A session last week at the Florida RIMS Educational Conference in Naples, FL on Cyber Liability provided stark evidence of how much technology changes are impacting business, by offering a glimpse at the “dark side” of this continuing revolution. Michele Centeno and Glen Bailey, both of Beecher Carlson, joined Mike Rossi of the Insurance Law Group and Kurt Suhs of Ironshore to discuss the variety of risks that today's businesses face, and the extreme cost of not addressing potential risks in a connected world.
While I had originally hoped that this session would concentrate more on identifying and managing potential risks, I found it was primarily focused on the types of insurance and coverage levels businesses today should acquire to fully protect their interests. Still, it was a useful conversation, as exposure potential and the costs associated with it are most likely underappreciated by many corporate managers today, and the presenters provided adequate real-life examples of potential technology pitfalls. While hackers certainly account for much of the potential risk, disgruntled employees and poor document handling procedures are just as likely to torpedo an unsuspecting company. The proliferation of portable devices, capable of containing critical data and important password information, also presents a huge challenge.
So who should be concerned about cyber liability? Just about any company has a risk, particularly those that manage customer data electronically. Health care providers and companies engaged in active e-commerce must be acutely aware of the risks. In fact, according to the panel, any company with a web presence that goes beyond the most rudimentary marketing information should be concerned with the processes involved with managing information generated by that site. Even small employers could potentially be at great risk. It is not the size of the company; it is the size of the data that the company manages. Managers should be fully aware of how that information is handled, who has access to it, and what protections third-party vendors provide to secure their data. The liability for data loss can be significant, as such an event could end up costing millions in fines, lawsuits and punitive actions.
But beyond the risks presented with your online presence, I would recommend that managers “look closer to home”, at processes within the office. What portable devices do you have, and what data is allowed to reside on them? Who controls them and what is the procedure in the event one is lost? Does your company have a policy regarding the use of thumb drives? Can your critical data leave your office in someone's pocket? Is your wireless network secure? Who has access to the passwords, and how often are they changed?
This last area is one that is a particular hot button for me. One of the session panelists related a story about his brother-in-law, a small businessman in Georgia, who began losing bids to a company that employed a former salesman. They discovered that their wireless network was completely unsecured, and the salesman was sitting in their parking lot at night, accessing all their files and proposals, and was using that information to undercut them in the bidding process. I am personally amazed at the networks out there that are not secured. While it has been improving over the years, it is a major vulnerability. One day several years ago, while sitting in my attorney's office waiting for an appointment, I fired up a laptop to do some work, and discovered the law office next door had a completely open wireless network. I was able to look at their computers and, if I had wanted to, would have been able to read individual documents. That firm was shocked when I gave them a courtesy call to advise them of the situation. They had that network set up by an independent computer vendor, and had no idea that they were completely exposed.
These are the types of situations that can catch any business off guard. Ask probing questions of your IT folks or third-party IT vendors related to the security of your information. Establish proper password management and data protection procedures, and train your employees on them (often hackers can gain access to your systems via a simple phone call to an unsuspecting employee, who may provide password info to someone they believe to be in IT within your organization). Most importantly, be aware of HOW your data is managed and protected, WHO has access and WHAT you should do in the event of a breach.
And talk to your insurance specialist about what coverage you might need. Cyber liability is here to stay, and protecting your company's interests has never been so critical.