A staggering 43 percent of U.S. companies have experienced a data breach in the last year according to the Ponemon Institute. Despite the rise in breaches, 27 percent of companies didn't have a data breach response plan or team in place. Are you one of those companies, or are you looking to lessen the fallout should a breach or cyber-attack occur? The following are steps every manufacturing-related business should take to minimize risk.
Assessing the Risk
First, start by assigning one person to be responsible for data security with enough authority to get things done. Then, conduct a risk assessment to identify areas of vulnerability and improve your network security. Implement policies and procedures that limit access to sensitive data and record retention storage. Review and improve your vendor contracts to ensure any service providers you share confidential information with are required to protect your information, especially if using cloud-based information storage. Next, implement a continuous employee awareness, education and training program on your data security policies and procedures. Prepare for a data breach by having an Incident Response Plan reviewed and tested frequently to help guarantee the plan can be executed effectively and in a timely manner. Also, consider purchasing cyber and privacy liability insurance coverage so that, in the event of a breach, you have a financial backstop to cover the losses that may occur as a result.
When conducting an assessment of cyber risk, there are some key areas of focus. First, start by understanding the type of information collected and where it’s stored. The risk assessment should focus on three key areas: administrative safeguards, physical safeguards and technical safeguards.
Administrative safeguards include assessing policies and procedures that limit access to confidential information for customers, employees and/or others. In addition, vendors should have appropriate safeguards in place to protect the data companies send them. Key administrative policies include a “clean desk policy” that requires employees to properly secure records containing confidential information, a record retention policy that helps ensure the organization doesn’t keep records for longer than necessary, and an acceptable use policy outlining how company employees should use information.
Physical safeguards could include storing paper records containing confidential information in locked file cabinets, shredding confidential records and storing servers, laptops, flash drives or other sensitive equipment in secure, locked areas.
When it comes to technical safeguards, companies should develop a defense strategy that effectively balances the need for security against the efficiency of doing business. Some companies simply focus on “protecting the perimeter” by employing anti-malware and firewall software in either an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) function. Other companies employ a “Roach Motel Defense,” which accepts that some intrusion into the network will happen but limits the intruder’s movements and prevents the intruder from leaving the network with any information. Many companies now utilize security information and event management (SIEM) systems as part of their defense strategy. Whatever the type of defense, companies should, at a minimum, encrypt laptops, flash drives, and data stored on servers, and update system software regularly.
Minimizing the Fallout
At some point every company will be faced with a data breach, and how a company responds is critical. A core component of minimizing the impact of a cyber-attack is having a comprehensive incident response plan (IRP). An IRP is a living document that should be continuously updated as the business changes; it outlines who will respond to a breach and how. An IRP should be clear, succinct and organized in sections, while containing the appropriate details for response.
There are four key elements every IRP needs. First, there should be an Incident Response Team with the roles and responsibilities of each team member outlined. It should list both internal and external team members and their detailed contact information and specific role and notification level. Second, generate an Incident Triage Notification that informs the response team, insurance carrier, law enforcement, outside forensic investigation, crisis and media management. Third is the creation of a Breach Response, which details the response procedures such as timing, affected individuals, and government notification. It should also address issuing a press release, internal communications, what is posted on the website, as well as remedies such as credit monitoring and identity theft resolution. Fourth is a Mitigation & Remediation system, which should cover investigation outcomes to correct vulnerabilities, harden the system from further breaches, and review and improve the incident response team.
Finally, having appropriate cyber and privacy liability coverage in place will provide a financial backstop if a cyber-attack occurs. When determining what kind or how much cyber insurance to buy, always start by asking “what do I need?” One of the most important issues in purchasing cyber insurance is determining the appropriate limits of liability. The costs of responding to a data breach can be substantial. Estimates vary, but the Ponemon Institute’s 2014 Cost of Data Breach Study estimated the average organizational cost of a data breach was $201 per electronic record.
Ensure your company has Retroactive Coverage, as most cyber insurance policies limit coverage to breaches that occur after a specified “retroactive date.” In some policies, this date is the same as the policy’s inception date, which means there may not be coverage provided for claims made due to breaches that occurred before the policy period, even if the insured did not know about the breach when it bought the policy. Because breaches may go undiscovered for some time before claims are made, companies should always ask for a retroactive date that is earlier than the inception date. This will ensure the coverage includes unknown breaches that occurred before the policy incepted.
Finally, companies should not forgo purchasing a separate cyber policy on the assumption that there’s coverage under the Commercial General Liability (CGL) policy. Recently, many carriers have denied coverage for data breach claims filed under a company’s CGL policy, and the courts have agreed. It’s important that a company understands how each policy will respond to a cyber claim.
Jay Shelton is the Senior Vice President of Risk Management Services at Assurance.