Unfortunately, data breaches have become an extremely common occurrence. Not all of them have the high profile of a Target, Ashley Madison, Home Depot or Anthem breach, but the damage to a company and its reputation is very real.
While companies can purchase cyber insurance to help manage the risks associated with a breach, there are also steps a business can take to maximize the relationship with their breach team and minimize the fallout following the cyber event.
Here are five factors to consider when it comes to managing a company’s cyber attack or data breach.
1. Assess the risk
So how does a company prepare for such an eventuality and what steps should be taken after a breach occurs?
“Start with what you will face if a breach occurs,” advises Anthony Roman, president of Roman & Associates, a global investigation, risk management and computer security consultation firm. “Corporations of all sizes that hold any information that can be deemed private or personal are going to face a number of very serious hurdles in a breach that will encourage them to have a breach plan.”
Roman says this includes class action suits for the “undue release or allowing the release of personal and private information. The average class action suit is settling for $2.9 to $3 million.” He estimates the legal costs to defend a company in a class action suit will range anywhere from several hundred thousand dollars to well over one million.
“You may face government sanctions for local, state, federal or legal violations, some of which are criminal in nature and some which are civil in nature,” he explains. Criminal violations can pierce the corporate veil and involve specific individuals within the corporation.
There could also be regulatory sanctions if the company violated any Federal Communications Commission (FCC) regulations or any other regulatory agency’s regulations regarding cyber security. “That should be a wonderful motivator for anyone to have a robust and compliant breach program,” he adds.
Roman recommends that companies work with their brokers to craft coverage that will reduce their risk, review the policy exclusions, and ensure that they are insured to cover the types of information that will be affected and the resulting exposures from a breach.
2. Avoid these mistakes
The saying goes, “Fail to plan and plan to fail,” and nowhere is that more true than with cyberattacks and breaches. “Not having a well thought out and documented roadmap for the ‘what, when, where, who and how’ of responding to a suspected data breach is a recipe for disaster,” says Paul Nikhinson, Esq., privacy breach response services manager for Beazley.
“Most post-incident mistakes could be avoided or mitigated by implementing appropriate pre-incident prevention and response plans,” adds Kevin Kalinich at Aon. He says that some of the major mistakes companies make include:
- Internal company denial regarding the potential magnitude of the incident. Appropriate resources and attention must be allocated immediately to determine the magnitude of the incident. The financial impact of cyber incidents is not always directly correlated with the size of the incident, but the financial statement impact is often correlated to the effectiveness of the response.
- Automatically characterizing an “incident” (no immediate legal liability connotations) as a “breach” (immediate legal liability connotations under various laws, regulations and insurance policies).
- Passing the buck rather than developing a comprehensive coordinated response.
- Defensive reaction to regulators rather than an open and frank dialogue.
- Failure to timely notify any and all potentially applicable insurance carriers.
Overreacting or underreacting to the event can also be a problem, says Nikhinson. “Where there’s smoke, there’s fire; however, not every bit of smoke necessarily means a five-alarm fire. Going too quickly to the media and clients without an adequate command of the facts often causes far more harm than good.”
He also says that a company can’t just put its “head in the sand and hope for the best. This isn’t just an ‘IT’ problem. It’s something that could result in catastrophic financial and reputational damage to the company.”
Other problems include not having a plan at all, not following the established plan, not engaging a breach coach or team, and having poor communication between breach team members.
3. Working effectively with your breach team
The aftermath of a breach is not the time to be pulling together a team to address the problem. Assuming that a company already has a highly qualified team in place involving legal, IT, security, human resources, risk management and public relations professionals, experts recommend notifying legal counsel as soon as a cyber incident is discovered. “Counsel should handle retaining outside experts to maintain privilege, which puts the company in the best defensible position possible,” counsels Bob Parisi, Marsh’s cyber product leader.
Kalinich concurs. “Legal counsel should be involved as soon as a cyber incident is identified for a variety of risk mitigation, contractual liability, privacy liability, legal compliance and financial statement impact reduction reasons. Thereafter, depending upon the nature of the incident, the chief information security officer (CISO), IT security, privacy officer and management responsible for cyber incident response should be simultaneously notified. Outside parties such as customers, partners, vendors, suppliers, etc. need not be notified until the entity understands what happened (subject to notification laws, of course).”
Roman recommends activating the company’s internal breach team as soon as a breach is revealed since most breaches occur way before they are discovered. “As you’re noticing it happened, it probably occurred earlier and they are sucking you dry of confidential information, client information, individuals’ personal information, corporate secrets and information that may be sensitive from a public relations perspective.”
There should also be a designated team leader and decision-maker, says Roman: “Someone who can take all of the advice and says this is what we will do and has the authority to do it.” He also recommends that executives resist the urge to micromanage the problem. “They should assess the decisions made by the professionals and act accordingly.”
Communication between team members is critical to successfully managing the breach. “Do your best to break down internal information silos,” recommends Beazley’s Nikhinson. “Does legal know what IT/IS is investigating and how it is being documented? Does IS know that risk purchased a cyber-insurance policy and that it has certain reporting requirements? At what point do you bring in corporate communications? Coordination between all of the internal stakeholders is essential, and having someone akin to a project manager to facilitate that coordination can make all the difference in the world.”
4. Experience matters
Insurance brokers, legal counsel, public relations professionals and other vendors on the breach team should have extensive experience in cyber attacks and breaches. An experienced insurance broker can help a client find a cyber policy that best matches their needs and risks, says Parisi. “The broker should have assisted the client in fully understanding coverage as well as the value-added services that are part of today’s cyber coverage. By doing that the client will be able to fully utilize the benefits of the coverage when a breach or event happens.”
Clients should report a breach to their broker or agent as soon as it occurs. According to Aon’s Kalinich, an experienced cyber broker will be able to:
- Identify the applicable insurance policies.
- Provide the insured with the required insurance notice requirements.
- Detail any specific insurance policy requirements (i.e., third-party forensic experts must be selected from the insurance company panel in order to be covered by the insurance policy).
- Arrange a call between the insurance broker’s legal cyber incident claims specialist and the insured.
- Determine whether, and in what manner, notice is required to insurers.
- Describe past cyber incident best practices that reduce the total cost of risk.
- Maintain consistent and timely communications between the insured and the insurers.
5. Practice makes perfect
Roman recommends that companies hold periodic breach rehearsals, which can be conducted by a firm outside of the business. “Surprise your team. Tell them this is a drill and there is a breach,” he advises. This gives executives an opportunity to see how quickly the breach team can be pulled together and how they will react to a real breach. It also gives them an opportunity to role play some of the critical elements of the plan.
Brokers can assist their clients by ensuring they have the right coverage for their business exposures as well as “a proactive relationship with their carrier’s breach response team so their first meeting doesn’t occur in the middle of a firefight,” adds Nikhinson.
Waiting until after a cyber breach occurs is too late to begin managing its effects, and can have dire consequences to a company’s reputation and its bottom line. Being proactive will help mitigate some of the damage and give the company a roadmap for successfully managing the breach.