Managing cybersecurity risk in today's environment of rampant cybercrime has become a critical management responsibility in organizations of all sizes.
Organizations that have recently experienced major losses from cybercrime include the IRS (700,000 tax returns), Anthem Healthcare (100 million+ health records), and even the NY Federal Reserve, which had $81,000,000 stolen from its customer's accounts in February.
According to the US Chamber of Commerce, businesses with fewer than 100 employees experience 71% of all cybercrime attacks. This is due to the relative ease of breaching organizations that often do not invest in cyber defenses and employee training.
Ransomware, the current cybercrime method of choice, is up ten-fold in the first quarter of 2016 over the 2015 period. Recent ransomware targets include hospitals such as Hollywood Presbyterian in Los Angeles, city governments and even police departments.
For perspective on this topic, I turned to cybersecurity insurance expert Roberta Anderson, partner and head of the cybersecurity practice in the Pittsburgh office of the global law firm K&L Gates.
"Recovery from data breaches is a time-intensive, distracting and resource-consuming process that impacts not only the operation of the organization but potentially its relationships with customers, suppliers and financial partners.
"Every organization has its crown information jewels, whether it be customer data, financial records, or proprietary business tools. These must be protected. Seeking to limit their losses following attacks, many organizations are investigating cyber insurance as a means to help them recover and to maintain financial viability.
"Cybersecurity is becoming increasingly recognized as more of a management and organizational cultural issue than a technology issue. The four words that cause cyber vulnerability more than anything else are 'Cybersecurity is IT's problem.'"
Clearly, cybersecurity events will happen. What is essential is to plan for them so they do not take you down if they occur.
Ms. Anderson added, "One of the true values of evaluating cyber insurance is that it causes the organization to look at cybersecurity practices, network protections, data backup and employee training - which in turn actually reduces their risks because of the increased awareness and planning. Management ends up with a roadmap for improved cyber security. This alone is worth the cost of the insurance."
Smaller firms, she emphasized, should sit down with their insurance agent, look beyond their general liability policies and evaluate cyber coverage: "The risks of not providing financial cushion from cyber intrusions are simply too high for most small organizations to deal with successfully."
The net-net of the conversation with Ms. Anderson: "Those with cyber insurance benefit from both a greater peace of mind and improved cybersecurity practices. These are gifts most do not expect but which many receive."