Mitigating and managing cyber risk: ten issues to consider



Similar documents
Managing Cyber Risk through Insurance

CYBER RISK SECURITY, NETWORK & PRIVACY

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

Cyber and Data Security. Proposal form

Beyond Data Breach: Cyber Trends and Exposures

The potential legal consequences of a personal data breach

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows

Cyber/ Network Security. FINEX Global

Cyber Insurance Presentation

Cyber Security Issues - Brief Business Report

Cybercrime: risks, penalties and prevention

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone:

Data Breach and Senior Living Communities May 29, 2015

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Security & Privacy Current cover and Risk Management Services

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

PCL2\ \1 CYBER RISKS: RISK MANAGEMENT STRATEGIES

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Cyber Risk Management

Cyber Liability Insurance Data Security, Privacy and Multimedia Protection

ACE European Risk Briefing 2012

Rogers Insurance Client Presentation

Small businesses: What you need to know about cyber security

CYBER/ NETWORK SECURITY

Airmic Review of Recent Developments in the Cyber Insurance Market. & commentary on the increased availability of cyber insurance products GUIDE

Cyber Liability Insurance Data Security, Privacy and Multimedia Protection

NZI LIABILITY CYBER. Are you protected?

Who s next after TalkTalk?

Cyber Risks in Italian market

Data Breach Cost. Risks, costs and mitigation strategies for data breaches

Small businesses: What you need to know about cyber security

CYBER RISK INSURANCE. Presented By: Jonathan Healy

CGI Cyber Risk Advisory and Management Services for Insurers

Cyber Liability Insurance

ISO? ISO? ISO? LTD ISO?

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

Third Annual Study: Is Your Company Ready for a Big Data Breach?

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

Information and Communication Technology, Cyber and Data Security

Cybersecurity. Shamoil T. Shipchandler Partner, Bracewell & Giuliani LLP

Cyber Exposure for Credit Unions

NCUA LETTER TO CREDIT UNIONS

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor

How To Cover A Data Breach In The European Market

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS Data Breach : The Emerging Threat to Healthcare Industry

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

Cyber Risks and Insurance Solutions Malaysia, November 2013

Protecting Your Assets: How To Safeguard Your Fund Against Cyber Security Attacks

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

Cyber and data Policy wording

Guidance on data security breach management

Our specialist insurance services for Professionals risks

9/13/2011. Miscellaneous Current Topics in Healthcare Professional Liability. Antitrust Notice. Table of Contents. Cyber Liability.

Coverage is subject to a Deductible

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

National Corporate Practice. Cyber risks explained what they are, what they could cost and how to protect against them

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS

Cyber Threats: Exposures and Breach Costs

CYBER & PRIVACY LIABILITY INSURANCE GUIDE

White Paper on Financial Institution Vendor Management

Information Security: Business Assurance Guidelines

Data Management Session: Privacy, the Cloud and Data Breaches

Privacy Liability & Data Breach Management Nikos Georgopoulos Cyber Risks Advisor cyrm October 2014

Cyber Security - What Would a Breach Really Mean for your Business?

Understanding the Business Risk

Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer?

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION

The era of hacks and cyber regulation

Insurance for Data Breaches in the Hospitality Industry

Protecting your business from cyber crime and data loss. November 2014

Guidance on data security breach management

Privacy, the Cloud and Data Breaches

Identifying Cyber Risks and How they Impact Your Business

How-To Guide: Cyber Security. Content Provided by

External Supplier Control Requirements

Helping to protect your business and your customers in the event of a data breach

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

THE ANATOMY OF A CYBER POLICY. Jamie Monck-Mason & Andrew Hill

Central and Eastern European Data Theft Survey 2012

Cyber Risks October

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

Cyber Risks in the Boardroom

Care Providers Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management

Embracing Cyber Risk: Insurance Solutions

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

FINANCIAL LINES ACE ELITE PLUS MANAGEMENT LIABILITY INSURANCE

Insuring Innovation. CyberFirst Coverage for Technology Companies

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Network Security & Privacy Landscape

CYBER RISK MANAGEMENT IN THE BOATING INDUSTRY

Cyber Insurance as one element of the Cyber risk management strategy

Service Schedule for Business Lite powered by Microsoft Office 365

Transcription:

Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed that companies rank cyber security risks as greater than natural disasters and other major business risks. In light of its potentially significant effect on corporate reputation and financial performance, the board needs to consider the impact a cyber event may have on its business by identifying the organisation s risk exposure and exploring risk transfer and mitigation strategies. 1 The following factors highlight the main areas that directors should consider in mitigating and managing cyber risk: Understand the risks Consider your client base. Now consider how your organisation would cope if more than three quarters of your clients stopped doing business with you. Should your organisation fall victim to a cyber attack, such an outcome could be a possibility. According to a 2011 Unisys survey, 82% of the UK public would stop dealing with an organisation, such as closing their online account, if their data was breached. Damage to brand and reputation can be irreparable. A cyber attack or data breach can take many forms including deliberate attacks, technology issues and human error or negligence. The perpetrators of a cyber attack can include organised crime groups, competitors, disgruntled employees and politically motivated groups. The UK s increasing reliance on computer systems, web-enabled communications and cloud technology has left many organisations open to new exposures. Although most risk managers and business decision makers recognise that data breaches represent a major threat to their organisations, developing a better understanding of their organisation s specific network security and privacy risks is an important first step to aligning the exposures to appropriate risk transfer options. 1. Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age (August 2013)

