Each new data breach highlights the challenge a company faces in securing personal information and intellectual property. In our age of information, data is often one of the most valuable assets of a company.
Every company should be taking steps to defend itself against the inevitable cyber security attack. A panel of experts at FEI’s Future of Financial Technology Conference, including an FBI Agent, Chief Risk Officer, and insurance expert, shared their suggestions for both protection and recovery.
Build relationships with law enforcement
Melissa Krasnow, Partner, VLP Law Group LLP and moderator of the Preparing for the Inevitable Cyber Security Attack session, pointed out that, at a minimum, executives should have contact information for the front desk of their local FBI and their U.S. Attorney's office.
Michael Krause, Supervisory Special Agent, Federal Bureau of Investigations, asked the audience, “Are you comfortable engaging with law enforcement and trusting them as part of this process? Because if you have a wire transfer to Hong Kong, and you wait a week to come and notify us, odds are there's nothing we can do. We can investigate it, but the money's gone. By contrast, if you get that to us ASAP, we have the potential to actually be able to help you freeze those funds before a bank could tell us, and that will give you an opportunity to go ahead and work through corresponding procedures to potentially recover some of those funds. We've had great success. Time is of the essence. If you don't know who to talk to, you're going to miss that window.”
Build relationships with the media
In a worst case scenario, breaches are found out by media, putting the company in the awkward position of having to respond. Krasnow stressed the importance of getting to know local media: building relationships with the reporters, and more broadly, learning who covers breaches for local outlets.
Krause agreed. “Media is not friendly right now. Yahoo was breached, lost five hundred million records. And there were three people that were actually indicted. When those three people were indicted, what did the press release have as a picture? A picture of Yahoo. Not a picture of three people being indicted. We still victimize the victim. So, you have to be thinking about, if the breach happens, how am I going to manage that from a communications, a PR standpoint?”
Create an incident response plan
Unfortunately, many companies have not established sufficient incident response plans. Think about who in the organization will get together and deal with the implications of the attack. This group will decide which components to escalate.
Companies may decide to hire an outside cyber security forensics team to help mitigate the problem. But, as Krause pointed out, “If I'm in the middle of a crisis event, am I now going to start searching for potential external cyber security companies? I'm going to have to start the negotiation of what they're actually going to charge me to do that when they know they have me over a barrel.”
Insurance
The insurance marketplace is looking at improving the risk profile for companies. As Mario Paez, Vice President, National Practice Advisor, Wells Fargo Insurance, pointed out, it's in the insurance companies’ best interest to make sure you have an incident response plan.
To determine how much insurance coverage you need, use a calculator, assessment tool, or modeling to assess your overall risk. Paez recommended using an interruption worksheet, similar to what you may see for property insurance. Your insurance can provide templates, employee awareness training, regulatory preparedness, and PCI compliance readiness.
Look at cyber attack risks from a business interruption perspective. “There may be organizations that are not in the, what I would term 'high hazard' class-- business retail, hospitality, financial institutions, healthcare,” Paez explained. “If you're outside of that realm looking at it from a business interruption standpoint or supply chain perspective, or utility or critical infrastructure, that's a different conversation altogether in terms of assessing that risk. You may not be dealing with credit card information that you've seen in the headlines in the past. If you are affected by some type of ransomware or malware that disrupts your revenue cycle, how is that going to impact you?”
Tabletop exercises
Equally as important as establishing an incident response plan is testing the plan. Companies should go through hypothetical simulated scenarios, known as a tabletop exercises. Krasnow pointed out that boards are inquiring about incident response plans, and whether or not those plans are being tested and updated.
Tim West, Chief Risk Officer, Atredis Partners, agreed. “I'd say that most organizations learn a huge amount from doing tabletop exercises. Even just getting the respective leaders of the different silos - marketing, promotions, whoever owns your public relations channel, IT, legal - in a room for four hours to talk it out. Most organizations should at least do it once, and learn from that experience.”
Agent Krause is often invited to join these exercises, and frequently consults with companies in the case that he can’t attend, to give an idea of what the FBI’s interaction might be. “I think it's invaluable. In fact, if you're struggling, because some people get caught in this 'planning to plan' cycle, and it takes them four years to develop an incident response plan. Or they just pull one off the internet and say 'that's good'. If that's the case, I would say jump right in and actually do an exercise and get the people together and start talking about it. It will improve your risk management process.”
Tabletop exercises can change the way you handle business and IT practices and IT practices. As Agent Krause pointed out, IT tends to be great problem solvers, but not necessary trained to be pure risk managers. IT may not know where to focus their resources without interacting with the other business components.
Paez strongly recommended that all organizations across the board do these exercises not only internally, but also externally. Bring in outside vendors, whether it's your insurance broker, your insurance carrier, forensics firm, and regulatory authorities so that you understand who those players are in advance and you can realistically play through the scenario.
Paez shared, “Often times, depending on the size of an organization, the cost to conduct the tabletop can be put on the insurance carrier's tab. So, that's another nuance that I would encourage organizations to at least look into if they do currently purchase an insurance policy to see how they can offset some of the costs.”