The digital world; we’re all active participants. And as active participants, it is vital for businesses to assess their cyber-risk appetite and define their risk strategy in a specific and thoughtful manner.
Let’s quickly examine what we mean by risk appetite. PwC defines risk appetite as “the amount of risk an organization is willing to accept in pursuit of strategic objectives.” But we know that the amount of cyber risk most organizations really want to accept is zero. No risk is the safest, right?
It is an alarming fact that most breaches happen on weekends, with an overwhelming number occurring over 3-day holiday weekends. And, unfortunately, we live in a world where it is virtually impossible to completely eliminate risk, especially given side effects of the ongoing global pandemic that has forced much of the workforce to work remotely. No risk would mean a business or organization is completely offline – a pretty unrealistic scenario in today’s very digital world.
According to a recent survey by Accenture, 68% of business leaders feel their cybersecurity risks are increasing. Perhaps someone let them in on the secret that the average cost of a data breach is $3.86 million, and the average cost of a mega breach (1M+ records) is a staggering $50M+! Organizations must understand their cyber risk appetite and develop a strategy that is deliberate, risk-focused, measurable, and can be cascaded through all levels of their organization.
Having a strong cyber insurance policy is one of the most valuable tools to help protect a company’s balance sheet. The ABD Team cyber experts carefully review clients’ policies and identify numerous coverage solutions that could apply:
- Cyber Crime: Reimburses for loss of funds associated with phishing exploits.
- Network Business Interruption: Indemnifies for loss of income due to down time caused by a Cyber event (subject to a waiting period).
- Cyber Extortion / Ransomware: Funds investigative expenses and ransom payments.
- Incident Response: Covers expenses to hire 3rd party consultants (legal counsel, forensic investigators and crisis management firms) in the event of an actual or suspected breach.
In addition to a review of policies, The ABD Team can provide:
- Coverage analyses to evaluate what policies will trigger in the event of a cyber claim (ie Cyber, Property, Crime, and Liability)
- Benchmark data for limits, including peer data comparisons
- Cyber breach cost evaluations
- Contract playbook
- Custom program structure to extend dedicated limits to enterprise customers
And if needed, our team can align you with expert resources who provide tools to help you build a cyber breach response plan; legal review of your policy terms and conditions; and cyber actuarial analysis – ensuring no matter your needs, we’re by your side with impactful solutions.
Additionally, businesses should continually review and update business continuity plans and consider the following possible best practices:
- Risk and governance come from the top. Your Board of Directors and senior management should understand technology being deployed and arrangements being made to combat the threats. Management must make clear that security must be considered throughout new work activities.
- Coordinate Incident response plan (IRP) with carriers. Ensure your IRP is aligned with your carrier’s approved vendors, as well as the coordination of various policies that may respond to a breach.
- Review IT system security. Confirm with your IT department that the appropriate resources and attention are being directed to defend against risks to your organization’s cyber systems and work-from-home arrangements. New software should be tested and investigated before being trusted with confidential information.
- Communicate with and train employees. Carefully explain how employees are expected to utilize systems in a work-from-home environment. Employees should be instructed on how to access systems and be reminded of cybersecurity precautions that must be taken while working remotely, including with respect to their surroundings, phone calls, printing, and system access.
- Implement multi-factor authentication. Implement multi-factor authentication on all remote systems to ensure that access is limited to legitimate and trustworthy personnel. Remind employees of the importance of these systems and of having authentication mechanisms, including any required tokens, available and kept secure.
- Strengthen passwords. Remind employees of the importance of keeping up-to-date and strong passwords and protecting those passwords when using their systems, especially in remote locations.
- Warn employees about phishing. Remind employees of the importance of taking steps to avoid phishing and social engineering attempts to breach their systems, and that they should never click on links in unsolicited emails or reveal personal or financial information in response to emails.
- Manage third-party vendors. Check in with key third-party service providers to ensure readiness and planning. In the event of their own increased customer demands, do vendors that you rely on have the right plans in place?
- Review regulatory obligations. Businesses should consider regulatory obligations, including any reporting obligations that they may have. Arrangements should be made for any regulatory reporting that may be required, including testing whether there are secure remote systems for that reporting.
Establishing an effective cyber risk strategy is critical for any business that has exposure to the internet (all of us!). If you fall victim to a phishing or ransomware event or suffer a cyber breach, please contact your ABD representative as soon as possible. Please be mindful of strict claim reporting requirements in your policy that could preclude coverage. Timely reporting is key!
While it may seem overwhelming, The ABD Team can help you get on the right path to managing your cyber risk, delivering a well-designed plan that allows you to make crucial and well-informed cyber decisions.