Webinars      Login/Register      Cart

InfoGovANZ

Information Governance Think Tank

Cyber & Info Security

OAIC Data Breach report: January – June 2020

by

The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches (NDB) Report for January to June 2020.

Malicious or criminal attacks remain the leading cause of data breaches involving personal information in Australia.    Commissioner Angelene Falk said,  'this trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks. It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.'

In other findings:

  • Health service providers continued to be the top reporting sector (115 notifications), followed by the finance and education sectors, and the insurance industry making the top 5 sectors for the first time.
  • The number of notifications resulting from social engineering or impersonation has increased by 47%.
  • Actions taken by a rogue employee or insider threat accounted for 25 notifications, and theft of paperwork or storage devices resulted in 24 notifications.
  • Human error accounted for 34% of data breaches. As Commissioner Falk stated, 'it reinforces the need for organisations and agencies to take reasonable steps to prevent human error breaches, including training for staff who handle personal information.'

The Commissioner has also reminded organisations that they must also continue to assess and address any privacy impacts of changed business practices, both during their response to the COVID-19 outbreak and through the recovery.

Read the Notifiable Data Breaches Report for January-June 2020.

Information Security Risk Management Practitioner Guide – OVIC

by

The Office of the Victorian Information Commissioner (OVIC) issues security guides to support the Victorian Protective Data Security Standards (VPDSS).

This document provides organisations with guidance on security risk management fundamentals to enable them to undertake a Security Risk Profile Assessment (SRPA) as required under s89 of the Privacy and Data Protection Act 2014(PDP Act) and is designed to support practitioners and information security leads.

Information Governance + COVID-19 Roundtable Report

by

To celebrate Information Awareness Month (IAM2020) and Privacy Awareness Week (PAW2020), we kicked off with an online panel discussion on the myriad of Information Governance issues arising from the COVID-19 pandemic.

Our panellists included – Melanie Marks, Christopher ColwellSonya Sherman, Dr Peter Chapman, Matthew Golab and the discussion was facilitated by Susan Bennett

The importance of connectivity and of access to trusted information, the role of fit for purposes systems to capture records during a crisis and accountability for decisions made during the pandemic period were all highlighted. Discussion around the COVIDSafeApp emphasised that privacy by design and governance of data are key for user trust.  A key focus of the discussion were increased information security and cybersecurity risks with the move to working from home.  These include the risks of data leakage, data breach, shadow IT and cyber-crimes. In summary, the discussion emphasised that the myriad of information, records, privacy and data challenges arising from COVID-19 require robust information governance structures to meet changed work environments with updated policies, processes and training.

Sonya Sherman on public records, information access and information governance

  • Connectivity: Access to trusted information is critical, today.
  • Sustainability: Today’s solutions also have to support the business of tomorrow.
  • Accountability: Decisions and actions will be scrutinised. Inform response ‘next time’.

Sonya noted that the COVID crisis has in some ways been a “burning platform” for digital transformation. Previous barriers to change have been pushed aside, but there is a risk that information strategy and governance are being overlooked in the rush. She believes it is possible to transform quickly and securely with the right tools, policies and practices.

Organisations today are focused on connectivity, providing access to equipment so their staff can carry on business as usual. But Sonya pointed out that access to information is just as important as access to technology. Information is what underpins important decisions and actions in crisis response – so the information has to come from reliable, well-managed sources.

These changes have marked a major shift in the way we work and Sonya predicted we will likely never go back to the old ways of working. The systems and processes we put in place today will be in use for the future. So we have to ensure they are sustainable and help us apply good governance across a remote workforce and a distributed information ecosystem.

Sonya’s final observation was that we also have to prepare to be accountable. She noted the inquiries have already begun into the recent bushfires and the Ruby Princess cruise ship. All the decisions and actions being taken during this time are likely to be subject to scrutiny in the months ahead, so good records and the ability to respond to requests for information, will be critical.

Just as we are now relying on records of how the SARS and Ebola epidemics were managed and the research into vaccines at that time, the records of our actions today will help us respond more effectively when the next deadly virus evolves. But Sonya emphasised this will only be possible if the data and information are well-managed today.

Christopher Colwell on records management challenges

Chris started out by observing that for many organisations the current environment and remote working had highlighted the importance of documents and records to the efficient running of business.  Records in their various forms are not just evidence of past actions but they are in effect the “lifeblood” of most organisations.

