The Future of Cyber Defense

A Q&A with Wyatt Hoffman of Carnegie Endowment for International Peace

As cyber-attacks continue to mount, private organizations are ramping up their security activities, and many wonder whether “active cyber defense” is the answer. Of course, what constitutes “active cyber defense” is an emerging debate for international lawmakers and policy makers, says Carnegie Endowment for International Peace senior research analyst Wyatt Hoffman. I asked him about this concept and the related issues at hand.


Interview with a Risk Manager: Why the concern about cyber risk?

A Q&A with Emily Cummins, Risk Manager and Chair of the Technology Advisory Council (TAC) of the Risk and Insurance Management Society (RIMS)
Though it may have only captured the public’s attention recently, cyber risk has been an emerging risk management concern for decades. To find out more about what keeps risk managers up at night, I spoke to Emily Cummins, CPA, CPCU, ARM, ARe, risk manager and current chair of the Technology Advisory Council (TAC) of the Risk and Insurance Management Society (RIMS), which has chosen cyber risk as an area of focus for 2012.

“Cyber risk” includes both first-party liability (business interruption; crisis costs) and third-party liability (privacy class action; IP infringements). As a risk manager, what are some of your concerns?
What we see as “cyber risk” is probably only the tip of the iceberg. We are always concerned about the capture of confidential data including PII, PHI and financial information, no matter the cause of the loss or breach (hacktivists; malware; rogue employees; or mistakes). For the risk manager, the regulatory burden increases all the time. For example, as of a few months ago, publicly traded companies must now disclose any cybercrime incident that has a financial impact on the company. Above all, risk managers want to protect customers and members, both ethically and legally. There’s a lot at stake and that’s why it’s critical to have a loss-control plan in place.

Can you speak to any specific threat or risk exposure that’s more of an ongoing or emerging concern? I’m thinking, for instance, of third-party partner and service provider (SP) mishaps; lack of budgets for IT security; hackers accessing corporate databases; the loss of laptops; and new state or federal regulations such as California’s Song-Beverly Consumer Protection Act that create duties and legal liability.
All of the above are concerns. But in addition, it’s worth pointing out that multichannel retailing is a risky area. On the RIMS TAC, we try to educate members. Many institutions think they might not have an exposure, but any organization that runs a virtual shop or a retail website, offers smart phone apps or mail order, or has any other channels to market products, is carrying more risk. I’d also say in general that social media presents us with great opportunities along with more risks, as does the fact that as a society we have become more dependent on virtual devices.

Can you tell me about the RIMS TAC group?
The RIMS TAC group includes volunteers—risk managers as well as industry partners— and we hope to deliver value in thought leadership. I have been involved in RIMS for six years. As risk managers, we are always looking for good information and we support the NetDiligence® Cyber Liability & Data Breach Insurance Claims study as a valuable resource.

Is there anything else a peer risk manager just beginning to delve into cyber risk issues might want to hear from a pro?
It’s all about education, seeking out resources, taking a holistic view, developing teamwork among departments. Cyber risk is a component of enterprise risk management and it encompasses multiple silos. Part of managing that is breaking down silos and building up partnerships.

In conclusion …
For a CFO or risk manager just starting to study their own cyber risk exposures, one of the best things to do is sit down with the IT team and have a straightforward discussion about safeguards, detailing where the IT staff feels they have reasonable security and privacy practices in place, and where they might have some known weakness. It’s also important to include in this conversation any third-party service providers or contractors who might touch the network or data in any manner, as they are often the cause of data breach incidents. In closing, here are a few questions to get the conversation going:

