What’s the difference between a company that has cyber coverage and one that doesn’t? It isn’t just that one will get a check from their carrier and one won’t. The biggest difference, according to RSM’s Andy Obuchowski is that one company will be directed to someone like him who can get to the bottom of what happened and the other company will conduct a Google search to find someone who may or may not be able to help.
Obuchowski is practice leader for digital forensics and incident response services as well as director of security and privacy consulting for RSM, a global tax, consulting and audit firm with 38,000 employees in 760 offices in 120 countries.
He’s been doing digital forensics work for nearly half his life, much of that time in law enforcement.
As with many types of insurance, when cyber insurance was first offered, most companies sort of yawned. Today, though, Obuchowski, whose firm doesn’t offer insurance, says people understand the need and are talking about it.
“Awareness is steamrolling. A few years ago a company had to take a public flogging before they were interested in cyber security or cyber insurance,” he said. Four or five years ago, he said he would go to investigate an incident and the client would say to him “as long as you’re here, what should we be doing to make sure this doesn’t happen again?
“Risk assessment was secondary. Companies didn’t act on it until after it happened,” he said.
Today, though, he said companies are a lot more proactive, coming to him before they have a problem and asking for a risk assessment. “We’re moving in the right direction. People in the C-suites are beginning to understand that not only are their companies liable, but that they may be personally liable in the event of an incident where people’s data is compromised.”
It’s funny, he said, that a lot of companies are introduced to him by their insurance agents or carriers only to find that they are already clients of RSM’s but didn’t know RSM offered cyber forensic services.
“There are a lot more conversations about insurance today. Four or five years ago, companies didn’t have cyber insurance and didn’t want to talk about it. Today, people want to talk about it. They want to learn how insurance can help protect them in the event of a cyber incident.”
He said that companies with insurance have access to experts who can help them when they really need it. Without insurance, he said, “People call their cousin Vinny, or they ask a friend who knows something about IT, or they Google ‘cyber forensics,’ and it doesn’t always work out so well for them. I’m a rarity. I’ve been doing this since I was 18. I’m not just another IT guy who took an online class in forensics.”
Obuchowski said insurance carriers and brokers see having a relationship with him or someone like him as a benefit they can offer clients. When someone’s reputation is on the line, he said, their insurance broker, their lawyers (or the lawyers brought in by the insurer) and he all “become one big family.”
He says health care information is among the most at risk and that even companies that don’t think they deal in health care information probably have such information, related to employer sponsored health plans, workers compensation etc.
A problem he finds with many clients is that they keep information longer than they need to. “Businesses should not keep information any longer than they need to. A lot of companies keep information ‘just in case’ but doing that simply exposes more data in the event of an incident,” he said.
One of the things he said he is seeing more of these days is ransom situations, where a hacker threatens to use or release information unless they are paid substantial sums of money not to. “I got two calls today (March 1) from clients saying they had been threatened by people demanding ransom payments. Some companies think they are too small to worry about this, but they aren’t.”
