Are New Zealand boards managing cyber threats?

Practical steps for executives to take to meet cyber threats


A new cyber analysis from Control Risks has found that IT departments lack confidence in the ability of their boards to manage cyber security threats as executives are not treating cyberattacks with the seriousness they deserve.

Insurance Business spoke to John Hannan, partner at DLA Piper, who advised the following practical steps for executives and boards to take to protect against cyberattacks in addition to a legal analysis of cyber insurance options and coverage, identification of exclusions and notification obligations, a coverage review and preliminary advice on indemnity.

“Map data assets, compile key contracts and relevant obligations, tally up IT infrastructure and resources, review existing protocols and response plans, and check whether cybersecurity insurance is in place,” he said.

The next steps, according to Hannan, are to identify legal obligations governing information handling and security, assess vendor management and data legal risks, identify regional differences in target countries, prepare a checklist of breach notification obligations, and execute an ongoing legal review using customised review protocols which can provide regular alerts and updates on developments in regulation.

He also recommended a report setting out weaknesses and deficiencies in cyber security/risk preparedness, a Red Amber Green (RAG) report prioritising rectification tasks in light of company culture and regulatory obligations, a review of a company’s governance structure as well as security policies and procedures.

“Also significant is the development of an incident response plan, which includes tabletop testing of the incident response plan and refinement of the plan in light of the tests,” Hannan pointed out.

For implementation, Hannan suggested the development of IT use protocols, cyber policies and procedures, personnel policies and level policies, and maintenance of cyber systems and implementation monitoring.

“Update contract methodology around cyber risk transfer and mitigation, including vendor template agreements and vendor risk review processes and establish business continuity and disaster recovery plans,” he said.

He encouraged engaging a technology partner to support penetration testing, set encryption standards, and establish network infiltration health checks.

“Legal should support forensic reviews by scoping technology support requirements,” he said.

And last but not least he advised customised cyber security and threat training for C-suites to build awareness and management buy-in.

“Conduct regular training with employees, including training for key functions such as finance, legal and compliance, HR, and IT security as well as regular mock runs on incident response protocols,” he concluded.

According to Southern Cross Travel Insurance CEO Chris White, the inability of boards to effectively manage cyber security threats is a valid current issue.

“Boards are realising they can’t outsource responsibly and that they need to support their investment in IT and infrastructure to manage cyber threats,” he commented.

Delta Insurance’s managing director Ian Pollard emphasised that boards cannot afford to ignore the cyber threat.

“In a world with ever-increasing reliance on technology, cyber threats to your business continue to grow,” he said. “With cybercrime annually costing an estimated US$1 trillion globally and estimated to be between NZ$250 million and $500 million here in New Zealand, cyber threats are an important and growing issue.”

