Risk managers: Do your organizations' policies require vendors and associates to meet the same network security and data protection standards that your own organization follows? They should, said Michael Dandini, senior vice president of The Hartford's management and professional liability underwriting unit. Because if there is a breach, consumers and the public may hold your organization responsible, even if a vendor actually caused the breach.
And beyond establishing policies, risk managers should include network security and data protection in their vendor due diligence process.
A data breach can cost an organization millions of dollars in notification expenses, public relations, legal fees, lost business (current and future) and possible lawsuits, even class action suits.
According to the 2010 Annual Study: U.S. Cost of a Data Breach by the Ponemon Institute, a Michigan-based research center that studies privacy, data protection and information security policy, security breaches cost $214 per compromised record and average $7.2 million per data breach event.
Dandini, whose cyber liability unit reviews thousands of applications for network security and data privacy liability protection each year, maintained that "most large entities do not have an incident response plan, not because they don't care but because they just don't know they need one until something happens."
But that needs to change, he said, both for the client organization and for vendors that handle data on its behalf.
Increasingly, underwriters are considering whether an organization's vendor selection practices include sufficient due diligence on whether its vendors and associates have safeguards in place to handle catastrophic losses of data.
"The level of awareness about the need for vendor due diligence with respect to network security is low," Dandini said. "Many institutions just have a box on their applications for compliance, and vendors simply check 'yes' to the question of whether they have security measures in place.
"Then, suddenly, a breach occurs and the organization finds that its vendors didn't have sufficient controls at all. If you don't dig in and ask specific questions, you can miss gaping security holes."
Insurers are taking a close look at a company's data protection practices when underwriting an account.
"We want to know that the institution and its vendors and associates, anyone handling sensitive information, are able to answer in-depth questions about their security systems," Dandini said.
Underwriters consider the types of data the institution collects; hospitals, for instance, handle high volumes of sensitive information, such as medical records, insurance card information and credit card numbers. They also look at the types of security controls the entity and its vendors have in place to prevent breaches, such as patch management and encryption.
Underwriters review the types of procedures and insurance coverage in place in the event of a breach. They also like to see that a vendor is willing to allow its client organizations to have a third party, such as a network security firm, audit its system to certify that its systems check out, and they look for response plans that include credit monitoring services.
INCREASE IN DATA BREACHES
The risk of data breaches has been rising as organizations are transitioning from paper to electronic records, Dandini said.
"Most institutions don't understand the risk and do not require sufficient due diligence as part of their vendor selection process. At most, they may ask vendors if they are secure, but they rarely if ever address specifics," Dandini said.
"Ideally, we'd prefer to have information about the vendor's own data security processes and policies, since all too often it's actually a vendor who loses the data, but it's difficult to get that information." Typically, he said, we ask risk managers, "Do your vendors follow industry standards and best practices for securing data? If the answer is yes, we can reasonably assume they have appropriate controls in place."
"Each institution should have a team specifically charged to conduct due diligence and handle breaches when they occur," Dandini said. "This team should include risk management, finance and IT, such as the CIO, CTO or chief security officer."
As the incidences of data breaches have increased, so has the existence of breach notification services. Once a small, cottage industry, breach notification has become a significant business in recent years.
"With these new breach notification services, a risk manager can make a single phone call and the service takes it from there, handling everything from notification to credit monitoring," he said. Even the best prepared company can suffer a data breach.
"Accidents happen," Dandini said. "You may put tons of safety precautions around a vehicle, but that doesn't mean it won't crash."
Often, data breaches result from human error, but an organization can also have a rogue employee who may have stolen information because he was angry about being demoted or fired.
Whatever the cause, however, data breaches can be catastrophic to an organization, particularly if it isn't prepared.
"A lot of losses are first-party costs right out of the organization's pocket," Dandini said. Forty-six states currently have breach-notification laws. Such notification costs a lot of money, and "it can cost more if you don't know how to do it," he said.
"If you don't have someone lined up, you may call the most expensive firm when a breach occurs, but that doesn't mean you're getting the best service.
"It's a scenario all parties would prefer to avoid," he said, "which is why we want to know the plan ahead of time."
"Beyond the time and cost of a data breach, a company's overall reputation and client relationships are at stake," Dandini said. "A thorough due diligence process is well worth the investment."
"The Hartford" is the insurance companies of Hartford Financial Services Group, Inc.
(The above piece is part of our continuing Perspectives series designed to highlight key products and services to our readers. This paid-for Perspective was written and edited by Risk & Insurance® on behalf of our marketing partner. Additional Perspectives can be found on our Web site at www.riskandinsurance.com/.)
December 1, 2011
Copyright © 2011 LRP Publications