Cyber Risk Assessments are a Critical Component of All Cybersecurity Programs

The National Institute of Standards and Technology (NIST) is the leading U.S. organization in developing a framework for cybersecurity. Its current Framework for Improving Critical Infrastructure Cybersecurity is a leading report on implementing a cybersecurity program. NIST advocates the use of a cyber risk assessment. As is clear at this point, businesses must take an enterprise risk management approach to cybersecurity. A thorough cyber risk assessment allows a company to understand the current state of cybersecurity risk, and to then make informed decisions on prioritizing improvements and expenditures. Id. While NIST provides well-informed recommendations, we are beginning to see that cybersecurity is becoming a mandate for many.

Last year, the New York Department of Financial Service's cybersecurity regulation (NYDFS) took effect. Any business that is subject to oversight by the NYDFS must comply with the new regulation, regardless of physical location of the business. In other words, if you want to do business in New York, and are subject to oversight, you must comply with the new regulation. The initial deadlines for compliance already have past. The regulations also require covered entities to ensure their outside vendors also are compliant. The new law mandates that covered entities conduct a cyber risk assessment. See, 23 NYCRR §500.09. Furthermore, this is not a one-time process. Cyber risk assessments must be performed periodically to ensure cybersecurity programs remain up to date in light of the continuing nature of new cyber threat vectors.

Self-help in conducting a cyber risk assessment is a poor idea. First, an outside neutral evaluation is the best route. Allowing an internal IT department to conduct the assessment creates a conflict of interest that is fraught with peril in yielding a valid overview and legitimate recommendations. This is not an area to be penny-wise and pound foolish on expenditures. The only way to know the state of your cybersecurity program is to obtain a valid neutral prospective by outside experts.

Where to Start Your Cyber Risk Assessment

Hopefully by now you recognize that a cyber risk assessment is not only invaluable but really “a must” in ensuring the company has the best cybersecurity program in place. CyTech Partners, LLC, a cybersecurity advisory believes: “A comprehensive cybersecurity risk assessment should enable the enterprise to: 1) identify cybersecurity risks to the company's systems, assets, data, and capabilities; 2) implement steps to protect the enterprise and ensure continued operations; 3) develop the ability to detect a cybersecurity incident; and 4) implement appropriate steps to respond to a cyber event.”

One must also recognize that using outside resources for the assessment is a best practice, and be willing to commit to that financial spend. Do not start by retaining a cybersecurity consultant, however, which is a recipe for disaster down the road. Why?

You retain a cybersecurity consultant who has wowed you with their abilities. The outfit comes in and conducts the cyber risk assessment. You receive a detailed assessment report that outlines the good, the bad and the ugly. It also prioritizes what needs to be done to upgrade the current cybersecurity program. However, the cost is substantial for the business and comes in the middle of a budget cycle. You implement the first two recommendations but are breached before you get to the remainder of them. The cause of the breach likely would have been prevented had your company gotten to that fifth recommendation. Any claimant bringing a legal action will likely obtain the risk assessment in discovery. Now the plaintiff has a roadmap to argue not only that your cybersecurity program is inadequate, but also that your business was placed on notice of these inadequacies by your cyber consultant.

Instead, begin your process by retaining an outside cyber attorney to oversee the cyber risk assessment and to retain the consultant. This should allow the work and report to be protected by the attorney-client privilege. The attorney should be involved in all communications and the assessment report should be delivered to counsel for further dissemination to the company. The same is true for billing by the consultant for the work. The attorney retains the outside cyber forensic expert and handles the billing. Everything is structured to preserve the attorney-client privilege. The added benefit is that an experienced cyber attorney can bring a substantial value to the review, and updating of policies and procedures to ensure compliance with the myriad of privacy laws around the country and globe.

Protect Your Risk at the Outset

Now that the attorney and consultant are identified, ensure they can handle the work in a secure manner. Remember, both are going to have access to your data, policies, and information systems. These vendors should signed engagement agreements that acknowledge the risk and outline how they will handle the information, including encryption. It remains surprising how many law firms lack the ability to encrypt a client's data as well as email communications. Your information security officer should assist in setting some standards for the protection of information during the engagement. Also, require both vendors to maintain cyber insurance that will respond to errors and omissions that may occur during the assessment and afterwards when caused by the vendor. Due diligence in the retention of the law firm and the consultant should not be overlooked at the juncture.

The Cyber Risk Assessment Process

Once the vendors are properly vetted and engaged, the next step should be a meeting of all stakeholders to provide information in order to design the assessment. The consultant will want to learn about the information system architecture, cybersecurity software, patch protocol, and other issues in order to understand how the networks can be accessed and analyzed. The attorney will want to know about current cybersecurity, privacy policies and procedures, including the current incident response plan. The attorney will then work with the consultant to design the overall assessment.

The broader the assessment's scope the better for the company. An enterprise-wide scope is optimal. For example, it does no good to analyze the security software but fail to review cybersecurity training modules for employees, because the company needs to know that it associates are being trained properly on the network security in place. Too many businesses try to save money by doing less than a 360-degree assessment.

