Lockton Launches Outsourcing, Data Breaches Risk Management Service

Lockton announced that is launching a unique set of risk management services to help companies address outsourcing risk and corporate response plans for data breaches.

“These services are supported by leading cyber insurance underwriters at Lloyd’s–ACE Global Markets, Brit Syndicates Limited, Hiscox — and legal and security experts,” said the bulletin.

The two services, “Vendor Risk Management and Contract Governance” and “Designing a Security Breach Incident Response Plan,” address the increasing scope of risks associated with outsourcing/off-shoring critical business and information technology (IT) functions.

Lockton noted that “this affects the international business community from both the client and vendor perspective. A wide variety of industries including financial services, retailing, healthcare, utilities, and hospitality/travel outsource core functions. The risks associated with outsourcing may be identified too late in the procurement process to properly handle due diligence, contract, and vendor insurance issues.

“Likewise, U.S. organizations alone reported more than 600 security breaches in 2008, involving personally identifiable financial and/or medical information. This demonstrates the pressing need for a corporate plan to address the major costs of notification and credit monitoring and protection services after a data breach.”

Lockton added that from its experience, “most companies lack such plans, and therefore have increased exposure to potential litigation or regulatory investigation, as well as the cost of notification to comply with more than 44 U.S. State laws.” In addition, Lockton said: “Mandatory notification requirements are likely to be introduced in other countries around t he world as well.”

The broker will launch a series of workshops, as well as individual client consultations, to provide tools, access to experts, and best practices to enable a cross-functional risk team to develop and implement an effective vendor risk management and security breach incident response plan.

Lockton’s goal is to facilitate initial discussion and support to risk management, legal, IT, internal audit, and operations. It calls for introducing the following:
— Creating a multi-functional task force to define and lead the project
— Defining key elements of the plan
— Providing access to specialized external IT and legal resources
— Offering tools, best practices white papers, and contract wordings (including draft insurance clause for vendors)
— Offering review of insurance policies regarding cyber, professional liability, and operational risks

Lockton Executive Director Emily Freeman, who leads the broker’s Technology, Media, and Telecom Practice in London, commented: “As insurance brokers supporting our client’s risk management efforts, the Lockton program is both innovative and timely. Many organizations remain critically unprepared for risk issues with outsourcing to third parties and data transfers outside of their country of domicile. Unfortunately, security breaches, either direct or through vendors, happen with increasing frequency and severity. Preplanning is a necessity if business activities involve personally identifiable financial, personal or medical data.”

Rick Dakin, a forensic expert and President and Co-Founder, Coalfire Systems, Inc., added: “Information risk and compliance management programs are key drivers at the enterprise level for many organizations in response to a wave of significant data breaches and increasingly stringent data privacy regulations.

“After the fact, executives from these compromised organizations often express a sincere wish for someone to help them understand these risks and associated mitigation strategies before and after the incident. The fastest growing part of Coalfire’s business is forensic analysis and e-discovery to support incident response efforts. The Lockton approach mitigates risk by adding insurance to augment controls deployed through internal programs and service providers.”

Mark E. Schreiber, Chair of Edwards, Angell, Palmer & Dodges Privacy Group, agreed with this approach. He noted: “New collaborative efforts of this sort, especially coming from different disciplines, will provide key elements in corporate risk reduction in the data breach response and data compliance area. The fixes for these problems will inevitably require fresh approaches and the combined efforts of focused brokerage, insurance, forensic IT, legal and risk professionals, and increasingly on an international basis.”

Source: Lockton – www.lockton.com