  • Has our organization ever experienced a data breach or system attack event?
    Some studies have shown that 80-100% of executives admit to a recent breach incident—each year.
  • Does our organization collect, store or transact any personal, or financial or health data?
  • Do we outsource any part of computer network operations to a third-party service provider?
    Your security is only as good as their practices and you are still responsible to your customers.
  • Do we use outside contractors to manage our data or network in any way?
    The contractor, service provider or business partner is often the responsible party for data breach events.
  • Do we share data with partners, or do we handle a partner’s data?
    You may be liable for a future breach of their network and business partners often require cyber risk insurance as part of their requirements.
  • Does our posted Privacy Policy actually align with our internal data management and sharing practices?
    If not, you may be facing a deceptive trade practice allegation.
  • Has our organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up to our peers?
    Doing nothing is a plaintiff lawyer’s dream. It is vital for the risk manager to know if the company’s practices are reasonable and in line both with peers’ practices and the many regulations concerning data safety.


Data Safeguard Policies

A Q&A with David Lineman, President of Information Shield
An organization’s security is only as good as its underlying policy. Besides guiding personnel on procedures, rules and protocols, policy is also a public signpost that will reassure customers, third party organizations and stakeholders that their data will be protected. To find out more about the common mistakes people make with regard to data safeguard policy, I talked to David Lineman, president of Information Shield (and eRisk Hub resource vendor).

What security/privacy provisions are most often missing from organizations’ policies, especially small to medium size organizations?
Among the security policies most often left out is “acceptable use” of internet and email, even though these are common areas for breaches. The technical vulnerabilities are always there, certainly, but many of the huge, public breaches occur when someone emails out personal data by mistake, or responds to a phishing email with data that then leads to a technical breach. So where organizations tend to be missing the boat is with the policies that relate to people and the way they behave—and making sure that people in the organization, no matter what size it is, are aware of those policies that apply to them. Really, all of the regulations in healthcare and financial services actually point to the same set of controls in security policies—passwords, for instance. You need to manage access control with passwords and that is as valid today as it was 30 years ago as a key element of personnel security. Employees need to be screened and they should be receiving security education and training. Companies are spending billions of dollars on technology and a minute amount on training for security. Another area that tends to be neglected is physical security: putting locks on doors, not leaving sensitive information out on a file cabinet or in a dumpster—but also the management of media such as phones and tablets.

Some companies will try to copy a policy (e.g. privacy policy) off of the internet as a template. What are some of the pitfalls of doing this?
Templates are fine but they all need to be customized to make them appropriate for your organization. People want to think that a template will make their job easier but there’s no way of getting around the fact that the policy needs to be adjusted based on the needs of the business. We sell templates as part of our business, but we make them customizable and we give people the tools and tips to help them. There are certainly risks to using a template. For example, many companies in financial services get audited quite often. And the worst thing you can do—almost worse than not having a policy or not following a policy—is to copy a template in a rush and leave it untouched with the wrong information. It’s a huge trend in security and compliance right now to validate third parties, and if you have a sloppy policy, you can also lose business and credibility with clients.

What are some of the most critical policies organizations need to comply with various state or federal regulations?
Well, the ones we’ve talked about already are required. Virtually every regulation specifies physical security, third party security, access control, and acceptable use of internet and email. Two areas I haven’t talked about are business continuity and breach response. Regulators spend a lot of time looking at breaches and what happened so that they can stop them from happening in the future. Breach response plans need to be written and incorporated into company policy. Disaster recovery and business continuity is a big area—we’ve seen over the past couple of years that natural disasters can knock out a business for weeks at a time. In general, I think people have to have an eye toward a comprehensive set of security policies and not just look at something like access control in isolation. You cannot comply with regulations by just picking one or two areas to focus on. If you have a small business you might not need the same intricate detail a big company will need, but you still need to have a comprehensive policy.

In conclusion…
As Mr. Lineman points out, good privacy and security practices start with a written policy. But that’s only the beginning. There then needs to be internal enforcement and fine-tuning of the policy to ensure adherence. We have also seen similar problems with templates. Plaintiff lawyers love to point out inaccuracies in a company’s policy, especially where it says one thing but the company is doing another, so an unmodified template that does not match actual practice can be argued to be a deceptive trade practice, which only strengthens a negligence claim against you.
