attack.
Soderstrom: Transferring cyber risk, and thereby lowering the internal inherent risk curve, is extremely attractive. And cyber risk is opening up new channels for insurers; it represents a dramatic development in a long established market. There are two big challenges in this marketplace. The first is that we don’t yet have real actuarial tables that monetise cyber risk. Accordingly, premium-setting for cyber risk is still too hard. Second, insurers are looking to attain first-mover advantage, which may not really be an advantage. If you can’t codify the insured risk, meaning underwriting cases are based on poor assumptions or attestation of reasonable security controls, that creates systemic risks. The winners will be the insurers that look to cyber security experts to assess comprehensive risk, and map premium discounts to improved security measures over time. It creates the right incentives. There are great firms working to get this model in place, and companies seeking cyber insurance should start there.
Lo Cicero: Companies are beginning to look at cyber insurance options more often than previously. Though cyber insurance has been on offer for more than 10 years, the market is still relatively immature and policy premiums are expensive for limited coverage. In one recent breach, the affected organisation had a policy but the payout limit of over $20m was less than 9 percent of the total cost of the breach. It is difficult to quantify coverage requirements when the actuarial science is not as well developed as it is in other types of risk and insurance. Over time, more data will develop and ease this difficulty, but cyber insurance premiums will not significantly decrease over the next two years. Accordingly, cyber insurance will remain a luxury few can justify without well-defined statistical information, especially when most industry reports place the cost of a breach at an average of less than $1m.
Plesco: It has almost become a standard of care to have some level of cyber insurance. Accordingly, the appetite will only increase over the next two years.
“Carriers have become a sort of ‘hub’ from which an insured can access multiple services to help lower the likelihood of a breach or mitigate one. As organisations recognise the added value of these services, they will be more inclined to adopt the coverage.”
FW: Going forward, what are your predictions for cyber crime and data security over the next few years? How do you expect the inherent risks, and companies’ response to them, to evolve?
Merchant: Criminals are obviously a clever lot. As long as there’s the spectre of some monetary gain, be it intellectual property, personal health information or bank account information, criminals will always try to steal it. This is no different than any other form of crime. I feel data security will evolve more quickly over the next few years than in the past decade in an attempt to keep up with the criminals. This evolution will be on the technical front as well as the cultural front as companies try to impress upon their employees that network security and data privacy is their responsibility, not just IT’s.
Soderstrom: We need to make it much harder for the adversary to steal something usable. The good guys are doing two important things. Firstly, we are coming up with ways to make what’s stolen ‘un-fence-able’. With clear-headed assessment of assets, plus data encryption and other capabilities, we are trying to make the data we need to operate or protect unusable outside of certain controlled conditions. Secondly, we are slowly turning the tables on the bad actors, by becoming smart about their motivations, tools, techniques and preferences. We are studying them, hunting them down and establishing kill chains in order to better protect ourselves. With the efforts being taken at the corporate, industry, national and international levels, we will be able to establish cyber resilient operations, whereby we are governing and reducing the risk we carry, addressing the adversary head on, and creating operational structures that allow us to thrive, rather than fail, in the case of cyber attack.
Clarke: With cyber crime knowing no geographic boundaries, I expect it to continue to grow exponentially throughout the world in the years ahead. Equally, I expect to see the same exponential growth in the cyber liability market – in 10 years time I would expect that companies will purchase property, liability and cyber liability insurances as their core insurance purchases.
Lo Cicero: If your organisation has not been hit by ransom-ware, expect that it will. Holding your data hostage for money is the quickest way cyber criminals make money with very little effort on their part, or risk of being caught. For cyber criminals, no specialised code or focused targeting are required. By simply ensuring that their distribution is as wide as possible, the law of averages does the work. Companies will be forced to take a look at their trust and authentication mechanisms, network segregation and the pervasiveness of drive mappings to limit the impact of this inevitable breach. New legislation, much more comprehensive and demanding than any previous ones, focused on information security and data privacy as well as on critical infrastructure protection has already been implemented in various jurisdictions around the world and is pending in many others. The impetuses for these are many and justified. The resultant legal, financial or commercial sanctions for non-compliance will drive companies to shore up and integrate their risk management functions, increase their information security and privacy compliance competences, and further develop their operational and technical security control capabilities. The most ominous of predictions is the extent to which the physical manifestation of a cyber attack within the critical infrastructure space can reach. There have only been a few instances of cyber-initiated destruction of limited physical assets. It is not outside the realm of possibility, within the context of cyber related crime, terrorism and war, that in the future we may witness instances, intentional or otherwise, of catastrophic destruction of physical assets and loss of human life.
