Assessing the technology/insurance inflexion point
Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes that ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.
There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point an organisation needs to refocus its investment attention toward cyber risk insurance.
Tim Fitzgerald, Chief Security Officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will be affected by the scale of the organisation’s data collection, its reliance on cloud computing services, its deployment of Internet of Things devices, and the mobility of its workforce and user base.
He recommends that organisations conduct a cyber risk assessment, analyse the data stores they hold, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.
A data breach response plan, which can be informed by the Office of the Australian Information Commissioner’s guidelines, ensures that should a cyber-attack occur, the organisation and its staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.
However, any cyber response plan must remain a living document and needs regular review to ensure that current regulatory requirements are reflected.
In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third-party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.
Organisations attacked once are three times more likely to be attacked again. - Symantec
45x more cyber ransom events year on year. - Symantec
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
- What can go wrong?
- How bad can it be?
- How am I protected?
- Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders, including the Chief Financial Officer, the Chief Information Security Officer, the head of risk management, and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.
Knowing the risk is one thing; dealing with it effectively also demands the support of the most senior management and the board. Effective security requires a whole-organisation commitment from the top down.
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but also when they “ought reasonably to have been aware” of one, which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether the legislation will have any extra-territorial implications for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan, and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
Aon cyber security summit, Aug 16
Aon’s Cyber Risk Symposium, held across Australia recently, delivered important clarity regarding the global threat environment. Working with partners DLA Piper and Symantec, and with leading cyber security experts, Aon reflected on the legal influences on the cyber risk landscape and the technology solutions and strategies available. It also explored the growing role played by cyber insurance in underpinning safe and sustainable business models.
Aon plc (NYSE:AON) is a leading global provider of risk management, insurance brokerage and reinsurance brokerage, and human resources solutions and outsourcing services. Through its more than 72,000 colleagues worldwide, Aon unites to empower results for clients in over 120 countries via innovative risk and people solutions. For further information on our capabilities and to learn how we empower results for clients, please visit: http://aon.mediaroom.com.