‘Hackers’ Prompt Lockton to Advise Risk Managers on Cyber Thieves

February 25, 2010

“A new wave of hacker attacks is breaching corporate and outsourced information systems with one information security firm recently detailing coordinated hacker attacks on 2,400 companies and government agencies during the past 18 months,” says a bulletin from Lockton’s London office.

“The hacker attacks create headaches and potential liabilities for corporate risk managers by exposing vast amounts of personal and corporate secrets to cyber thieves.”

Lockton has consequently warned risk managers to prepare to meet the attacks “by taking an enterprise risk management approach. Risk managers can prevent cyber thieves from harming systems, data and reputations using the approaches noted in a new industry report from the insurance broker, ‘”What should you do to prevent cyber thieves?'”

Emily Freeman, head of Lockton’s Technology, Media and Telecommunications practice in London, pointed out that it’s “not just an IT security issue, rather an enterprise risk management issue that involves not only IT, but also the risk manager, legal department, compliance, internal audit, procurement, and operations.

“Many corporate executives mistakenly believe that by outsourcing the work to vendors, they have also transferred the liability that may arise from a data breach or system failure,” she added. “Unfortunately, that is not the case. The legal and regulatory liability primarily remains with the data owner.”

Lockton’s cyber theft report offers additional recommendations to prevent breaches and to minimize the damage when they happen in the report, including the following:
— Focus on people and processes, not just technology aspects of security controls. Physical security and technology tools are an excellent part of a comprehensive approach, but focus as well on people and processes failures and potential for malicious acts.
— Manage your high risk vendors. Identify all your high risk vendors for security and privacy risks, including credit card processors. Ensure that they are in compliance with industry standards or PCI if applicable. Include strong indemnity/insurance requirements for data risks in your vendor contract.
— Test your controls and fix vulnerabilities continuously. You cannot prevent criminals from trying to break in, but testing and controls, especially with the assistance of outside security firms, can contain or minimize incidents and prevent breaches.

Freeman concluded: “Companies protect themselves as the ultimate responsibility lies with the data owner and there is the very real possibility that the vendor could commit a breach in security that could overwhelm them and their available insurance limits.”

Source: Lockton – www.lockton.com

Was this article valuable?

Here are more articles you may enjoy.