My Educate-Innovate-Collaborate for Results program includes unique, proprietary and even disruptive insurance and risk management approaches that forward-thinking businesses are adopting. By stepping away from the status quo, organizations are benefiting from deploying a more cost-effective use of capital to not just protect assets but in certain situations generate more profit and shareholder value.
As part of this endeavor, I recently co-sponsored “Cyber Breakfast with an FBI Agent.” The purpose was to provide Small and Mid-sized Businesses (SMBs) with valuable insight into network vulnerabilities and best practices to mitigate risks from their quickly evolving cybersecurity exposure.
The Agent gave an unsettling picture of the what, why and how of hackers taking advantage of vulnerable networks to infiltrate an organization. His examples clearly illustrated the pathways to corrupt data, steal Intellectual Property and extort money, as well as the challenges of recovering from the aftermath of a cyber event. More and more, SMBs are becoming prime targets because of limited financial resources and technical expertise compared to larger companies. One sobering statistic shows that 60% of businesses are unable to recover from a significant cyber event and cease operating.
I was delighted the event attracted 126 attendees. As it was above our expectations, we had to move to a larger venue. This is gratifying, especially compared to what I encountered when I first realized Cybersecurity had the potential to become a significant risk for businesses and individuals alike.
That was in 2007. My introduction to Data Breach & Privacy Protection, which is what it was referred to then, was due to three concurrent situations involving a friend’s stolen identity and two businesses whose owners I knew, which had incurred significant losses of income due to breaches.
As a Trusted Advisor to my clients, I believed this potentially disastrous, emerging risk was important enough to warrant my own cyber education to better protect my clients. The considerable knowledge gained gave me the confidence to speak knowledgeably on the subject and allowed me to publish a white paper.
You know what? Nobody cared. My clients and other businesses weren’t all that interested in what I had to say or in the coverage offered. The response was, “Thank you, but it’s not a concern.” “We’ll keep this in mind.” I was ahead of my time. For those of you in business then, think back about your own perception of cyber as a business risk.
Since then, I have observed cyber risk evolve. It began as a malicious, disruptive tool used by hackers to interfere with a company’s ability to transact business and to steal personal identifiers and credit card information that would be sold on the Dark Web, the digital Black Market. Today’s hackers use more sophisticated, targeted methods like phishing, spoofing and ransomware to more quickly monetize their nefarious efforts for bigger payoffs.
The results of a hack can impact the balance sheet in many ways:
• Reputational harm
• Loss of data, Intellectual property, and stream of income
• Post breach forensics, notification and mitigation costs
• Third party liability
• Regulatory Fines & Penalties
On the low side, taken together, the out-of-pocket expense to a business for a cyberattack can cost approximately $350,000 – $500,000.
With this in mind, and the realization that a breach could be more a matter of when, not if, consider these 5 key points to help assess a more effective approach to protecting your enterprise.
1. Cybersecurity is no longer a technology (IT) problem residing in its own silo. It is a business problem with mission-critical systems at stake. As such, protecting your company’s reputation and its digital and financial assets is clearly a management-level responsibility. Management teams need to devise a strategy for governance, including having prevention processes and tools in place, with a strong recovery plan in the event of a breach.
2. The time-honored purpose of insurance is to make an individual or business whole after a loss. This is the security of asset protection that an insurance policy provides. In addition to a cyber policy, experience shows that a breach requires businesses to also be resilient. Resilience is the ability of an enterprise to limit the impact of security incidents. It’s a broader approach that encompasses cybersecurity and business continuity management, which aims to not only defend against cyber-attacks, but also ensure that the enterprise is able to survive following an attack. Because, if the only alternative is to eventually shut down, then it’s a bad risk.
3. Offense is the best defense. In the hacking world, time is money, and the ROI on that time determines where hackers deploy their energy. Protecting your network with layers of security and employee training may establish enough of a barrier to entry to cause the attacker to seek easier prey.
4. When it comes to cyber threats, and how they continue to evolve, businesses are faced with the known and massive unknown. As such, buyers of Cyber Insurance need broader and better solutions, not just more insurance products. (I know, this is a curious statement from an insurance guy.) As cyber perils loom, the focus must shift from a reactive position of obtaining cover from products to a proactive approach engaging risk management, incident prevention and response. To truly maximize the benefits of Cyber Insurance, success is about integrating technology and forging relationships with third-party providers.
5. Many businesses are under-prepared and/or under-insured for their growing cyber peril. Therefore, it’s imperative for businesses to have a quantifiable way to understand their own digital network security posture. This was the reason Orion rethought the traditional insurance approach and established Cyber Protection Reimagined. We formed an association with a Security Operations group. This organization developed an end-to-end solution that identifies a company’s network vulnerability, closes gaps, educates employees on how to avoid exposing their network to hackers, provides 24×7 monitoring and establishes a post-incident event plan. These best-in-class attributes reduce the chance of cyber disruption for an improved risk profile, resulting in better coverage and lower premiums.
Cyber Protection Reimagined is a holistic approach and powerful solution transforming the way our clients view their cyber exposure to better manage this risk.
An attacker doesn’t have to be good every time, they just need to be successful once! Offense wins and defense loses.
CIC Cyber Risk Strategist
Orion Risk Management An Alera Group Company