You know how important data is to your business, and you have been hearing about data breaches for more than a decade, but where do you find a simple, straightforward summary of how to protect your company? That is a question we hear a lot. Not having a really great place to send people who ask, we draw on two decades of helping to protect companies’ data to offer you the following orderly checklist, which will set you on the right path to resilience in the face of the risks of our data-driven world.
1. Know what you need to protect
- Customer data, e.g., transaction and account records, profiles and contact information, personal data and perhaps protected health information of your customers or theirs, possibly including sensitive information like social security numbers or payment card information;
- Your “crown jewels,” information that’s special to your business, like your financial records, marketing plans and trade secrets;
- Confidential information, including things you’ve promised to keep in confidence; and
- Employee records.
2. Know where it is
In thinking about how to protect your important data, you want to know what you can about that data, including where it is collected, created and resides and how it moves:
- on your servers;
- in a variety of types of “clouds” with which you have contracts;
- on mobile devices; and
- through email, wifi and other transmissions.
3. Protect it, reasonably
- Do you encrypt the most important information both at rest and in transit?
- Do you require strong passwords, and multi-factor authentication where it is available?
- How do you use anti-virus software, firewalls and intrusion detection to keep the bad stuff out and know when it has gotten in?
- How do you know when your important data is leaking, or being accessed or taken?
- Is cardholder information handled exclusively by a secure payment portal?
- How is your important data backed up?
4. Limit access and train
- Can you limit access to the data you need to protect to those who need it, and terminate their access when they no longer need it?
- Can you train those with access in security awareness, e.g., to avoid phishing attacks and to use strong passwords?
- What physical security is in place?
- Do you know at all times who should have access or has had access to the data you need to protect?
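Sections 3 and 4 above ask how you would know who has had access to your important data, whether that access is still justified, and whether data is being accessed by someone it should not be. The following is an added example of an access review that answers those questions over a small constructed dataset; it is not code from the original page, and the employees, datasets, roles, grants and log entries in it are hypothetical:

```python
"""Access review for sensitive data: flag grants that violate least privilege
and accesses that no current grant explains.  All sample data is constructed
and hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Which roles have a need-to-know for each sensitive dataset (hypothetical).
NEED_TO_KNOW = {
    "customer_pii": {"support", "billing"},
    "payroll": {"hr", "finance"},
    "trade_secrets": {"engineering"},
}


@dataclass
class Employee:
    user: str
    role: str
    active: bool
    last_day: Optional[date] = None  # set when the person has left


@dataclass
class Grant:
    user: str
    dataset: str


@dataclass
class AccessEvent:
    day: date
    user: str
    dataset: str
    action: str  # e.g. "read" or "export"


# Constructed sample data: an HR roster, the current grant table, and an access log.
EMPLOYEES = [
    Employee("alice", "support", True),
    Employee("bob", "hr", True),
    Employee("carol", "engineering", False, date(2023, 5, 31)),  # left the company
    Employee("dave", "marketing", True),
]

GRANTS = [
    Grant("alice", "customer_pii"),
    Grant("bob", "payroll"),
    Grant("carol", "trade_secrets"),  # stale: carol has left but still has access
    Grant("dave", "customer_pii"),    # marketing has no need-to-know for PII
]

ACCESS_LOG = [
    AccessEvent(date(2023, 6, 2), "alice", "customer_pii", "read"),
    AccessEvent(date(2023, 6, 3), "carol", "trade_secrets", "export"),  # after her last day
    AccessEvent(date(2023, 6, 4), "erin", "payroll", "read"),           # nobody granted this
]

Finding = Tuple[str, str, str]  # (kind, user, dataset)


def review(employees: List[Employee], grants: List[Grant],
           log: List[AccessEvent]) -> List[Finding]:
    """Return findings for stale grants, grants without need-to-know,
    accesses with no grant, and accesses after a user's last day."""
    findings: List[Finding] = []
    by_user = {e.user: e for e in employees}
    granted = {(g.user, g.dataset) for g in grants}

    # Step 1: does every current grant still belong to an active person who needs it?
    for g in grants:
        emp = by_user.get(g.user)
        if emp is None or not emp.active:
            findings.append(("stale_grant", g.user, g.dataset))
        elif emp.role not in NEED_TO_KNOW.get(g.dataset, set()):
            findings.append(("no_need_to_know", g.user, g.dataset))

    # Step 2: is every recorded access explained by a grant and by an active account?
    for ev in log:
        emp = by_user.get(ev.user)
        if (ev.user, ev.dataset) not in granted:
            findings.append(("ungranted_access", ev.user, ev.dataset))
        elif emp is not None and emp.last_day is not None and ev.day > emp.last_day:
            findings.append(("post_termination_access", ev.user, ev.dataset))
    return findings


if __name__ == "__main__":
    for kind, user, dataset in review(EMPLOYEES, GRANTS, ACCESS_LOG):
        print(f"{kind:24} {user:8} {dataset}")
```

Run periodically against a fresh export of the HR roster, the grant table and the access log, this produces the list an access review should act on: grants to revoke (stale or without need-to-know) and accesses to investigate (no grant, or after termination). The point of keeping the roster as the source of truth is that terminating access when it is no longer needed becomes a comparison rather than a memory exercise.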
5. Control vendors with access to your data
Small and medium-sized businesses generally have difficulty keeping up with constantly changing threats to data, so choosing the right secure cloud platforms and entering contracts with them that contain the right protections is critical to protecting your important data. Cloud offerings vary widely in their security and related assurances, so pick the right one first, and then get the right contractual provisions in place. Because you will rely on vendors to protect a lot of your important data, contracts matter. Particularly important questions include:
- What does the vendor offer in third-party audits and certifications?
- What else can the vendor promise about its safeguards?
- Will the vendor know if there is unauthorized access to your important data, and will it tell you at the first signs of such access?
- What rights, if any, will you give the vendor in your data, or to any data derived or created from your data?
- How, if at all, can the vendor share your data with any other entities, and under what conditions?
- How will you get your data back at the end of the contract, or how will the vendor protect what it keeps?
- If the vendor has access to your systems, how have you limited that access to what the vendor needs to do its work for you?
6. Keep your privacy promises
Your privacy policies are the promises you make regarding personal data, and you may be held accountable for them. You almost certainly need one on your website and provisions in your employee policies, and may need others depending on your business.
7. Plan for data loss or theft and other incidents
Data loss or theft will happen, no matter how good your safeguards, or your vendors’ safeguards, are. The key to preserving your customer relationships and the value of your business, and to preventing lawsuits, is often a great response, which, after doing it a few thousand times, we can tell you is not so complicated:
- Your employees and contractors must know where to report any suspected loss or theft of your data, or any unauthorized access, immediately.
- You need to have a team ready to respond, who can deal quickly and effectively with:
- containment and prevention of harm;
- communication with customers, other stakeholders and media;
- notification and other legal obligations; and
- remediation and improvement of safeguards.
If you respond right, an incident that could really hurt your business can actually build trust.
8. Get coverage
The risks of loss or theft of data and of business interruption are precisely the type that insurance best addresses, because incidents will happen to your data that are far beyond your control. When you understand what your risks are, and have taken the basic steps to prevent and prepare for security incidents, you can choose the coverage that best addresses your risks and needs. Today, that coverage almost certainly includes specialty cyber-risk coverage in addition to standard E&O, crime/fidelity and commercial general liability coverages. Companies should also review their D&O and cyber-risk policies to determine whether there is coverage for shareholder actions arising out of breaches or security events. By taking basic steps to protect your important data like the ones above, you can answer the questions on the insurance application better and reduce the risk of claim denials later.
There is a lot to say about all of the available specialty cyber-risk coverages. Here are some basic considerations for starters:
- Definition of Computer Network: This definition lies at the heart of all cyber policies. If your organization relies heavily on cloud services, be sure that “cloud computing” is included in the definition and is considered a part of your “network” or “computer system.” In addition, if you have a BYOD policy or suspect many of your employees are using their own personal devices for work purposes, be sure that “mobile” devices are included within the definition. Perhaps more importantly, consider whether the definition contains an “ownership” requirement. Many definitions include mobile devices, but only if the device is “owned” or leased by the insured organization. If your employee conducts business on a personal device (one not owned by the insured organization), and there is a breach traced back to that device, will the cyber policy respond?
- Acts by Employees: Many cyber policies preclude coverage for intentional acts by past and present employees under both the third-party liability coverage parts as well as the first-party coverage parts. The exclusion under the liability coverage parts usually contains an exception and is not applicable, unless or until there is a final adjudication that the employee did, in fact, commit the intentional act. However, this exception often does not apply to the first-party coverages such as cyber extortion, business interruption, or network asset protection. In addition, some policies have broad exclusions that could be read to apply to employee negligence in addition to intentional employee acts. Business leaders need to have a full understanding of the extent of coverage for acts by their past and present employees and other members of their organization.
- Minimum Requirements: Some policies contain exclusions or conditions that require the maintenance of minimum levels of network security, or provide that coverage may not be available if the policyholder did not actually implement the security measures it stated in its insurance application that it had implemented. Business leaders should be very cautious of these provisions and consult with a lawyer, an experienced insurance broker and/or a network security expert to be sure the requirements are reasonable and that you can meet them.
- Sublimits: All specialty cyber-risk policies provide for certain “buckets” of insurance coverage applying to particular losses arising out of the breach or security event. Many specialty cyber-risk policies have limits for certain buckets that are much lower than the policy aggregate limits. This is particularly true for certain first party losses, and regulatory liability, payment card (PCI-DSS), and consumer redress coverages.
- Coverage for Bodily Injury and Property Damage: Many specialty cyber policies exclude loss arising out of bodily injury and property damage caused by a cyber-security event. If your company faces a risk of such losses, review your coverage options carefully. Some policies available on the market provide such coverage.
9. Get practice
Cybersecurity programs cannot be left to gather dust on the shelf, because the threats from outside are always changing, and even the threats on the inside that change more slowly can soon be forgotten. If you have visibility into your security incidents, you may need fewer tabletop exercises, because you will be implementing parts of your response program regularly in the real world. But the incidents you actually see rarely exercise every part of the plan (containment of a large outage, customer notification, dealing with the media), so those parts still need a rehearsal. If you do not have the benefit of regular, real-world drills, consider a periodic practice session to kick the tires of the process and see if there are opportunities to make it better.
10. Expect new threats & solutions
Many of the new threats to your important data come in big waves, like a new virus or exploit, or a series of attacks from a nation state. The cybersecurity world is always watching and sharing information about these changing threats and what companies can do to protect themselves. You do not have time for that fire hose, but industry groups and your friends can help.
In the last few years in particular, we’ve seen a growing stream of technology that makes protecting your data something that small and medium-sized businesses can do better than before, including new encryption solutions, secure development platforms and controls on where sensitive data can be processed. The threats to your important data will just keep growing, but solutions to help us all cope with those threats keep on coming as well, and the risk transfer solutions will keep getting better too. We will get through it all with a little help from our friends.