Once the assessment is complete the vendors should work together to prepare a comprehensive cyber risk assessment report. The attorney must lead the preparation in order to provide attorney-client privilege to the report. Counsel will deliver the report to the company for review, and then a meeting of everyone should occur for a review of it. Internal stakeholders must ask any and all questions to ensure what is called for by the report and proposed implementation of the recommendations. It is critical to get the priority of recommendations correct in order that the highest risks are addressed as quickly as possible. No one should exhibit pride of authorship or turf protectionism in the review process. The goal is to ensure that the recommendations can be carried out as quickly and effectively as possible.

Cyber Insurance Is a Critical Component to Consider

A company's traditional insurance program may not cover cyber losses, or likely contains gaps in such coverage for cyber/data breaches. As part of the risk assessment process, it is recommended that companies undertake a review of their current cyber insurance program. Such insurance is the backstop to recovering from a serious cyber event. Moreover, many cyber policies provide vendors in responding to breaches and other cyber related incidents. During the cyber assessment is the perfect time to vet these vendors and work them into the incident response plan. Pre-selecting vendors is critical so that they know your cybersecurity program prior to an incident. A policyholder does not want to meet the vendors for the first time during the ongoing cyber breach, which can lead to costly mistakes. Ask the insurer for the list of vendors it uses, and then vet the ones your company wants to use. If you have a preferred vendor, such as a cyber attorney, you may be able to negotiate their use.

In addition, requirements of cyber insurance, such as encryption of mobile devices, must be worked into the company's cybersecurity program. The goal is all of the moving parts of a full cyber assessment are taken into consideration so everything works in synch once updated and implemented.

Businesses can obtain cyber insurance for losses. It is critical to understand the full scope of the coverage you buy. Today, “cyber” can be a misnomer for the breadth of coverage available. But this is a line of insurance that the buyer must exercise extreme diligence. Cyber insurance is a newer form of coverage that does not benefit from long-term placement in the market. Policyholders and insurers are grappling to understand the scope of coverage through negotiations and court opinions. Coverage disputes are just now yielding some initial legal decisions. All cyber insurance policies are definitely not created alike. For example, some policies may exclude coverage for breaches by rogue employees. Companies need to develop a thorough understanding of their risks and the scope of the cyber insurance they are placing. Policyholders must look well beyond the declarations page and coverage grant when considering this type of insurance, although those are obviously important. The devil is in the details.

A few critical items to consider when obtaining cyber insurance:

Watch the sublimits. A critical area to watch for with cyber insurance is the sublimits. While many policyholders have a far better understanding of standard CGL and property coverage, it remains critical for them to take extra time to truly understand the nature of a new cyber policy being added into their insurance program. It is not uncommon for the most expensive and necessary aspects of coverage to have the lowest sublimits.

The definitions can be a real “gotcha.” Since insurers all use different forms for data breach and privacy insurance the definitions used in the policy are critical to the scope of coverage. For example, how does the policy define “computer system?” That definitions may make all of the difference in whether there is coverage or not. The same is true for “wrongful act” and a host of other definitions that are highly specific to the insurer's forms.

Cyber policies have exclusions just like all policies. No surprise, these policies also contain a litany of exclusions. A prospective purchaser of cyber insurance must pay particular attention to the exclusions. Match the exclusions up with the numerous definitions and it becomes easy to see how tough it can be to have coverage at the end of the day.

It's cool to be retro. The average number of days a hacker is in your system before discovery is easily 230. Of course, many businesses continue to struggle with detecting a breach. A company needs a retroactive date of at least a year to ensure coverage for this lag time in breach discovery. Ideally, an insured would really want a minimum of two years, if possible.

Time spent upfront from an in-depth analysis when considering such insurance may prevent the type of coverage fight many policyholders are facing in order to get the coverage they paid for from their insurer. Working closely with your broker and coverage counsel may seem tedious, but ensuring the correct coverage can prevent unwanted litigation to try and secure it after the fact.

Conclusion

Cybersecurity seems daunting to consider, and many business ignore it due to its overwhelming nature. A strong cyber risk assessment allows a company to tackle the problem in logical steps in a cost-effective manner. Identifying and mitigating the largest risks can save businesses from the adverse consequences of a major breach. The average cost of responding to a breach is approximately $3.62 million. Reduction of risk can save substantial amounts. Cyber insurance can cover much of the expense if properly placed.

While no company can become completely impenetrable from an intrusion, those that understand their cybersecurity risks and address them stand the best opportunity to survive a cyber incident. Obtaining a cyber risk assessment is a critical first step in addressing the concerns and achieving a holistic cybersecurity program.
*****

Collin J. Hite is an associate general counsel at Markel Service, Incorporated. He works with legal, underwriting and information security within Markel Corporation on a variety of cybersecurity issues and insurance forms. A member of the Board of Editors of Cybersecurity Law & Strategy, he can be reached at 804-864-3664 or [email protected]. The opinions and views expressed in this article are not necessarily those of Markel Corporation, or its subsidiaries and affiliates.