Risk & Business Magazine Jones DesLauriers Insurance Fall 2016 | Page 8

ACHIEVING CYBER RESILIENCE

Achieving Cyber Resilience: How To Create A Plan

BY: GARIN PACE, ANTHONY SHAPELLA, AND GREG VERNACI, AIG

Cyber security has become the single most important risk on the minds of company boards of directors around the world. In the face of such a complex risk, what can a company do to protect itself?

Proactively carrying out standard systems hygiene is first and most important. The Center for Internet Security suggests that these simple steps can prevent up to 80 percent of cyber attacks:

• Maintaining an inventory of authorized and unauthorized devices and software
• Ensuring all devices have secure configurations
• Conducting vulnerability assessment and remediation through an automated process
• Actively overseeing the use of administrative privileges [1]

This is a good start, but standard hygiene simply cannot prevent all attacks. As such, leading firms are moving beyond prevention and focusing on resilience. [2] This can be achieved by developing a “cyber resilience” action plan to take effect when an attack occurs.

A plan is best developed by a cross-functional working group of departmental senior managers (including Operations, IT, Finance, Legal, Risk, and HR) that meets regularly to discuss cyber security, monitors evolving internal and external threats, and models and analyses hypothetical attacks. A good resilience plan details roles and responsibilities, identifies the external parties that will assist with remediation, provides for communication and crisis management plans, and includes operating strategies for various types of events. Having a plan prior to an event has been shown to dramatically reduce the cost, recovery time, and reputational damage of a breach.

Once the working group is established, it is important to map the firm’s cyber risk profile, identify a set of possible cyber events, and discuss the likelihood and impact of each. Narratives with higher likelihood of impact can be given the highest priority, and risk mitigation strategies can be discussed across the group. The cross-functional discussion is critically important. Strategies should consider all parties and their action steps.

The next step in devising a resilience plan is risk assessment and measurement. The key here is to avoid analysis paralysis: discussing rough figures is more important than highly precise estimates. Fortunately, a growing data set is emerging that companies can use to estimate the cost of a major cyber event.

This brings us to risk mitigation, which can take on many forms, the most effective of which is to invest in defenses for the most likely attack modes and the assets that are most at risk. While investing in prevention is paramount, not all attacks can be fully mitigated. For these extreme events, cyber insurance is critically important. Cyber insurance provides contingent capital and expert assistance in the event of a cyber attack or data breach. A cyber policy can respond to both the liability and the first-party direct costs associated with a cyber event. Some policies can be customized, and coverage offerings can be added or removed based on the company’s risk profile. Some policies also include risk management and loss prevention services that can aid companies in assessing and mitigating their exposure to events before they occur.

In summary, cyber security is top-of-mind for boards of directors and senior executives across the world. The first step to improving the cyber risk framework is to ensure that standard cyber hygiene is properly addressed. This will mitigate many cyber attacks, but simply cannot prevent all of them. As such, companies should focus on cyber resilience, and a plan for action is essential to have in place before a breach occurs.

For more information on achieving cyber resiliency, please email Jacqueline Detablan at [email protected], or call her at (416)-596-2772. This post is an excerpt from an AIG white paper, Achieving Cyber Resilience. The full version is available at www.aig.ca.

References

1. Stew Magnuson, “New Cyber Hygiene Campaign Seeks to Curtail Attacks,” NDIA National Defense Magazine (May 2014), http://www.nationaldefensemagazine.org/archive/2014/May/Pages/NewCyberHygieneCampaignSeekstoCurtailAttacks.aspx
2. “Cyber Resilience – The Cyber Risk Challenge and the Role of Insurance,” CRO Forum, http://www.thecroforum.org/cyber-resilience-cyberrisk-challenge-role-insurance/