If you’re reading this, then I have probably joined you at a conference, read the same articles, or heard the same pitch from an insurer, law firm, accountant, or data security expert. No matter the source, we’ve been forewarned of the inevitability of our organizations falling victim to a cyber event. It’s a certainty that a costly cyberattack looms in our futures. That fate has become as reliable as death and taxes.
I challenge you to make it through a cyber article or conference without at least one authoritative reference to, “It’s not if… it’s when.”
So, as a rational economic actor, steeped in business acumen and faithfully loyal to your company, how should you respond? Should you be guided by the way we manage the specter of death and taxes? Let’s see. You can try to live a righteous life, move to the Cayman Islands, or stay under the covers and hope to dodge the grim reaper. It’s futile. Don’t expect a quick trip to the Caribbean and a couple of Hail Marys to get you off the hook. The experts are sure that cyber criminals will find you. But there’s hope, and here are a few suggestions while you’re waiting:
Go to lunch – If a cyber event is down the road, you’ll need some help managing it when it happens. And if that event impacts others (remember, we’re all interconnected), the best response teams will be in high demand. Your first requirement will be a law firm knowledgeable and experienced in cyber defense. They will be your response advisor, evaluating your potential liabilities and preserving your rights to indemnification from vendors and insurers. Confirm your law firm’s willingness to be part of your response team. At lunch, inquire about a crisis consultant, someone to assist in calming the waters, mitigating client and revenue loss, and whether you can use your preparedness as a marketing tool. While you may have a systems and data security consultant, find out if they are equipped to investigate, restore data, and rebuild and replace compromised systems and software. If the task is beyond their scope, get some recommendations. Once you’ve assembled your team, have them meet. While lunch is optional, coordination is not, so make sure that everyone leaves knowing their role and responsibility. You might want to have your insurance broker there too. If you have a cyber policy, your carrier will be funding the expense of your team, so have your broker explain the requirements for reimbursement and whether your response team needs pre-approval.
Use your imagination – This requires your CFO, accountants and IT staff. Estimate the amount of personal, client, and employee data you routinely maintain. Confirm whether any of your industrial controls, vehicles, vessels, or real estate are connected to public or private networks, and if you store any of your vital business data remotely. Add these to a list of vulnerabilities. Ask your CFO to take a guess as to the lost revenues or extra expense you would incur if any of these stopped working, and have your IT people determine how long it would take to restore and rebuild any of these systems. Budget for a best and worst-case event, and have your accountant tell you whether any of these would irreparably damage your balance sheet.
Read a cyber insurance application – We’ll make this easy for you. Try this link. There’s nothing particularly unique about this carrier or the application. Those who have applied for cyber insurance have had to complete one. Insurers want to know your preparedness, history, and commitment to incident avoidance. The questions make for good advice, and if you cannot respond affirmatively to questions concerning precautions and practices, these are a good place to start your efforts to make a cyber event a little less certain.
Stay lucky – The odds are you’ve avoided becoming a cyber victim. Luck? Skill? It’s probably a bit of both. While you can take some steps to become an unattractive target for a “bad actor”, the experts say that most events are mishaps or accidents attributable to employees, vendors, customers, and visitors accessing our systems or visiting our premises. By investing in cyber education, and adopting best practices for good cyber hygiene, you may stay lucky longer.
Heed the wisdom of Pascal – What’s a 17th-century inventor, physicist, philosopher and mathematician got to do with cyber? Blaise Pascal, the religiously awakened son of a revenue collector and “father” of statistics and probability, had a pretty good appreciation for death and taxes, and other things unavoidable. His now famous “Wager” applied the scientific method to his religious philosophy. He accepted that a supreme being may or may not exist, and that we have the choice to believe or not. Pascal urged us to “bet” on God. Believers could not lose, while skeptics could. If there is a God, believers will get the ultimate reward, and if God does not exist, there is no penalty. But skeptics could suffer for their doubt. If you’re rational, you’ll always make the bet you cannot lose. So where’s the cyber angle? Preparation has no downside, and if you manage to avoid a cyber incident, whether it’s sound planning or staying lucky, you can still take the credit.
By: Stephen A. Cooper, CPCU, and Tyler Schapiro, CPA, Fourth Insurance Office, Inc.
Fourth Insurance Office, Inc. is an insurance consulting business specializing in transaction related exposures, management and cyber liability, and broker assessment.