If your business stores data and information digitally, you should have a cyber risk management program that addresses prevention, disclosure, crisis management and insurance coverage in the event of a data breach. Good cyber risk management requires the planning and execution of each of these four components.
Your data breach prevention strategies may include encrypting all devices used by your employees, such as laptops, tablets, and smartphones. Encrypting these devices will prevent unauthorized access if a device is lost or stolen. Unencrypted devices are often not covered by a cyber liability policy, so make sure you know whether you need to encrypt your devices. Your strategies may also include educating employees about phishing and pharming scams. Remind them not to click on anything that looks suspicious or seems too good to be true. Analyze your cyber risks from three different perspectives: technology, people and processes. This risk assessment will give you a clear picture of potential holes in your security. Revisit and revise your plan regularly, because new risks often arise, sometimes even daily.
In the event of a data breach, you are required to notify certain people. If your company is publicly traded, the Securities and Exchange Commission (SEC) requires you to report cyber security incidents to stockholders. SEC advises timely, comprehensive, and accurate disclosure about risks and events that would be important for an investor or client to know. It’s important to evaluate what information and how much detail should be released. Notifying a broad base when it is not required could cause unnecessary concern for those who have not been affected by the breach. Some extreme cases of a data breach may require you to go further than just assessing and disclosing the information. You may have to destroy or alter data depending on its sensitivity.
Preparedness is a key component of your cyber risk management program. When you experience a data breach, you need to be prepared to respond quickly and appropriately. This is where your crisis management and response plan come into play. Determine when and how the breach occurred, what information was obtained and how many individuals were affected. Then assess the risks you face because of the data breach and how you will mitigate those risks. Part of managing a crisis is letting your clients know what actions you are taking.
However, you must be careful not to disclose too much information. It’s a delicate balance. Focus on correcting any perceived deficiencies —this will restore trust in your stakeholders and clients. Your in-house lawyers, risk managers, and IT department should work together to create and refine your plan. Everyone should be on board and know their responsibilities when a breach happens.
Your cyber risk management program should include cyber liability insurance coverage that fits the needs of your business. Cyber liability insurance is specifically designed to address the risks that come with using modern technology—risks that other types of business liability coverage simply won’t cover. The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure.
Your cyber liability insurance policy can be tailored to fit your unique situation and can be written to include the costs of disclosure after a data breach.
Contact RMC Group to learn more about cyber liability insurance and how you can protect your business from a data breach. We can be reached at 239-298-8210 or [email protected].
This document is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2014 Zywave, Inc. All rights reserved.
