The Equifax data breach — which may have exposed the credit card and social security information of as many as 143 million U.S. customers — doesn’t just have consumers concerned: Businesses are realizing their vulnerability to cyberattacks and the potential far-reaching impacts and financial consequences. Companies need to go beyond taking the appropriate steps to reduce cyber-security risks internally and ensure that their external technology vendors are also exercising best practices when it comes to protecting data.
Data breach, top risk for businesses
Equifax, a U.S. consumer credit reporting agency, announced the cybersecurity incident late last week, causing shares to tumble as much as 14 percent. Per the announcement, criminals exploited a U.S. website application vulnerability to gain access to information — including names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license and credit card numbers.
And while Equifax is unique in that its entire business model essentially runs off highly-sensitive customer data, most businesses have such data stored either on customers or employees — particularly when it comes to personal insurance and claims data, much of which mirrors the information confiscated in the Equifax breach. This means essentially no company can be too cautious.
Cybersecurity is consistently named a top risk for businesses — with cybercrime costing the global economy an estimated $445 billion annually, according to a report from the Center for Strategic and International Studies called, “Net Losses: Estimating the Global Cost of Cyber-Crime.” In this unfortunate environment where cyber attacks are seemingly “when” more than “if” events, organizations are obviously looking for ways to minimize the impact of a cybersecurity breach on their businesses.
Naturally, companies think of turning to insurance for help reducing potential damages, but securing cyber-liability policies is no simple task because insurers are struggling to accurately underwrite these risks, according to information from the National Association of Insurance Commissioners (NAIC). That being said, companies need standards and processes in place to reduce cyber risks and the associated damages — for both risk mitigation and cyber-liability insurance eligibility purposes.
According to NAIC, insurers will likely want access to businesses’ disaster response plans so they can evaluate their risk management of networks, websites, physical assets and intellectual property; details around how employees and others can access data systems; and information about antivirus and anti-malware software, the frequency of updates and the performance of firewalls.
How risk management technology aids cyber-security efforts
The right risk management technology can actually help with several pieces of the cyber-security puzzle facing businesses today — particularly, lessening the burden on your IT department and improving your disaster response processes.
For instance, truly integrated risk management technology can replace innumerable applications (from enterprise risk management and Sarbanes-Oxley solutions, to claims management and compliance and regulatory management solutions, to health and safety management solutions).
With fewer applications or systems to manage, and less burden on your internal server, your IT department might actually have more time to focus on broader and more impactful cyber-security efforts. This is really just the tip of the iceberg in terms of what risk management technology can do for your IT department and cyber-security.
As for disaster recovery plans, risk management technology can automate the the entire disaster response process: Should a cyber-security breach occur, the system can automatically put the disaster response plan in motion — alerting stakeholders of the event and next steps accountable individuals need to take.
Not only will a well-oiled and timely approach likely help with reputation management in such scenarios, it could help with compliance, too, as requirements are increasing globally for how data and subsequent breaches must be handled.
Risk management technology serves to help organizations with the wide array of risks facing their businesses today, including cyber-security. Cyber-security is an issue organizations cannot afford to take lightly — either internally or with their vendors. Cybercrime costs the global economy an estimated $445 billion annually, according to a report from the Center for Strategic and International Studies called, “Net Losses: Estimating the Global Cost of Cyber-Crime.”
No matter what type of technology you deploy at your company and its intended function — whether it’s to manage risk, content, customers, etc. — you need to ensure it is secure and that the supporting technology vendor has best-in-class cyber-security procedures in place.
Here are four questions you should ask any technology vendor providing you software-as-a-service or handling your data to ensure they are minimizing cyber-security risks to your company:
- Is your company data-security certified (i.e., SSAE-16 Type 1 and Type 2, SOC-2, etc.)?
- What is your company doing, beyond certification, to be prepared for new threats?
- Does your company have cyber security response teams?
- Does your company or your partners have your own cybersecurity insurance coverage?
These questions are certainly pertinent when engaging with risk management technology vendors since risk, insurance and claims data can be highly sensitive. In fact, the right risk management technology should not only secure, but it should be able to actually assist with how your cyber-security program functions.
For instance, truly integrated risk management technology can reprieve your IT department from managing so many applications; streamline the disaster recovery process in the event of a breach; or assist with prevention and compliance efforts by tracking cyber-security training requirements, alongside employee training completion.
In conclusion, while it’s important to appropriately vet your vendors’ cyber-security practices, don’t forget to ask your internal IT leadership the above-mentioned questions as well. Ironically, organizations oftentimes realize they don’t meet the very data security requirements they are asking their vendors to meet during either the procurement or implementation processes.
Cyber risks are top of mind for businesses today as more companies find themselves falling prey to expensive and damaging data breaches. Prepare for this risk — and so many others — with the help of risk management technology.