Everyone Gets Hacked
All aspects of modern business increasingly rely on electronic devices and the Internet. From finance to sales to HR – technology is completely enmeshed in our daily lives.
Unfortunately, it sometimes takes an attack to demonstrate just how vulnerable we really are to cyber intrusion. And while the media focuses attention on highly regulated industries like health care, finance and retail, the extent of the problem is much broader and deeper.
“There are those that have been breached and know it, and then there are those who have been breached and don’t know it. The media highlights the high-profile cases, which should serve as a wake-up call for all organizations. A cyber breach can happen to any company,” said Annamaria Landaverde, National Cyber Practice Leader for Starr Companies.
While it may be inevitable that you will be the victim of a cyber attack, there are many things that can be done to mitigate the risk. By focusing on an emerging set of best practices, your company will be much better positioned not only to defend and protect your systems but also to repair and recover if those defenses are breached.
“Every company needs to focus as much time on protecting their networks as the hackers do trying to get to them. We view our role as a partner to help you stay on top of the latest technological threats and give you the tools to protect your company from cyber attack.”
— Annamaria Landaverde, National Cyber Practice Leader, Starr Companies
Prepare, Prevent and Protect
A sound cyber risk management program is built upon many different and interconnected pillars. To assist clients in these efforts, Starr Companies offers a complete suite of Risk Management Tools.
“Our team invests a lot of time into curating and managing the tools available to our clients. We recognize that preparation is the most critical aspect in mitigating the risk and we want to help our clients prepare, prevent and protect to the best of their abilities,” said Landaverde.
These risk management tools include self-assessments, calculators, risk management frameworks and a web portal with news, pre-vetted experts and other resources. “While other insurers may offer a web portal, few invest as much effort to ensure that the information is as complete and high quality,” added Landaverde.
And while many factors need to be considered for a cyber risk management program, there are some critical steps that Landaverde recommends you pay particular attention to. These include:
- Create an incident response team – Know which person within the organization is responsible for which roles when responding to a cyber incident.
- Classify your data – Understand what type of data is stored on your systems, where it’s stored, and then take it a step further and segment the data so the most sensitive data has the most controls and protections around it.
- Analyze access points – Who has access to what systems and networks? Consider employees, vendors and third parties. Do they still need access? Can it be limited?
- Provide employee training – Surprisingly, inside user error is a growing cause of cyber security issues. Hackers can gain access to a company’s network through phishing emails and social engineering. Stop these incidents by making employees aware of these tactics and how to handle them.
“Once a company has a sound risk management framework in place, then you buy insurance,” said Landaverde. “Starr’s Security & Privacy Risk Response™ policy encompasses the full range of breach response and recovery, such as class action lawsuits or regulatory agency proceedings, business interruption and downtime, and expenses associated with the management of responding and recovering from a breach.”
Unfortunately, even the best risk management program can’t prevent every cyber attack.
But when the inevitable occurs, the effectiveness of responding to an attack is often proportional to the investment in preparing and protecting an organization’s digital infrastructure.
Immediately after an attack, the company’s incident response team will deploy its crisis plan. Communication with all affected stakeholders is key! Experts will need to help identify the type of incident, what was affected, and contain the loss. It may be necessary to consult with legal, and comply with any regulatory and privacy requirements, state and federal laws, and industry-specific regulations. It may be necessary to notify clients, provide credit monitoring or credit counseling services, set up a call center, or offer other services.
And if you are unlucky enough to be in the media spotlight during this time, the effectiveness and depth of your pre-planning will become very clear.
“In the case of a breach, we always recommend that our clients immediately notify us. While the natural reaction might be to wait until you know the extent of the damage before contacting your insurer, in the case of a cyber attack, time is of the essence,” said Landaverde. “We have the resources and experience to help you through the process and most importantly, minimize the damage.”
Starr’s eRisk Hub portal provides risk managers with various pre- and post-breach resources, including law firms, IT experts and forensic investigators, who can walk through what steps to take. In addition, a Breach Coach® is available 24/7 to offer 30-minute free consultations. “They help assess the severity of the situation and provide guidance on the immediate actions you should take once a breach is discovered. This fast response is vital,” said Landaverde.
After a breach, it is critical to understand how the breach occurred and to implement processes to prevent it from happening again.
Starr’s risk management tools provide access to IT experts who can help repair, replace, recover and rebuild after a loss. This is necessary to ensure that the vulnerabilities that led to the breach are patched and that all systems are secure. The incident response team will want to analyze what happened, how the company responded and what can be done to avoid future issues.
“You don’t really hear too much about the recovery piece in the media, as all of the focus is on the notification, but there’s a lot that has to go on after the dust settles,” said Landaverde. “Sit down with your incident response team and your C-Suite, and discuss lessons learned, identify where the improvements need to take place, and implement those updated controls or updated systems. Most importantly, update your crisis plan.”
No Company is Safe
As cyber attacks continue to increase in frequency, the costs to remediate the consequences also grow. It’s important for every company to recognize the real threat of cyber breaches and take steps like the ones mentioned here to prevent and minimize damage.
“Every company needs to focus as much time on protecting their networks as the hackers do trying to get to them,” said Landaverde. “We view our role as a partner to help you stay on top of the latest technological threats and give you the tools to protect your company from cyber attack.”
Starr Companies is the worldwide marketing name for the operating insurance and travel assistance companies and subsidiaries of Starr International Company, Inc. and for the investment business of C. V. Starr & Co., Inc. and its subsidiaries.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Starr Companies. The editorial staff of Risk & Insurance had no role in its preparation.