Almost every day we hear news stories of cyber attacks and data breaches.
These incursions, once rare, are now so common the public has begun to accept them with a remarkable degree of complacency. Indeed, in the past year, 43% of companies experienced a data breach. Still, waking up to find your company at the center of a front-page controversy is every CEO’s worst nightmare.
Cyber security is a business reality that should be on every company’s radar—ideally, on every company’s priority list—because each one is at risk of being hacked. In fact, in the time it takes to read this column, your firm will likely experience a malware event, a normal, every-three-minute occurrence at a typical business entity, according to a recent report from the cyber-security company FireEye. This is not just a big business issue; 60% of all targeted attacks in the last year have been on small and medium-size organizations. Yet several studies have noted the majority of U.S. companies do not have a cyber-security policy in place and two thirds of executives do not believe their organization understands what needs to be done following a material data breach.
In response to the growing media and political attention being paid to cyber risks, the National Association of Insurance Commissioners recently adopted a set of cyber-security principles. The principles are not a new set of standards. Instead, they reflect what has come to be widely accepted cyber-security best practices. They are intended to outline a set of policies and procedures that a regulator would expect insurers and brokerage firms to have in place to protect consumers from data breaches:
- General protections for personally identifiable information
- Systems to perform breach alerts or notifications
- Network safeguards
- Incident response plans and procedures
- Appropriate oversight of third-party and service provider security controls
- Including the cyber-security risks in the enterprise risk-management process
- Board level review of the cyber-security program and internal cyber-audit findings
- Participation in cyber-threat information sharing via information-sharing and analysis organizations
- Proper cyber-security employee training.
The principles do not dictate what must be in a plan or security audit, but they reflect a growing expectation that insurers and brokerages will have a basic plan in place encompassing these elements. Basically, the NAIC says what most executives already should know: If a company faces a credible threat, it should plan, prepare and protect itself and then determine what to do when these efforts fail. This is critical because every company’s systems will eventually fail. At that point, the focus quickly shifts to damage assessment. With cyber, that can be enormous, potentially encompassing everything from simple financial costs to immense potential liability and reputational harm.
This same basic road map extends to every client. Each one should have a cyber-security plan in place that encompasses all of the NAIC elements. Instead of panicking about cyber security while Congress and the states consider ways to address this issue, every company should immediately begin educating itself (if it hasn’t already) and working toward a practical and efficient in-house approach.
To start, companies should evaluate their IT networks and put a stop to abusive but controllable internal practices that place the business at risk. An easy starting place, for example, is to remove and prohibit the use of unlicensed software. A new study for BSA|The Software Alliance, conducted by the International Data Corporation, found 43% of all software installed on PCs globally (and more than 18% percent in the United States) in 2014 was unlicensed. The correlation between unlicensed software and malware, it found, is higher than the correlation between education and income or than that between smoking and lung cancer.
IDC estimates enterprises spent $491 billion in 2014 alone as a result of malware associated with counterfeit and unlicensed software. The implication is clear: Assessing what is in your network and eliminating unlicensed software could help reduce your cyber-security incidents. Yet only 35% of companies have policies requiring the use of properly licensed software.
All of your firms are advising clients on data breach and cyber-security issues. The insurance market is still in a relatively nascent stage for coverages beyond consumer data-breach related liabilities. As your work in this emerging area and the available insurance products continue to evolve, the cyber-security risk management protocols will continue to become more of a focus.
Enhancing clients’ cyber security with straightforward steps, like policies that eliminate exposures from unlicensed software for example, could go a long way toward protecting your client. It could also reduce the cost of insuring exposures as the market continues to develop, and it could cement your role as your clients’ advisor of choice.
And isn’t that the business we’ve chosen?