Cyber Risks

Risk Managers Struggle With Data Security

Many companies were ill-prepared to protect data or to respond should a breach occur.
March 6, 2015

The much ballyhooed Sony Corp. hack, allegedly at the hands of North Korea, is hardly an isolated event, as two recent reports demonstrate.

While Sony’s experience garnered the most recent headlines, data breaches targeting JPMorgan Chase, Target (the retailer just revealed that its 2014 data breach cost the company $162 million) and others have resulted in expensive investigations, litigation and settlements, the costs of which are borne by customers, the businesses and insurers.

Cyber attacks have become an almost daily event affecting all sizes and types of businesses.

Two surveys, from Trustwave and A.M. Best, bring home the reality that many businesses are still struggling with information security deficiencies and common security weaknesses that can elevate their risk of data breaches.

In its “2014 State of Risk Report,” which surveyed 476 information technology and security professionals located in more than 50 countries, Trustwave found that many companies remain ill-prepared when it comes to cyber risk.

“Businesses must look at security as an imperative,” said Michael Aminzade, vice president of global compliance and risk services at Trustwave, in Reston, Va. “Understanding their risk level is the first step. By identifying their largest security shortfalls and rectifying them, businesses can stay ahead of the criminals and decrease their risk of getting breached.”

Trustwave found that one in five (21 percent) businesses do not have data breach incident-response procedures in place and about the same share (20 percent) do not have a process that enables reporting of security incidents.

It also found that more than six in 10 (63 percent) businesses do not have sophisticated methods to control and track sensitive data and that less than half (49 percent) fully encrypt stored sensitive data.

As for the insurance industry, A.M. Best identified cyber security as one of the most serious emerging risks facing insurers, in its report, titled “Cyber Security Presents Challenging Landscape for Insurers and Insureds.”

Fred Eslami, a senior financial analyst at A.M. Best in Washington, D.C., said security issues will only grow more intense this year and beyond.

“These discussions will get increasingly more robust in 2015 as the insurance industry continues to ‘peel the onion’ on this evolving issue,” Eslami said, adding that it involves not only identifying general underwriting processes, the number of policies, types of coverage, policy forms, and limits and exclusions, but also how insurers manage and mitigate the many cyber risks and the ever-increasing threats of cyber-attacks on their own companies.

A.M. Best found that just 10 percent of respondents said they had a dedicated cyber security policy, while another 10 percent said they bundled such coverage with errors and omissions, property/business interruption and general liability policies.

Nearly three in 20 (13 percent) respondents admitted that their companies had been targets of data breaches or cyber attacks.

Trustwave security engineer Greg Rosenberg said many businesses and risk managers hold a gross misconception that data security is purely a technical problem, a so-called “gearhead” conversation.

“Nothing could be farther from the truth,” he said. “Data security is about people, process and technology.”

Rosenberg said the notion of how to track truly sensitive data can be completely off the radar in some companies, adding that to understand cyber risk requires an effective risk assessment, including data discovery.

Many times, he said, risk managers don’t know all the types of data they have or all the systems that can result in data leaks.

“Data tends to migrate to unexpected areas,” he said. “You need to take inventory, identify, track and monitor that data, but many companies don’t have a process at all.”

Kevin Kalinich, cyber risk global practice leader for Aon Risk Solutions, said that while it’s certainly important to utilize surveys such as these and others when considering cyber exposure strategies, risk managers need to consider all the factors, including separating “critical” data from data with little value in terms of losses.

“The value of the data — how much damage would occur if it is stolen or exposed — and the amount of insurance protection purchased are critical factors in creating an effective risk management plan,” he said. “Even in some of the biggest cases media-wise, for the most part consumers have not been successful in proving damage.”

He added that despite some recent survey findings and data breach cases, research from Aon shows the percentage of companies actively focusing risk management on data security is much greater than even two years ago.

“Overall, awareness has been heightened and companies are reacting and responding,” he said.

“Of course, every organization should have an IT security strategy that uses reports like these to build best practices in protecting data assets, but it all needs to be in context,” he cautioned. “The surveys and reports are but one part of the process.”

Tom Starner is a freelance business writer and editor.