Cyber risks: cause and effect examples Event Nature of event Outcome spectrum Consequences Accidental Intentional Malicious Accidental Third party Hacking Virus Cyber extortion Identity theft Unauthorised access System error Loss/destruction of information Theft of information Defamatory Privacy breach Breach of intellectual property Breach notification Brand and reputation damage System disruption Forensic investigations Damage to digital assets Legal proceedings Regulatory security Extortion demands Data loss Legal liability to your suppliers and employees Notification costs Fines and penalties Increased compliance costs Enforceable undertakings Replacement of digital assets Loss of revenue Customer confidence Impact on share price Wrongful collection Data restoration costs Forensic consultation costs 2 3 Data breaches and your organisation s reputation The amount of personal and confidential information maintained electronically by public companies increases every day. As a consequence, the likelihood that a material data breach will adversely affect an organisation s reputation, bottom line and share price is a real exposure. In the US, the Securities and Exchange Commission has responded to this ever-increasing risk by requiring greater disclosure related to data security; it is likely that the UK and other European countries will follow suit in the near future. Are you aware of the changing regulatory landscape? The European Commission is planning to overhaul the regulation of data protection and privacy across all member states by introducing a General Data Protection Regulation that would create a single set of rules for all organisations processing personal data in the European Union. 2 2. The European Commission, Proposal for a Regulation of the European Parliament and of the Council, 25 January 2012

If the draft regulation is adopted, it would lead to a substantial reform of the 1995 data protection directive and could potentially impose much tougher rules on any affected organisation. More importantly, the potential consequences of failing to comply with the new rules could compound the possible financial, brand and reputational damage which can befall an organisation after a data breach. The regulation is currently expected to come into force in 2015 or later. 4 5 6 In a separate move, the Commission is also proposing a directive on network and information security that may affect a range of organisations including those that are involved in the provision of critical infrastructure, banking and healthcare as well as those that are enablers of information society services for example, e-commerce platforms and social networks by requiring them to meet minimum IT security standards as well as disclose cyber breaches to their national regulators. 3 The proposed General Data Protection Regulation may create a number of challenges One of its most important elements is a plan to allow the national data protection authorities of each member state to impose fines of up to 2% of worldwide revenues on any organisation that processes personal data. In the UK, the current maximum fine that can be imposed on an organisation is 500,000. 4 Mandatory notification may be on the horizon As things stand, any organisation that comes under the new data protection regulation will be required to notify its local data protection authority and its data subjects within 24 hours, if possible, should it suffer a data breach. There is, at present, no requirement to provide such notification in the UK. Increasing data protection and privacy compliance burden Perhaps the most significant elements of the draft data protection regulation are those that directly seek to enhance the privacy rights of the individual, particularly the intention to create the right to be forgotten. Under this plan, an individual can require any organisation to delete personal data when there is no longer a legitimate reason for keeping it. Moreover, an organisation can no longer process personal data that requires the consent of the individual. In future, it will have to have explicit consent before proceeding. 3. The European Commission, Digital Agenda for Europe, Policy/Legislation: 07/02/2013 4. ICO - Taking action: data protection and privacy and electronic communications, http://www.ico.org.uk

7 Hackers are already two steps ahead of you Some organisations mistakenly believe that because they have a firewall, a quality IT team, or antivirus protection, they will not be targeted. However, various major organisations around the world have been victims of cyber crime in recent years and have experienced significant data and security breaches including the details of bank accounts, medical records and confidential business information. 8 9 These incidents have affected millions of customers and exposed some of these companies to litigation and liability, significant financial recovery costs as well as loss of future business and reputational damage. Cyber threats can pose merger risks Boards need to closely consider cyber security and other data protection measures in the context of corporate M&A activity. If a company acquires a target with a malware-infested IT system, there is a potential for a wide range of liabilities. Cyber security and other data protection methods should be added to the list of criteria a board should consider when evaluating a potential acquisition. In addition, acquisition documents should include appropriate representations, warranties, and indemnities related to cyber risks. Have you considered the legal and risk governance issues around data hosting and jurisdiction? The decision by many UK organisations to outsource their software applications, technology platforms and IT infrastructures to third-party providers has created a raft of new legal issues that may have significant risk management ramifications. Businesses should balance the flexibility and potential cost savings of outsourced services such as cloud computing with the risks inherent in storing data, infrastructure and platforms offsite, beyond the company s direct control, and possibly even in a foreign country with different laws. It may be helpful to obtain detailed information from cloud providers about their security programs including who can access the data, where it will be located (country of jurisdiction, for the evaluation of legal obligations), technical aspects of the infrastructure, and what steps the provider has taken to protect the integrity and security of the data.

10 Insurance coverage is available through tailored cyber risk policies Ramifications of a breach can be very costly to a company s business, both fiscally and for brand and reputation. In addition to notification costs (PR, call centre costs and credit monitoring services), investigations response and compliance, and compensation to affected individuals, there are additional concerns such as engagement of forensic experts, and defence of claims for misleading conduct, negligence, breach of contract, breach of confidence and interference of privacy. Most of these exposures are not covered under conventional insurance. It is, therefore, important for companies to thoroughly evaluate existing exposures and insurance coverage and consider purchasing tailored network security and privacy insurance to cover identified gaps. Aon UK Limited is authorised and regulated by the Financial Conduct Authority Aon UK Limited 2014. FP 8729.04.14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information