Cybersecurity threats are constantly evolving, and so are the strategies required to stay ahead of them. As new risks—and new regulatory considerations—take shape, business leaders can benefit from embracing more proactive, holistic approaches to data security.
Protecting digital data is more important than ever. Now that remote work and e-commerce are essential parts of many people's lives, companies have an increased responsibility not only to keep their systems secure, but also to understand how customer information flows through them. Without that understanding, they have little ability to spot or rectify the vulnerabilities that attackers can exploit.
That’s why the new keys to cybersecurity start with knowledge and continue with action. Businesses that invest in considering how their systems, people and insurance coverage work together will have the best ability to stay ahead of new threats in the uncertain times ahead.
Recognizing Service Provider Risks
As companies embraced a “data is the new oil” mindset, many rushed toward new technology solutions and data sets to take advantage. But bringing in new tools without a security-first outlook has the potential to add undue risk to a company's tech stack.
Business leaders and the SEC alike increasingly recognize that the role of vendors in cybersecurity is significant. How an organization uses third-party solutions—and the access those vendors receive to customer or partner information—can be some of an organization's biggest (and least understood) liabilities.
Establishing an end-to-end vendor management program, with clear sightlines into how data is collected or used by each service provider, is essential to mitigating risk. Understanding each provider’s legal obligations—especially in the event of a data breach—is an important part of vendor management, as well.
Sometimes, companies are notified by a third-party software vendor that a breach incident occurred, but then do not receive further follow-up with additional information for days (or weeks). This is technically allowable, since the third party can take as long as it wants unless it is contractually obliged otherwise. While the company waits for answers, its own deadlines for reporting the breach to customers within a certain timeframe may pass unmet. (The EU's General Data Protection Regulation, aka GDPR, stipulates reporting within a 72-hour window, for example. Many U.S. states also have their own requirements.)
Reconfiguring Personnel and Governance
Cybersecurity laws are evolving state-by-state. Currently, 48 states have data-breach-notification requirements in place, and more than 300 separate bills related to cybersecurity have been introduced across 43 states, at last count.
With so many regulations and consumer expectations around data collection continually changing, companies are facing down new compliance and reputational risks in addition to criminal threats: 61% of organizations that are subject to GDPR, for example, collect more customer data than the law permits, and 54% do not review internal-user access rights to customer data on a regular basis.
Adhering to best practices by developing comprehensive written policies that outline internal controls and processes for each data set and software system—spanning all concerns related to security, access, storage and infrastructure—can mitigate the potential for miscollection or misuse of customer data.
Companies also should approach personnel decisions, access levels and internal hierarchies with a mind for limiting undue access. In the event a data-breach incident occurs, a strong approach to governance can also make it easier to pinpoint where and how data was compromised (and by whom).
And as remote work grows more and more common, having direct insight into the in-system activities of personnel is a growing priority for many companies. Investing in robust identity-and-access management efforts and solutions can help companies track and monitor data access points more effectively.
Revisiting Your Cyber Insurance
Even with the best protections, the likelihood of a data-breach incident is high for most companies. Knowing this, insurers tend to offer cybersecurity coverage as a commoditized, one-size-fits-all product. Companies often don’t know what’s covered, or misinterpret what is.
For example, some plans may cover “erroneous” fund transfers but carry “theft-of-funds” exclusions. In the case of a social engineering attack, in which funds are stolen by inducing their transfer to an outside account, the losses likely wouldn’t be insured (even though companies often expect them to be). Business interruption coverage related to cybersecurity attacks also tends to be heavily limited.
Experts increasingly recommend that companies take a “design your own” approach to cyber insurance—starting by researching the unique risks the insurer would be taking on, and the key threats their systems are most vulnerable to. From there, they can speak to various providers to get appropriate coverage across all areas of need.
Key to keep in mind is the difference between first-party and third-party insurance. First-party coverage pays for a company’s own damages from cyber losses, whereas third-party coverage pays the legal expenses incurred when the company is blamed for causing another party’s cyber losses. Depending on what types of services a company offers, it may need one or both types of policies.
As companies move from reactive to proactive approaches to security, the importance of focusing on underlying infrastructure and processes (and having coverage for any future incidents) is only growing. Meeting the challenges of a changing landscape takes the right combination of knowledge of how systems work, and actions to address their weaknesses, across all foundational areas of security.