By DAVE LENCKUS, who has covered the insurance industry for more than two decades
Cyberrisk experts advise that planning a detailed response is critical to handling the fallout from a security breach, while warning that organizations with even the best data security will be hacked.
"You can't find a large corporation that isn't so locked down that there isn't a hole in its (data security) fence somewhere," said Larry Collins, the New York-based head of E-Solutions for Zurich Services Corp., the risk management arm of Zurich Financial Services Group.
"They don't even know they have it," he said. Meanwhile, hackers will devote months if necessary to the search for such holes.
Kirstin Simonson, underwriting director with the Global Technology unit at The Travelers Cos. Inc. of St. Paul, Minn., agreed, pointing to dormant websites as one hole in many companies' data security. Indeed, many companies have multiple dormant websites that have been long forgotten but remain connected to their networks, she noted. Those sites provide hackers easy-access portals to the companies' systems and ultimately their customers' and clients' private information, as well as the organizations' own proprietary business information.
Like security-conscious home owners, companies should be making themselves "a less attractive target than others," said Nalneesh Gaur, a Dallas-based director with the Diamond Advisory Services unit of PricewaterhouseCoopers LLP.
But that's where "companies are falling apart," Gaur said.
Even if an organization succeeds in fending off hackers, there still is no guarantee its customers' data is safe if a vendor's system is vulnerable, as is evident by the recent security breach at Epsilon Data Management. The names and email addresses of thousands of customers of dozens of large retailers, financial institutions and utilities were stolen April 1 when hackers attacked Epsilon, which creates and manages corporate email marketing campaigns.
PLAN IN PLACE
So even organizations that have erected a relatively formidable data-security fence need to have a detailed response plan in place and be ready to engage after a security breach, cyberrisk experts maintain.
Without a plan, enterprises won't know what to do in a timely fashion after a breach, and that typically results in an inadequate "kneejerk" reaction, said Tracey Vispoli, the Warren, N.J.- based senior vice president and worldwide cybersecurity manager for the Chubb Group of Insurance Cos.
Vispoli noted that, among the 46 states and Washington, D.C., with data security response statutes, many are very specific about how and how soon a compromised company must respond. An organization will not have time after a breach to learn what is required of it, she said.
Complicating matters for a regional or national company, a data security breach would trigger several state statutes, because every statute is designed to protect consumers covered by that law regardless where the hacked organization is based. The requirements under those statutes vary considerably, Vispoli said. For example, some states require companies to notify customers about a security breach through the U.S. mail, while others permit notification by email. Some states mandate notifying the public through a newspaper advertisement.
Organizations without a planned response also most likely will face much higher response costs, Vispoli added. In developing a response plan in advance, an organization can negotiate lower fees for the services it will need after a breach, including legal advice, customer credit monitoring, data security forensics, and printing and emailing services for producing and distributing customer notifications. Those service providers will not be willing to negotiate lower fees when an organization in crisis approaches them, she warned.
Companies should consider their cyberrisk similarly to their fire risk, according to Brian McGinley, senior vice president of data risk management at cyberrisk consultant Identity Theft 911 of Providence, R.I.
"If there is a cyberincident, who is your fire department?" McGinley said. "Are they well equipped, well trained and knowledgeable of your facility and its contents? Can they make a 24/7 timely response to emergencies? Do you have a contract in place for these types of services?"
May 1, 2011
Copyright 2011© LRP Publications