A new wave of hacker attacks is breaching corporate and outsourced
information systems, with one information security firm recently
detailing coordinated hacker attacks on 2,400 companies and government
agencies during the past 18 months. The hacker attacks create headaches
and potential liabilities for corporate risk managers by exposing vast
amounts of personal and corporate secrets to cyber thieves.
Lockton, the world’s largest insurance broker, warns risk managers to
prepare by taking an enterprise risk management approach. Risk managers
can prevent cyber thieves from harming systems, data and reputations
using the approaches noted in a new industry report from the insurance
broker, "What should you do to prevent cyber thieves?"
"This is not just an IT security issue, rather an enterprise risk
management issue that involves not only IT, but also the risk manager,
legal department, compliance, internal audit, procurement, and
operations," says Emily Freeman, head of Lockton’s Technology,
Media and Telecommunications practice in London.
Freeman adds that, "Many corporate executives mistakenly believe that
by outsourcing the work to vendors, they have also transferred the
liability that may arise from a data breach or system failure.
Unfortunately, that is not the case. The
legal and regulatory liability primarily remains with the data
owner."
Lockton’s cyber theft report offers additional recommendations to
prevent breaches and to minimize the damage when they happen, including:
— Focus on people and processes, not just the technology aspects of security controls. Physical security and technology tools are an excellent part of a comprehensive approach, but focus as well on people and process failures and the potential for malicious acts.
— Manage your high-risk vendors. Identify all your high-risk vendors for security and privacy risks, including credit card processors. Ensure that they are in compliance with industry standards or PCI if applicable. Include strong indemnity/insurance requirements for data risks in your vendor contract.
— Test your controls and fix vulnerabilities continuously. You cannot prevent criminals from trying to break in, but testing and controls, especially with the assistance of outside security firms, can contain or minimize incidents and prevent breaches.
Freeman concludes in the report on information security breaches,
"Companies must protect themselves as the
ultimate responsibility lies with the data owner and there is the very
real possibility that the vendor could commit a breach in security that
could overwhelm them and their available insurance limits."