Cyber Risk

Experian Data Breach Resolution and the Ponemon Institute released a new study today that shows that companies now rank cyber security risks as greater than natural disasters and other major business risks. While only 31% of companies are insured today, a growing number of companies are exploring policies. This indicates a larger appetite for financial protection in the wake of a breach. The report, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, is one of the first to examine corporate adoption and attitudes about the rapidly evolving cyber security insurance market and how companies are managing the potential financial damage of breaches. Respondents include senior privacy and compliance professionals involved in evaluating cyber insurance policies and corporate risk management. The top industries represented are retail, public sector, health and pharmaceuticals, and financial services.

Companies surveyed acknowledged the potential financial impact associated with security breaches. The 56% that had breaches reported an average cost of $9.4 million for these incidents in the last 24 months. However, these costs are only a fraction of the average maximum financial exposure of $163 million that the companies surveyed (breached or not) believe they could suffer due to cyber incidents.

"Companies worry about the financial impact following a data breach," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "Cyber insurance could be an important part of a risk management strategy to protect against potentially severe financial losses."

The International Association of Privacy Professionals (IAPP) Privacy Academy

"Managing the Top Five Complications in Resolving a Data Breach."

View the presentation through a live stream at http://www.ustream.tv/experiandbr and pose questions to the panelists in real time via Twitter using the hashtags #databreach and #iapp.

According to Bruemmer, three of the most common mistakes include:

-- No engagement with outside counsel -- Enlisting an outside attorney is highly recommended.

-- No external agencies secured -- All external partners should be in place prior to a data breach so they can be called upon immediately when a breach occurs. Not having a forensic expert or resolution agency already identified will delay the data breach response process.

-- No single decision maker

World's Biggest Data Breaches - Selected losses greater than 30,000 records

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Cost of a Data Breach: $136 per compromised record in 2012, via Symantec

John Mullen Declares People Biggest Threat and Risk Management Best Defense

“Whether it’s a trusted insider betrayal, through blackmail or naiveté or a result of remote recruitment”, people are your main threat. “Scientists say people are more willing to share secrets online than anywhere else, and Americans fall for social pressures [social engineering] time and time again”.

It only takes one individual in thousands to betray our government, “and that one individual only needs to get it right once. One betrayal can cause loss of life, loss of profit”, he explained.

The unintentional insider threat is also a big problem, especially when your staff are mobilised and travelling abroad. Mullen gave the following advice for minimising the risk:

  1. Never lose sight or physical control of your device: “It surprises us what people put on their devices that they don’t need to take with them”
  2. Never accept files
  3. Never use local services

Mullen described his career as “playing the offense.” You can have an active offense and know a lot, he explained, but “if you don’t apply it, you’ll be beat.” While Mullen described offensive operations as “dynamic and constantly moving”, he labelled static defense as being vulnerable to “defeat over time”.

Managing Risk

Having defined the information security challenges, Mullen declared risk management as the strategy that will “protect your organisation, your IP, your ROI and your networks.” Security programs, he admitted, “are not easy and they don’t generate revenue, but they’ll protect your longer-term visibility and revenue.”

http://www.infosecurity-us.com/view/33856/cias-john-mullen-declares-people-biggest-threat-and-risk-management-best-defense-/

Cyber risks too big to cover, says Lloyd’s insurer

Alistair Gray, Insurance Correspondent

Cyber attacks now present such a danger to global business that governments should step in to cover the risks, the head of the largest Lloyd’s of London insurer has warned.

Speaking a day after yet another large company — Anthem, the US health insurer — disclosed that hackers had breached its systems, Stephen Catlin said cyber security presented the “biggest, most systemic risk” he had come across in his 42-year career in insurance.

http://on.ft.com/1C3miTR

  • Cyber risks are hard to model and unusually systemic.
  • Traditional risks, such as natural catastrophes, are more contained.
  • Mindful of the potential aggregation impact. It’s something governments should be putting a lot of thought into.
  • Governments have already had to establish state-backed schemes to provide terrorism cover.