Following on from Sonya’s observations Chris noted that there were two major challenges facing organisations at this time. The first is having fit for purpose systems to capture the appropriate records of business during a crisis incident such as this one.  The second challenge at present is being able to access all relevant systems and records remotely.  This will be especially challenging if some of those records were in hardcopy form rather than digital.

Chris pointed out that the ability to capture records into organisational systems and then preserve them for their correct periods of time is especially important not only for accountability, transparency and business efficiency, but also for the greater public good as well.  Records of what steps were taken and by whom and when will be especially important for learning from the current pandemic as a society.

He noted that records and information management professionals are particularly well placed to assist organisations to make judgements about what kinds of records they should be focussing on to ensure that the corporate and societal record of this time is preserved.  That is one of the key skill sets that they can bring to bear at this time. Chris also noted that when things return to some semblance of normal it may also be important to conduct some kind of reconciliation exercise to ensure all the right records are captured.  This will be especially important where manual workarounds and personal devices may have been used at particular points when corporate systems failed or had been off-line for a period of time.

These points were further highlighted and reinforced during the webinar chat as participants drew everyone’s attention to the declaration made by UNESCO through its Memory of the World program calling on member states to turn the “threat of COVID-19 into an opportunity for greater support to documentary heritage”. On the day of the webinar six leading information management associations including ARMA International and the International Council for Archives also issued a further statement and advice highlighting that “the duty to document does not cease in a crisis, it becomes essential”.

Dr Peter Chapman on cybersecurity & remote working

Peter noted that massive social upheaval combined with equally large changes to our standard business processes has created a perfect storm scenario for cyber-crime and data breaches – both deliberate and accidental. However, for agile organisations this unique event can be used as an opportunity to improve their cyber resilience.

With most of our business process workforce currently working from home, Peter highlighted that we are effectively flipping the concept of “BYO device” on its head. Larger, well-resourced organisations will likely have already had some IT security infrastructure in place to assist with this change; secured laptops running locked down standard operating environments, VPNs for connection through home wifi and multi-factor authentication requirements for critical systems. While smaller and less well-resourced organisations may not have had these systems in place and will struggle to implement them in the current environment, leaving them at significant risk of serious IT security incidents.

It logically follows that the work from home arrangements we have had over the last couple of months have substantially increased the risks of organisational data and records spreading into the “shadow IT” environment, such as personal computers and USB devices, cloud storage accounts and the like.

Peter stressed that while storing sensitive internal or client data on personal devices should clearly be ruled out in any appropriately worded Acceptable Use of Technology policy, organisations have to meet their employees half-way in this endeavour by providing secure, functional and easy-to-use devices and applications to conduct their work. Insisting employees utilise clunky, inefficient or otherwise broken “approved” technology is just asking for trouble.

As has been reported widely in the press, organised cyber-criminals and other groups are very effectively utilising the COVID-19 pandemic to supercharge their activities – with the possible exception of the call-centre scams, quips Peter, who are also apparently struggling with the whole work from home thing as well.

He reminded all participants that cybercriminals generally exploit one or more of our negative attributes when they use social engineering to trick us into clicking on something we shouldn’t – whether it is greed, fear or ignorance – and the current environment has plenty of those things going around, so it unsurprising we have seen so much phishing activity of late.

Cybercriminals can deploy authentic looking websites, applications, emails and SMS broadcasts, even quicker than the official channels – scam emails and SMS messages about accessing government payments were in the wild within a day of policy announcements – which should be the biggest tip off as the government would never move that quickly.

Peter highlighted that while many of these attacks are aimed at private individuals, they are equally effective at compromising the personal devices of employees that are trying to work from home with insufficient technology resources.

Apart from deploying ransom-ware and other malicious software, once access has been obtained an attacker may just quietly monitor an employee’s emails, waiting for an opportune moment to launch a high value “man in the middle attack” or just siphoning off sensitive data.

It’s easy to get caught up and overwhelmed in the doom and gloom of IT security risks, especially when they are exacerbated by the rapid changes we have seen in the last few months. However, Peter spotlighted that many organisations and many employees have demonstrated a lot more flexibility and capacity to change than would have been guessed at pre-COVID. He’s hopeful that organisations can use this experience as a platform for implementing improved security of their data, bringing employees along for the journey by clearly showing the need for things like anti-phishing programs and restrictions on the use of non-vetted applications and devices in the light of the increased cybercrime activity while we have been battling COVID.

