CRITICAL COMPONENTS OF CYBER RISK MANAGEMENT
Organizations, regardless of size or industry, face cyber-security threats in some way. Whether it’s hackers, malware, or viruses designed to steal valuable data, it is imperative that every business have a basic cyber risk management program to address prevention, disclosure, crisis management, and insurance coverage in the event of a data breach.
Develop Strategies to Prevent a Data Breach
Your data breach prevention strategies may include encrypting all devices used by your employees, such as laptops, tablets and smartphones. Encrypting these devices will prevent unauthorized access if a device is lost or stolen. Unencrypted devices are often not covered by a cyber liability policy, so make sure you know whether you need to encrypt the devices or not.
Your strategies may also include educating employees about phishing and pharming scams. Remind them not to click on anything that looks suspicious or seems too good to be true.
Analyze your cyber risks from three different perspectives: technology, people, and processes. This risk assessment will give you a clear picture of potential holes in your security. Revisit and revise your plan regularly, because new risks arise often, sometimes even daily.
Know Your Disclosure Responsibilities
When your business experiences a data breach, notify law enforcement, other affected businesses, and affected individuals.
All states have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the type of industry you’re in, you’ll likely be subject to some set of compliance regulations designed to protect confidential information.
If an incident does occur, you need to have a response plan that’s in compliance and in alignment with whatever regulatory framework applies to your organization.
3. CRISIS MANAGEMENT
Have a Crisis Management and Response Plan
Preparedness is key when developing your cyber risk management program. When you experience a data breach, you need to be equipped to quickly and appropriately respond. This is where your crisis management and response plan comes into play.
Determine when and how the breach occurred, what information was obtained, and how many individuals were affected. Then assess the risks you face because of the data breach and how you will mitigate those risks.
Every employee should know exactly what to do in the event of a breach, and your response plan should be documented in detail so that any auditor can clearly see that you’ve taken all the necessary actions with regard to incident response.
While managing a crisis, let your clients know what actions are being taken, and what steps they can take, given the type of information exposed, and provide relevant contact information. For example, people whose Social Security numbers have been stolen should contact the credit bureaus to ask that fraud alerts or credit freezes be placed on their credit reports. Encourage people who discover their information has been misused to report it to the FTC, using IdentityTheft.gov. IdentityTheft.gov will create an individualized recovery plan, based on the type of information exposed.
Protect Your Data—and Your Business
Your cyber risk management program should include cyber liability insurance coverage that fits the needs of your business.
Cyber liability insurance is specifically designed to address the risks that come with using modern technology—risks that other types of business liability coverage simply won’t cover. The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure.
“Sound cyber risk management requires the planning and execution of these basic components,” said Lisa Lee, Commercial Risk Specialist for Avery Insurance. “We work with companies to tailor cyber liability insurance policies to fit their unique situations to defend businesses after a data breach.”
Contact Avery Insurance to learn more about cyber liability insurance and how you can protect your business from a data breach.