The U.S. economy has traditionally been product based, with companies increasing revenue by selling more products. However, as technology has expanded, the emphasis has shifted, says Kevin P. Kalinich, co-national managing director of Aon Risk Solutions’ financial services group.
“There has been an evolution and transformation in the economy from product based to service based, and an increasing reliance on electronic data,” says Kalinich. “These two changes apply to all companies, both product and service oriented. As a result, analysis has determined that more than 75 percent of an entity’s value is in its information assets.”
Smart Business spoke with Kalinich and with Chris Mower, senior vice president of Aon Risk Solutions’ financial services group, about how to protect your company’s valuable information from cyber threats.
What is cyber liability?
Cyber liability is the potential exposure of losing, destroying, or unauthorized disclosures of that goldmine of data. The data can be trade secrets, customer lists, or third-party data, such as customers’ personally identifiable information, credit card, Social Security or bank account numbers.
The unique exposure issue with cyber liability is that it is not based on the size of your company. If you look at directors’ and officers’, property insurance or general liability, the biggest factors are the capitalization of the company, revenue or amount of property. Analyzing these factors is how you evaluate exposure. With cyber liability, a small or medium-sized company could have catastrophic amounts of data.
What are the most common cyber threats?
The highest profile threats are hacking attacks. Third-party hacker attacks are getting the most attention now that the federal government created a cyber protection policy and is promoting an international strategy for cyber space. The larger exposure is social engineering, which is the negligence of entities in dealing with their data and mistakes people make apart from any IT security issues.
Both types of exposure can be addressed. To combat third-party hackers, entities must understand the best methods for risk mitigation. Companies can also ensure they have the best IT standards implemented.
For insider or negligence exposures, training and implementation of those practices is still important, but so is human behavioral engineering. When your HR department employees interview someone, are they trained on what they should or shouldn’t be doing? Do you have annual usage monitoring of employee computers? Do employees take an updated training course every year and click a box stating they understand the company’s data protection policy? While third-party hacking is more about IT security and encryption, there are more policies, procedures and guidelines involved in avoiding negligence.
How can employers fight these threats?
The first steps are identifying critical information and classifying the data. Critical information could involve credit card numbers for a business, patient information for a medical organization, or student information for an educational institution. You should classify critical data versus not-as-critical data, such as e-mail addresses or addresses without personal information. Once you classify that data, treat it differently. Different people might have access or there might be different protections; for example, critical data may have 100 percent encryption.
Why is it important to classify lower-priority data as less critical?
Because of cost and efficiency. You can paralyze yourself if key employees don’t have access to the data they need to do their jobs efficiently without being burdened. There is also a greater cost involved to implement more stringent IT procedures. It’s just not practical for everything to be 100 percent encrypted.
How can cyber threats hurt your company?
You can have third-party liability for the breach, in which you must pay defense costs and indemnity for individuals who have been harmed. You can have a loss of reputation. Also, there could be fines and penalties from government authorities, HIPAA, or credit card companies. Data exposures introduce a number of potential lawsuits.
How can companies determine if they need cyber liability insurance?
There are a few issues to handle before considering insurance. Most entities have outsourced information and you have to make sure that third-party vendors are in compliance with your IT security protections. You need a representation and warranty from the vendor stating that its company is up to standard and will hold harmless and indemnify you, because it has your critical data.
Contractual allocational liability is a critical component of the risk transfer, because cyber insurance is based on how much exposure the entity has versus how much is outsourced to third parties and how liability is allocated.
The next step is drafting and implementing a data breach response plan that identifies what to do in the event of a breach. The plan should identify a legal expert to assist with the breach, a forensics expert to determine the extent of the breach and how to stop it, and whether an auditing investigation or credit monitoring is necessary. Also, explore your existing insurance. Look at your general liability, property, crime and D&O policies. You may already have coverage for breaches of data, data loss and media, copyright and trademark issues.
What should companies do if they find gaps in those areas?
If you’ve identified gaps, then consider cyber insurance, which is intended to address the gaps in privacy and security exposures in current policies. Begin to address it and continually evolve. You can use data and technology as a tool to differentiate and enhance your company, instead of it being used as a weapon against you.
Kevin P. Kalinich is co-national managing director of Aon Risk Solutions’ financial services group. Reach him at firstname.lastname@example.org. Chris Mower is senior vice president of Aon Risk Solutions’ financial services group. Reach him at (314) 854-0806 or email@example.com.