If you would like to listen to the full discussion you can access a recording of the session here.

Broken Trust – The Information Security Dangers of Insider Threats

by

 

The increasing awareness of external cyber-security threats has executives focused on how their organisation can be defended against the “enemy at the gates”. But are organisations just as much at risk from an “enemy within”? In this article Dr Peter Chapman, Director in the Ferrier Hodgson Forensic Technology and eDiscovery team and InfoGovANZ advisory board member, provides an opinion and case study on insider threat.

The media provides us with constant reminders of the threat of cyber-criminals and other external attackers. Recent legislative and regulatory changes such as the European Union GDPR requirements and mandatory breach notification amendments to the Australian Privacy Act have only increased our awareness, specifically with regards to ensuring that personally identifiable information (PII) in the possession of the organisation is safeguarded.

While PII data is undoubtedly a target of external attackers, and external threats must be guarded against, organisations may be overlooking significant insider threats to their intellectual property and commercially sensitive data.

From an external threat perspective, the concept of information security is relatively straightforward in that our confidential information should never be accessed by cyber-criminals and untrusted external parties. Organisations deploy strong perimeter and controls targeted at external parties (e.g. firewalls, intrusion detection systems, anti-virus, penetration testing) to thwart the efforts of external attackers. It is more difficult to establish effective control systems to prevent and detect internal threat activity.

External-focused controls often do little to prevent or identify the actions of a rogue employee intent on removing sensitive information from the control of the organisation.

Without the constant flow of information between employees, business partners and other entities, organisational performance will rapidly decline. It is also the case that much of the information held by an organisation may be confidential or commercially sensitive. As a result, organisations must extend a level of trust to their employees and business partners which is not afforded to external entities. While this trust is generally respected by the majority, there will always be a minority who will abuse and exploit this trust for their own purposes.

Organisations must balance the inherent tension between making information available to boost performance and securing information to mitigate risk.

Internal attacks were only considered the eighth most serious cyber threat by C-suite leaders and IT executives in the 2018-2019 EY Global Information Security Survey (1). The quarterly statistics published by the Office of the Australian Information Commissioner regarding the Notifiable Data Breaches scheme appears to support this view, at least on first glance. Since the start of reporting in February 2018, insider threat related breaches only account for 9% (on average) of maliciously motivated data breaches that have been reported under the scheme, far outweighed by reported breaches caused by an external malicious actor (2).

Unfortunately, the Notifiable Data Breach statistics are not a useful source for assessing the quantity and severity of malicious internal threat incidents. Organisations do not need to report a breach event if they are confident the data does not contain PII and even where PII is present in the data taken (such as client contact lists), organisations suffering an internal breach generally will have more insight into the motivation and intentions of the perpetrator. The majority of malicious internal breach events relate to employees who take data in order to operate in competition with the organisation. It may be reasonable to assume that the chances of serious harm befalling the persons whose PII data has been taken in such a scenario is low. This in turns means that that reporting the breach is no longer mandatory.

The commercial consequences of an internal breach may still be severe even if the incident does not meet the criteria of a mandatory breach notification.

Despite the apparent lack of visibility and profile when it comes to internal threats, it is evident that most IT security incidents originate from the actions of internal actors (three quarters of incidents originated from the actions of employees, former employees or third parties such as suppliers according to the 2018 PwC Global State of Information Security Survey (3) and the Clearswift Insider Threat Index 2017 (4). These figures combine both malicious and accidental breaches, demonstrating that when an insider acts in a malicious manner, or causes a breach through misadventure, it is much harder to prevent the attack or mistake as the insider is already operating with a level of trust within the organisation’s security perimeter. Accordingly, ensuring all staff are educated on data breach risks and the promotion of a strong culture around data security are worthwhile objectives for all organisations.

Malicious insider attacks can lead to the loss of targeted strategic and commercially sensitive data directly into the hands of a competitor. This means that despite their lower visibility, internally originated breach events can be a more serious threat to organisations than externally originated ones (5).

Internal Data Breach Case Study

A recent internal data breach investigation highlights how even a seemingly innocuous and “non-malicious” insider data breach can rapidly escalate into a serious risk issue for an organisation.

The organisation in this case, referred to as Upsilon, is a large multi-national which has made significant investments in information security policies, training and infrastructure. Like many organisations, Upsilon holds confidential information and sensitive data about its own operations as well as confidential information relating to customers and business partners.

