Because cyber crime has developed into a problem with potentially catastrophic consequences, cyber risk is arguably one of the greatest threats facing companies today. The 2009 Computer Crime and Security Survey conducted by the Computer Security Institute found that 43 percent of U.S. businesses experienced some kind of cyber security incident last year.
In the face of these threats, formal protection efforts are inconsistent at best: The World Wide Web is global and borderless, and laws that govern the protection and disclosure of confidential consumer information vary considerably from state to state and country to country.
All organizations are at risk for some type of data exposure. After all, the use of interconnected networks and cloud computing is nearly unavoidable in today’s business world and can provide innumerable benefits.
Companies need to invest in technologies and establish policies that safeguard data and lessen the risk of a breach, which could cause a company to incur sizable direct cleanup expenses while severely damaging customer trust and loyalty.
There are five crucial steps a company can take to protect itself from the surge of cyber crime:
1. Enlist the CFO in the fight against cyber crime. The responsibility for preventing network security and privacy exposures extends well beyond the information technology department. Rather, the chief financial officer should lead the company’s efforts and develop a holistic, enterprise-wide approach. With a visible, senior-level executive directing the cyber risk management initiative, people at all levels of the organization are more likely to fully understand the financial risks involved and work to manage them.
2. Uncover the cyber crime vulnerability, and quantify it. To comply with corporate governance best practices, an organization should hire a third-party expert to evaluate the organization’s cyber risk and the potential financial impact of a breach. Questions to consider:
- Is our organization retaining any private data about clients, vendors or employees?
- What’s the best way for us to evaluate the costs and benefits of additional IT loss-prevention expenditures?
- Should we purchase cyber risk insurance?
3. Add a cyber risk expert to the company’s board of directors. Awareness and visibility begin at the top. By having a board member who is familiar with cyber crime and understands the level of risk and the loss potential, an organization can ensure this issue remains a priority. Additionally, a board member with a deep understanding of cyber liability can guarantee a holistic approach to risk management within the company and can oversee the adoption of formal procedures to control data security.
4. Consider risk transfer solutions. Now is the time to consider an insurance solution for cyber exposure. Because security breaches typically occur in areas of the organization generally considered to have adequate security protocols — or in unanticipated areas — insurance makes good sense. Fortunately, the overall property & casualty insurance market remains favorable, and numerous insurers are committed to this field. While there’s no replacement for sound risk management practices, a comprehensive insurance policy can be a solid last line of defense.
The number of data security breaches within companies is growing exponentially as they rely more heavily on technology and the Internet. Every organization must protect its priceless data and develop ways to prevent costly breaches.
Racioppo is executive liability practice leader, and Nelson is senior vice president and sales leader, risk advisory and brokerage, with global consulting firm Towers Watson.