October is National Cybersecurity Awareness Month (NCSAM). For the 17th year in a row, the Cybersecurity & Infrastructure Security Agency (CISA) is spreading cybersecurity awareness through this year’s theme, “Do Your Part. #BeCyberSmart.” According to the CISA, “This theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity.”
Industry Best Practices
As is evident from the daily news reports, cyber related incidents are rapidly increasing, leaving businesses vulnerable to an attack. Businesses can best protect themselves by establishing and frequently updating appropriate security measures to avoid a cyber event, and by providing regular employee training as well. Such measures are important for the protection of sensitive information belonging to an organization’s employees, clients, and customers for obvious reasons, as well as for their reputation. While having these plans in place provide a strong shield of protection; history has proven that no plan is fool proof.
From a risk management and insurance perspective, cyber insurance underwriters – whether domestically or in London – are generally willing to provide insurance to protect businesses and organizations in the event of a cyber related incident. Premiums and terms are more favorable for applicants who have implemented the following best practices.
- Strong backup procedures: Ransomware has become one of the most common types of cyber-attack, and it is very effective if data is not backed up often. Most ransomware attacks attempt to gain access to corporate data in order to encrypt it, so that it cannot be accessed without making a ransom payment in exchange for the encryption key. This can be thwarted if good backup procedures are in place and periodically tested, thereby allowing the company to restore the data, from a time period prior to the attack.
- Phishing training and testing: Hackers often use a targeted phishing (aka spear-phishing) email to gain control of an employee’s account, whereby they can launch an attack. Employees should be on the lookout for suspicious emails, and best-in-class companies utilize training and testing to prepare their staff. In one recent phishing attack, a company’s email account was replicated. The hacker was able to email a vendor with fraudulent wire transfer instructions, resulting in the loss of $400,000.
- Call back procedures: The age-old “con man” routine is still alive and well, but with a modern twist. Bad actors will use social engineering tactics to attempt to convince employees to transfer money or send sensitive information (i.e. W2 forms) outside the company. This can be prevented by training employees to call the intended recipient, at a phone number previously on file, to verify that they are indeed sending funds or information to the correct place, rather than the bad actor’s account.
- Use of encryption: Sensitive data that is protected with encryption technology is meaningless to anyone who does not possess the encryption key. Encryption is the process of converting information (either at-rest in a database or in-transit to another party) into code. This code is unintelligible to anyone who is not in possession of the corresponding encryption key to translate the code back to readable information. This means that if the data is lost or stolen, there may not have been a “breach” depending upon applicable federal or state law (provided that the encryption key was not also taken). HIPAA regulations provide for safe harbor to institutions who can demonstrate that lost or stolen PHI was in an encrypted format. This is particularly important for mobile devices and portable media such as laptops, tablets, phones with locally stored information, and portable drives containing PII – as they tend to go missing regularly.
- “Least Privilege” user access: Valid user accounts are often hijacked by bad actors attempting to gain access to sensitive information. For this reason, it is important to limit employee access to the least amount of information necessary to perform their job functions. Very few employees should have access to the most sensitive corporate information, which will reduce the likelihood that a compromised user account can be used to steal the “crown jewels” in the form of the most sensitive privacy information.
- Vendor controls: Third party vendors can be the source of a system compromise, as highlighted by the Target breach (which originated from the system of a HVAC vendor). Companies should make sure that vendors who can access their network have information security policies at least as strong as their own. These policies should be audited periodically and contractually required to be in place throughout the period of engagement.
- Other Contracts: As business interactions are becoming more and more electronic, you will likely find your company in the opposite position of having to sign an agreement with a company that is granting you access to their systems. It is also important to carefully review any such contracts to ensure balanced assumptions of liability and that your policy meets applicable insurance requirements.
- Investment in information security technology: There are many technical solutions to prevent and identify data loss. These include advanced firewalls, Data Loss Prevention (DLP) software, anomaly detection, Security Incident and Event Management (SIEM) software, among others. Companies who deploy and properly configure these technologies are less likely to experience a breach of confidential information.
- Development of an Incident Response Plan (IRP) and Incident Response Team (IRT): Companies who plan and prepare for a data breach will be better suited to deal with an actual incident. The IRT should include all employees (including their backups) and critical vendors who will be in decision-making roles in response to a breach of confidential information. The IRP outlines the procedures that should be used immediately upon discovery of an actual or suspected data breach. The IRT should engage in a “tabletop” simulation of a cyber security event in which the IRP is deployed and refined.
- Breach response service providers: The best time to identify vendors who will be engaged to respond to a data breach is before an incident takes place. Computer forensics, outside counsel specializing in privacy law, call centers, notification providers, and public relations firms are likely to be needed in responding to a privacy event. It is critical that these services can be engaged quickly, and substantial savings are possible if rates are negotiated prior to an actual event. Ideally the insurance company writing a cyber liability policy will have affiliations with vendors who can assist in these functions. However, not all cyber insurance companies have such breach vendor relationships – and some have negotiated better terms than other insurance companies.
- Data destruction policy: A company can reduce their data breach exposure by purging sensitive information that is no longer needed. A policy of reviewing stored information periodically and deleting unnecessary files can minimize the scope of a data breach or eliminate it altogether. Along with data destruction, some companies may choose to store their sensitive data in an encrypted environment which is off their network (aka air-gapping)
- Physical security policy: Computer systems which contain sensitive information should be housed in secure environments with limited access. Key cards or biometric readers should be used to restrict access to only approved personnel. This policy should apply to a company’s own facility as well as any co-location, or data centers run by third parties.
- Robust password requirements: User access to sensitive information should require strong passwords that are changed at least every 90 days. Multi-factor authentication should be used to ensure that a bad actor cannot utilize stolen credentials to gain access. Finally, a procedure should be in place to deactivate passwords and user accounts when employees leave/change roles.
- Contractual protections: Agreements with third parties who are in possession of a company’s sensitive information (or are granted access to it) should be written to specifically address each party’s responsibility in the event of a breach. Factors to consider include which party will be responsible for coordinating a response, who will cover associated costs, and who will engage and pay breach response vendors.
Durham, North Carolina – Insurance People of NC, an independent insurance and risk management firm, announced that Mitch Kaufmann, Risk Advisor has been awarded the Accredited Cyber Risk Advisor (ACRA) designation by the Beyond Insurance Global Network. The Accredited Cyber Risk Advisor is a unique type of insurance agent who understands today’s broad range of cyber exposures, regulations and claims facing businesses both nationally and internationally.