The employee responsible for the internal data breach was a highly skilled senior employee, who was trusted with access to highly confidential internal and client information as part of his role. The employee also operated a small side-business in his area of speciality. While this side-business was declared to Upsilon and flagged as a potential conflict of interest at the time, it was agreed that the employee’s side-business did not directly compete with Upsilon and any conflicts would be managed should they arise in the future.


A BYOD policy was in place at Upsilon and the employee was allowed to utilise a BYOD laptop under certain conditions, one of which being a prohibition on accessing or storing confidential client data on the BYOD laptop. Despite this explicit requirement, the employee decided to use his BYOD laptop to access and store confidential information, later stating that he needed to analyse the confidential data with custom applications that he could only install on his BYOD laptop. The employee also utilised a personal cloud storage service to back-up the content of his laptop without the knowledge of Upsilon, including confidential client information.

The breach in data management procedures remained undetected for a significant period of time, as is common in many data leak scenarios. In this particular case, the employee did not appear have any malicious intention with regards to the data. He simply perceived that it was easier for him to undertake his work on his BYOD laptop. However by doing so, the employee allowed confidential information to be stored on an unencrypted and transportable device that could have been lost or stolen. The employees also caused the data to be uploaded to the servers of an unrelated third party (the cloud storage provider), an action which could have led to data sovereignty issues depending upon the data characteristics and the physical location of those servers.

The breach was eventually discovered when a senior manager happened to discuss a particular work procedures issue that pertained to data held on the BYOD laptop. The senior manager was well aware of the sensitivity of the confidential information the employee worked with, and became immediately concerned that the employee used his BYOD laptop in contrary to data management procedures. The senior manager raised the incident with the IT security team at Upsilon, who in turn initiated an incident response.

Incident response procedures at Upsilon were primarily designed on the assumption that accidental internal data breaches did not require substantial investigation and simply required containment and rectification. Upon request of the IT security team, the employee handed over part of the data and deleted a few files on the BYOD laptop, claiming that this was the extent of the confidential data he had in his possession. Despite his claims to the contrary, it was later identified that much of the confidential information was deliberately retained by the employee on both the BYOD laptop and the cloud storage account. By deliberately avoiding full disclosure and handover of confidential data when initially confronted, the employee demonstrated a clear indifference towards organisational policy, the potential seriousness of the breach and the best interests of Upsilon.

Clear and detailed information management policies at Upsilon required that the incident be escalated to a steering committee for urgent review, even though the initial response appeared to have contained the data breach. The committee identified that a more detailed investigation and forensic analysis of the employee’s devices was required to ensure that all confidential information on the BYOD laptop had been identified and removed.

The employee was requested to hand over the BYOD laptop for review. He initially refused on the grounds that the device was not property of Upsilon and also because personal data and data belonging to his company was present on the device. Once access was negotiated and obtained, the subsequent forensic analysis of the BYOD laptop identified that numerous files had been deleted immediately prior to the laptop being handed over for review and also that a backup of the files on the device, including the confidential data, had been copied to an external storage drive immediately prior to the deletions.


The employee admitted to making copies of the confidential data, handing over the external storage drive and access to the cloud storage repositories. The employee also provided assurances that the confidential data had not been further copied. Despite this second round of assurances, forensic analysis of the online repositories identified that the employee had recently acquired a new laptop and it was likely that the confidential data had also been transferred to this new device. When confronted with these new findings, the employee admitted that he lied for a second time and handed over the new computer. The copies of the data were cleared from the new laptop and forensic analysis confirmed that no further devices or cloud storage accounts appeared to have been used to further propagate the data.

Despite the employee’s best efforts at deception and attempting to disguise the extent of his actions, all confidential data was reclaimed and removed from the employee’s control, providing Upsilon with sufficient assurance that the data breach had been contained and rectified.

Lessons learned

1.     Investing in culture and awareness training around data security

While there were red flags that could have identified that the employee was in breach of policy earlier than it was, the initial detection of the data breach was still a result of Upsilon’s security awareness and policy training.

2.     Incident response policies must address the potential for malicious insider threats

The data breach protocols in place at Upsilon were primarily designed to deal with deliberate breaches caused by an external attacker as well as accidental internal breaches originating from employee error or mishap. The initial response to the breach lacked rigor and required a more investigative mindset on the part of first responders.

