As cyber attacks become a growing concern with advances in technology, firms should be working to establish a cybersecurity plan that is cohesive across business operations to effectively reduce damage and cyber insurance claims, according to panelists at the 2016 Professional Liability Underwriting Society (PLUS) Cyber Liability Symposium held Tuesday at the Hilton Midtown in New York City.
“That is the biggest barrier to quickly acting when you have a risk event,” said panelist Cari Toneck, chief compliance and risk officer at Methodist Hospital of Southern California. “You need to think of [cybersecurity] like disaster management – similar to your plan for an event like Hurricane Katrina – where everybody is on the same page. The key players in an organization need to immediately get together to respond to an event in a cohesive fashion and look at cyber risk as something that has the potential to domino into other claims and exposure.”
Toneck pointed to one example of a local hospital in California that recently suffered a ransomware attack, where attackers demand ransom payments in exchange for the return of stolen data.
“The hospital didn’t have that cohesive structure,” she said. “Its backup data wasn’t available for days, so it had to divert all patients from the 400-bed hospital to another location, figure out how to manage patients en route and were late in notifying state authorities. As a result, there was a full-blown department of health survey, in which unexpected violations were found and [the hospital] had to be shut down for two weeks.”
Indeed, business interruption can present as big a risk of damage for companies as stolen data, according to Linda Betz, chief information security officer at Travelers.
“When attacks happen, attackers are either trying to gain access into your system or trying to interrupt your business operations,” she said during the panel discussion, emphasizing the importance of having a plan that is integrated across business operations so firms aren’t scrambling to work together and regain functionality when an attack occurs.
N. MacDonnell Ulsch, senior managing director at PricewaterhouseCoopers LLP, added that it is important for companies to adapt business processes to work together in establishing a unified cybersecurity plan. Today, cybersecurity needs to be built into hardware and software products the day they are implemented, since that is how the Federal Trade Commission (FTC) has said it will evaluate companies going forward in the event of a breach, he stated.
“A lot of these things sound extreme until you start to implement them,” he said. “Business processes are critical, but cybersecurity is also critical. We just need to make them work together.”
As cyber risk begins to be perceived as a risk equal to or sometimes greater than certain types of physical risk, companies need to be asking how their cybersecurity plan allows them to recover from an attack and how it furthers the company’s viability in the event of an attack, whether it’s a data breach or a business interruption, Betz said. Companies can do this by developing a cybersecurity plan that is not only inclusive across all business operations, but is forward looking as technology continues to evolve, she stated.
“There’s probably something else that will happen tomorrow we haven’t thought about,” she said. “We have to be moving forward to stay competitive, unless we turn off all of our computers, which isn’t an option. So, companies need to be thinking about the future as they’re forming a cybersecurity plan.”