Mitigating Cyber Liability without Breaking the Bank

2.jpg

Today, the grim reality is that even after taking preventive measures and heavily investing in cybersecurity, businesses can’t reduce their cyber risk to zero. As a result, risk management is all about reducing liability, cost of incident response, and demonstrating due diligence practices for reputational protection.

Start with Prevention

Prevention starts with a few simple measures which can lower the likelihood of experiencing a security breach. For example, businesses can bolster their posture by applying dual-factor authentication, implementing employee training, and limiting access to sensitive data.

Reducing the number of privileged accounts and requiring the use of unique local, complex administrator passwords can also help since many attackers look to gain access to those accounts to move undetected around the network.

And while these efforts, also known in the industry as cyber-hygiene, can go a long way, it’s important to expand the scope of cyber risk management by incorporating cybersecurity into standard business practices. Make sure to involve senior management in the review of protocols and provide them with full visibility into threats and risks!

The New Age of Liability Mitigation

Prevention alone will not reduce the costs of real and potential liability.  More often than not, companies need to think about how to effectively outsource or mitigate cyber liability. Typically, the first option is to outsource high risk or complex functions that aren’t a core service. Another option is buying cyber liability insurance. Cyber liability insurance has limitations as many incident response costs may not be directly covered by insurance and the deductible and forensic requirements of using the insurance poses implications for many businesses. Start by identifying your liability exposure by categorizing the threats to your business from a 360° degree perspective.

Most risks can be grouped into three broad areas:

  • External breaches for the purposes of theft, espionage, extortion or embarrassment
  • Unintentional (or intentional) data leakages by staff, contractors or vendors
  • Operational risk through third-parties e.g. inadequate testing during mergers and acquisitions or breach through a partner networks.

Engaging with external risk assessors not only demonstrates due diligence and prudent fiduciary responsibility, it establishes the objective enterprise risk baseline for management.  In preparation, you should review the following elements:

  • Comprehensive Security Controls and Procedures: Have you conducted data audits in the last six months to identify where sensitive data resides? Think about what data protection laws apply to your organization (e.g., HIPAA, DFARS) and what potential liabilities those create for the company.
  • Roles & Responsibilities: assign roles to a dedicated response team and prepare communication templates that can be customized and deployed; the team usually consists of people from the executive team, Legal, Marketing, and HR. The “response” team should be trained on exercise scenarios to ensure that rapid response and informed decisions are made on the fly.
  • Policies & Training—document all policies to address legal and compliance obligations, and establish ongoing training programs for anyone with access to company systems (e.g. former employees, contractors, vendors).

Customer transactions and business processes are increasingly digitalized and often conducted through a myriad of online transactions, introducing daily cyber risks. Forward-looking businesses should transform traditional IT-based security practices into business opportunities by marketing their cyber advantage and proactively limiting liability.

Contact us to get ahead of business risks and build a strong security posture.