3.     Implement appropriate governance and oversight

The initial risk assessment regarding the employee operating a side business appears to have focused primarily on the commercial conflict and did not identify the potential risks relating to confidential data. A more expansive view of risk should be considered when assessing potential conflicts such as this.

Despite the less than optimal initial incident response, Upsilon did have an appropriate escalation and incident management process which identified that the initial incident response may not have been comprehensive and took appropriate steps to address it.

4.     Get the basics right, then implement appropriate controls

Prior to investing in technical and policy control updates, it is imperative that organisations ensure they understand what their critical data is, where it is stored, what it is used for and who needs access to it. Once this is understood, the difficult task of balancing security and accessibility of the data can be undertaken, ideally with a suite of overlapping controls such as: acceptable use policies, data security culture and awareness training, technical controls regarding the use of portable USB storage devices, personal email and Cloud storage, access audit, monitoring and DLP solutions, and an appropriately designed Incident Response policy.

5.     BYOD with care

With regards to BYOD policies, organisations should ensure that a proper risk assessment regarding employee roles, data classification, device security, data access and recovery procedures and legal rights over company data is undertaken PRIOR to allowing employees to access and store commercially sensitive data on personally owned devices.

6.     Trust, but verify

It is essential for organisations to trust employees to do the right thing most of the time. Over-surveillance and deployment of obstructive controls can be just as damaging as being overly lax. However, organisations should be prepared for a scenario where one or more employees deliberately breaches their trust. With this in mind, it is useful to remember the Russian proverb made famous by Ronald Reagan – “Trust, but verify” – when implementing data security policies and controls and also when responding to internal data breach incidents.


References

1.       https://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2018-19/$FILE/ey-global-information-security-survey-2018-19.pdf

2.       https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/

3.       https://www.pwc.com/us/en/services/consulting/cybersecurity/library/information-security-survey.html

4.       https://www.clearswift.com/about-us/pr/press-releases/insider-threat-74-security-incidents-come-extended-enterprise-not-hacking-groups

5.       https://digitalguardian.com/blog/insider-outsider-data-security-threats

Dr Peter Chapman is a Director in the Ferrier Hodgson Forensic Technology and eDiscovery team, lecturer in the Accounting Discipline Group of the UTS Business School and advisory board member of Information Governance ANZ.

 

Information Security & Information Governance – how they work together

by

Information (data) security, cybersecurity and IT security all usually refer to the protection of computer systems and information assets by suitable controls, such as policies, processes, procedures, organizational structures and software and hardware functions. The type and extent of controls depends on the scope and maturity of the business function (usually the Security Department) applying the controls, or, depends on the specialisation/focus of the team, such as Perimeter/Firewall or Identity Management. Each function tends to have a different perspective of information security, compared to other functions, due to their focused specialisation.

A close parallel is the health profession. You see a GP doctor when unwell, and are referred to a specialist who knows much more than your GP about a particular field of expertise. I know that my GP would not want to perform open heart surgery at all. And equally, a heart specialist would not have up-to-date and practical knowledge of all areas of the body. Tinea treatment? – see somebody else please.

In other words, people specialise in a particular aspect of their work. You can’t be an expert in everything. People prioritise – for example, in busy times, a SysOp will not be as vigilant with security when their primary role is to keep the sales /finance system up and running for all users.

This is exactly how Information Security Systems operate. For example, an Information Security Management System (ISMS) such as ISO27001 or the NIST Cybersecurity Framework offers great best-practice information security methods. While an ISMS operated by the Security function will have a security-centric focus, and provide protection from their perspective, it may not integrate completely with Privacy, Legal, Risk and other functions. As a result of these different specialisations, gaps in coverage can arise. And unfortunately for organisations, is often the risks that they are unaware of that hurt the most.

This is where the benefits of Information Governance are most apparent – as IG provides a framework for these business functions that have a valid interest in information protection. These functions, such as Security, Privacy, Legal, Risk, Audit, Records Management and individual operational Business areas, often operate as silos to good effect vertically but with poor integration horizontally. Information Governance is where the horizontal connections are structured, made, and reinforced, using suitable controls such as the familiar sounding ‘policies, processes, procedures, organizational structures and software and hardware functions’. The Sedona Conference has defined Information Governance as ‘an organisation’s coordinated, inter-disciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value’.

Overall, comprehensive and effective security comes about from covering all of the risks that exist against the assets you want to protect. Despite the three character length, ‘All’ is a big word.

