Friday, March 29, 2013

Protecting Against Cyber Risk & Developing a Data Breach Response Strategy (Spring 2013)

The best defense against loss from a data breach is to do all you can to prevent a breach from occurring in the first place.

Even small companies can be a target of data thieves.  The primary causes of data breaches have been identified as employee error, contractor error, lost or stolen equipment (laptops, smart phones, storage media), and procedural mistakes.

Data outsourcing and sharing also create a risk.  In a survey by Ponemon Institute, more than 85 percent of companies indicated they share customer and employee data with third parties for activities such as billing, payroll, employee benefits, web hosting, and other information technology services.  Of those organizations that outsource data, over 60 percent do not require third parties to cover the costs associated with a data breach in their contracts.

Typical business insurance policies often do not provide adequate coverage for cyber risk.  There are cyber insurance programs available to help cover the costs of responding to data breaches and providing services to affected individuals.  To learn more about what options are available, contact your Leavitt Group insurance consultant.  Let them know of any e-commerce activity you do, as well as what kind of information you store on your network and whose it is.  Include information on subcontractors who manage any of your e-commerce activity or who help in running or maintaining your computer network.


A recent survey of risk managers revealed the following: 
  • Over 70 percent were not purchasing a cyber insurance policy for their organization. 
  • Two-thirds believed their internal controls were adequate or that they didn’t have a significant data exposure.
  • Fewer than half conduct regular “penetration tests” to evaluate the adequacy of their network.
  • More than 40 percent indicated they purchased a cyber limit of between $1 million and $5 million; however, the median cost of cyber crimes to an organization is about $5.9 million.

Recent surveys have found that more than half of small and midsize businesses in the United States have experienced at least one data breach.  Among those who have experienced this problem, only one-third have actually notified their customers when the breach occurred.  Failure to act in a timely and effective manner in the event of a data breach can harm your business’s reputation and, in many states, put you at risk for legal penalties.  Every business should have a plan in place on how to respond if sensitive information on customers and employees is compromised.

Here are a few suggestions for developing a data breach response strategy:  
  • Develop a data breach notification policy.  This policy is written for your customers and tells them how your organization will notify them if a data breach occurs.
  • Train staff to be able to recognize breaches.  All employees should be able to identify a potential data breach and know how to report the incident.
  • Notify financial institutions.  Contact the bank that manages your credit card processing if financial information (such as credit card numbers) is compromised.
  • Seek assistance from an attorney or risk consulting company as soon as you become aware of a possible data breach.  These professionals can help you identify which laws might be involved and whether you need to alert customers or the government.
  • Notify affected customers in the way you said you would in your “data breach notification policy.”  It is important that you do this as soon as appropriate based on the situation.  Having your customers find out about the data breach from another source will not help your customer relations or your reputation.
In a survey by Ponemon Institute in 2012, customers indicated how they would expect an organization to respond after a data breach.  They revealed the following:
  • Breach notifications should be easy to understand, well-written, and concise.  Do not include so much legal language that it becomes difficult to understand.  Present all of the facts in a way the average person can understand.
  • Let people know what your organization is doing to protect them from financial damage.
  • Explain the risks and offer advice.  Provide information on what steps your customer should take to protect themselves.
  • Offer financial help.  Many experts recommend offering credit monitoring services to breach victims.
Developing and implementing an effective data breach response strategy will enable your organization to fulfill your responsibility to protect the personal information your customers and employees have entrusted you with.


The coverages discussed herein are for illustrative purposes only.  The terms and conditions of your specific policy may differ from those described.  
Please consult the provisions of your policy for the terms, conditions, and exclusions that apply to your coverage.