Shepherd: Recent attacks have shown cyber criminals are capable, resourceful and resilient. There is no reason to believe they will slow down over the next few years. Although we have not heard of many breaches in the cloud to date, I suspect that will change as a successful cloud breach can yield significantly more amounts of data than a targeted attack against a single company. Cyber criminals will continue to exploit the weakest links within the data exchange process, including vendors, consultants and rogue employees. The use of malware targeted to mobile devices will grow as the convenience and popularity of such devices continue to grow. Companies need to recognise there is more at risk with a breach of data security than personal data and identity theft. Corporate secrets and disruption of critical infrastructure are two of the most significant threats an organisation can face with a breach in data security. All members of an organisation should be focused on the protection of its valuable data assets.
Plesco: We expect to see an overall increase in cyber attacks and threats in the next few years. They will increase in sophistication and move from disruptive to destructive attacks. A few years ago, a pivot point occurred among the more cyber threat aware companies, most notably in the financial and energy sectors. The pivot point was the realisation that companies cannot be 100 percent secure and that it is no longer a question of when or if you have been hacked, but an assumption that you are hacked and whether you can you contain the incident. Put simply, companies are now operating from a posture of containment based security models. This concept and its evolution are feeding new tools, technologies and processes and procedures.
Matthew Clarke is the AIG APAC Professional Indemnity and Cyber Liability Manager. He has more than 15 years’ insurance experience in underwriting and broking roles with responsibilities across Australia, New Zealand, Asia and the UK. Mr Clarke has been a contributor to numerous articles and is a regular speaker on cyber liability issues around the Asia Pacific region. He holds a Bachelor of Business (Insurance) from Charles Sturt University. He can be contacted on +61 2 9240 1796 or by email: matthew.clarke@aig.com.
John Merchant is the head of Commercial E&O at Freedom Specialty Insurance Company, a Nationwide Company. He has been engaged in product development, marketing, sales and underwriting of Security and Data Privacy insurance products since 2007. Mr Merchant has experience with several other Professional Liability product lines including Technology E&O, Miscellaneous E&O and Lawyers Professional Liability. He also worked at AIG and Hartford in similar roles. He can be contacted on +1 (212) 329 7748 or by email: john.merchant@freedomspecialtyins.com.
Cheryl Soderstrom is the Americas Cybersecurity Chief Technologist for HP Enterprise Services. In this capacity she is focused on bringing the larger HP cybersecurity value proposition to industry leaders and key clients, leveraging HP’s deep insights gained from securing global operations in more than 170 countries, our Managed Security Services leadership, and our market-best security research teams studying and correlating the threat landscape and vulnerabilities in cyberspace. She can be contacted on +1 (703) 742 1312 or by email: cheryl.soderstrom@hp.com.
Ron Plesco is an internationally known information security and privacy attorney with 17 years’ experience in cyber investigations, information assurance, privacy, identity management, computer crime and emerging cyber threats and technology solutions. Mr Plesco is the National Lead of the KPMG Cyber Investigations, Intelligence and Analytics practice. He joined KPMG in 2012 after a distinguished career in the private and public sectors and is a frequent speaker nationally. He can be contacted on +1 (412) 953 0777 or by email: rplesco@kpmg.com.
Claudio Lo Cicero is the Head of Global Information Security for Denmark-based Maersk Oil. He holds a Master of Science with an Information Security Specialisation as well as several professional certifications including the CISSP, CRISC, CISM, CIPM, and PMP. Mr Lo Cicero is also a member of several industry organisations such as the IAPP, ISACA, ISSA, ISC2, and PMI. He can be contacted on +45 3363 4000 or by email: claudio.locicero@gmail.com.
Betty Shepherd, an established Cyber, Security & Privacy expert, serves as vice president for RT ProExec, the Professional Liability division of R-T Specialty, LLC, in the Hartford, CT office. Ms Shepherd has over two decades of underwriting experience. In 2012, she launched the Cyber Security blog ‘CyberBytes’, to honour her commitment to keeping the insurance industry informed about the ever-changing world of cyber risk insurance. She can be contacted on +1 (860) 656 1362 or by email: betty.shepherd@rtspecialty.com.
© Financier Worldwide
THE PANELLISTS
AIG Australia
Freedom Specialty Insurance
Hewlett-Packard
KPMG
Maersk Oil
R-T Specialty, LLC