In the end, it’s down to appropriately protecting your assets. To protect, you need to know what assets you are protecting, you need to know what threats exist, and you need to know that your protection methods cover all angles. Information Governance provides for orchestrating all of the protection functions together.

By Richard Kilpatrick

Richard is a highly experienced consultant in information technology, focusing on realistic data governance, security and privacy.  Richard has led programs of work to discover and classify data across multiple business units, within banks, telcos, health and media. In this article, he outlines the difference between Information Security and Information Governance, explaining why IG frameworks are essential for the successful orchestration of specialised security systems.

Connect with Richard on LinkedIn.

 

Cyber Insurance: how it works and the benefits of Information Governance

by

 

As the number and size of cyber attacks on businesses continues to increase, the risk of experiencing a data breach is higher than ever. The resulting cost of these breaches can be significant – according to the Ponemon Institute’s 2017 Cost of Data Breach Study, these totalled $2.51 million per year across the organisations that were recruited for the research.

As a result, an increasing number of organisations are choosing to invest in a cyber insurance policy, which allows them to claim cyber incident response expenses, regulatory fines, legal defence costs and business interruption losses. In other words, offset the cost of a potential data breach.

This article outlines the benefits of cyber insurance and explains why, in today’s digital age, it is vital for organisations to invest in this class of insurance, in addition to understanding the information governance obligations that their insurance policy places on them.

What is a cyber incident?

A cyber incident refers any event that threatens the security, confidentiality, integrity, or availability of information assets (electronic or paper), information systems, and/or the networks that deliver the information.  Any violation of computer security policies, acceptable use policies, or standard computer security practices is classified as a cyber incident. (Source : CABQ)

Information governance, along with risk management, may not prevent a cyber attack from occurring, but it can certainly reduce its impact on the affected company. A cyber threat or breach leaves the company exposed to a loss of integrity and compromised access to information. This also results in the inability to provide the right information to stakeholders and the failure to respond to regulatory obligations. Mature cyber risk governance and risk management plans can prevent the disruption of information governance.

Transfer of risk

When dealing with questions of risk transfer, executives may choose to self-insure. According to the Ponemon Institute’s 2017 Cost of Data Breach Study,, the average per cost per capita (per compromised record) of a data breach was $139 per organisation surveyed, with the average cost of data breach totalling $2.51 million. Thus a business experiencing at least two data breaches a year could be expected to set aside $5 million of company funds for data breach response. In such a scenario, investors are likely to find shareholder returns diminish over time compounded with reputational loss.

Investing in cyber insurance not only frees up investors’ resources, it is also more cost effective in the long term. In transferring risk to the insurer, businesses must give proof of their information governance practices. If there are no practices in place, the insurance can facilitate businesses to devise a plan to prevent cyber threat and the risk of legal issues, financial losses and company failures – before accepting the residual risk.

Business Continuity

As all businesses revolve and evolve based on their data, information is critical for ensuring business continuity. Since cyber threats and cyber theft do happen, it is important that businesses possess the capabilty to respond well- this includes having a plan in place to respond to the incident swiftly, professionally and with minimal impact.

A business needs to recognise its capability to access the right information to mitigate the effect of a cyber attack.  Key questions that any manager, executive or business owner must ask themselves are:

–        Does the information governance system, including cybersecurity policies and procedures, mandate backup of information assets, systems and data that can retried if a cyber incident leads to operational downtime?

–        Is there proof the business has a written down business continuity plan and are all employees that will need to act on it trained and knowledgeable as to what to do if the risk occurs?

–        It is essential that all employees and effected parties have access to information on how to respond to an incident to minimise any damage? And is this process exactly what cyber insurers want to see in place, in order to mitigate their own exposure?

Trust

Trust and relationships are the biggest factor in ensuring long term sustainability of a business. A savvy cyber insurance company will not accept the transfer of risk if a business cannot demonstrate adequate measures for maintaining trust of all stakeholders and most importantly, customers. Businesses are expected to prove their integrity through questions such as:

–        In storing customer data, does the business ensure information governance in collection, storage, use and archiving of data. Is the information encrypted or deidentified? Should customer information fall into the wrong hands, can the customer trust that the business can keep their identity safe?

How frequent and proactive is the security management practice of the business? Has the business got access to notification templates for notifying its customers of a data breach?

Cyber incidents affect company reputation and investor relations, which is why it is important that companies build their risk management strategies transparently and with clarity.

People, Policies & Procedures

A cyber insurance company will delve in to the business processes and policies before agreeing to a commitment. They will analyse a number of things, including:

–        Are roles and responsibilities understood?

–        Does information governance dictate checks for monitoring access rights to the information and misuse of access rights?

–        Are their approval controls for transfer of funds?

–        Does the business have an adequate privacy policy that communicates to stakeholders how the business collects and manages information?

–       Does the business have a regular patch management policy?

–        Does the business have a policy of ensuring ownership of risk and liability is described in all third part contracts?

Compliance, Disclosure & Transparency

Compliance is vital to a cyber insurance company – particularly for the legal team. The insurer will look at the below aspects of the potential business:

–        What information governance, risk management, security standards does the business conform to?

–        Is the business PCI compliant?

–        Does the business comply with the Privacy Act?

–        Has the business had a data privacy incident in the past?

–        When completing the application form, has a Director of the company signed the insurance application form?

Transferring risk to a third-party insurer must be supported by evidence of information governance. Any negligence on information governance practices reflects the inability of a part of the business to take the right actions to prevent and mitigate a cyber incident.

Buying a Policy

Risk Register

While the myths on policy coverage are rampant, insurance policies are not to be blamed. Not only are the the complexities of cyber risk not well understood,  executives are unable to dedicate enough resources to demonstrate adequate information governance measures.

Policy wordings are designed to respond to specific cyber risk scenarios. Businesses seeking to buy a cyber policy must ensure that they articulate cyber scenarios in their risk register and seek insurance for them. Cyber risk scenarios and their potential impact must be eliminated and mitigated and only residual risk must be transferred.

Risk scenarios must be matched with plain policy wording and extent of coverage, for those scenarios must be obvious. Managers who do not carry out this exercise are lacking in the process to invest in insurance.

It is vital that cyber insurance policies suit both the insured and the business needs. This is easy to do with the help of a cyber insurance broker, as they will be able to recommend the most adequate cyber insurance policy and help negotiate the most suitable policies to match the business needs.

Risk Register:  Transfer Risk

 

 

Role of Insurance Broker

Cyber risks are evolving. With technology becoming more advanced each day, it is difficult for companies to keep up. With emergent risks, traditional brokers have found it hard to move up the learning curve. Specialist cyber insurance brokers are able to discuss and analyse the business needs, requirements and obligations. They also understand complexities of cyber risk.  A broker can help a business to understand coverage, limits, exclusions and deductibles. At the time of buying cyber insurance, a cyber insurance broker will advise a business on how to obtain a health check on all insurance policies so that gaps in total coverage are not taken for granted.  A broker will also alert clients on their ongoing obligations for all cyber risk scenarios for which policy wordings are sought and matched.

Businesses wishing to assess their cyber risk can source a quote from a broker and know the cost of their cyber risk. Seeking a quote is free of charge and obligation.

Seeking a Cyber Insurance Quote

Usually your broker can procure an indication quote based on the questions below. However, a final quote can only be based on information provided in the full application form.

1.     What was your revenue in last 12 months? Yes/No

2.     What policy limit do you require? Yes/No

3.     What industry is your business in? Yes/No

4.     How many records does your business hold? Yes/No

5.     Do you have a business continuity plan? Yes/No

6.     Do you encrypt data held by your company on mobile and other devices? Yes/No

7.     Do you have firewalls, malware detection systems in place? Yes/No

8.     Do you store data on a third party cloud? Who is the cloud service provider? Yes/No

9.     Do your contracts indemnify any third party for a data breach? Yes/No

10.   Has your business had a data breach in the last two years? Yes/No

11.   Do you regularly implement a written patch management process? Yes/No

12.   Do you have a privacy policy? Yes/No

13.   Which state is your business located?

Cyber insurance policies come equipped with a panel of experts who are able to identify risks and reduce the impact of an incident response. They also have a skilled PR team, legal experts to minimise any associated threats or breach costs, and forensic experts that are able to decipher exactly what happened, why it happened and how to best avoid future incidents from occurring.

 

by Meena Wahi – Cyber, Data, IP Insurance Specialist.

Meena Wahi is a cyber insurance and data breach broker, specialising in cyber risk, data privacy, intellectual property risk and cyber crime.   She helps organisations identify potential cyber risks and believes that cyber insurance should be a key component of a company’s enterprise risk management strategy.

Connect with Meena on LinkedIn.