In 2020 alone, industries across the board experienced a total of 1001 reported data breaches. It is no secret that businesses must comply with the security and privacy regulations defined by the states and countries they operate in, by their industry, and by the type of audience and customers they serve.
These include well-known regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA) and many others. The National Institute of Standards and Technology (NIST) Cybersecurity Framework also belongs on this list, as it has become a widely used framework for guiding cybersecurity initiatives.
The Importance Of A Cyber Incident Response Plan
To achieve compliance, these regulations demand a documented and tested cyber incident response plan. This is an acknowledgment not only that cyber incidents will happen, but that businesses must be prepared to respond when they do.
Across regulations, the core requirement is a plan for incident response and recovery, together with notification of impacted entities and individuals. Such a plan must be documented and ready to be enacted in a time of crisis. In practice this means an additional line on the security budget covering what-if scenarios, staffing with trained professionals and outside experts, and frequent testing to confirm that the required procedures are actually in place and work.
Many organizations are misled into believing that their regular, full-time security team will be able to handle the task alone. That team is absolutely critical to the recovery process, but the following questions help define how many resources a business may have to pull in, beyond regular staffing, to meet the demands of a credible response and recovery process:
• In the case of ransomware, do you have staff with experience negotiating with cybercriminals?
• Is your security staff ready to work overtime until the crisis is resolved?
• Is your legal team prepared to handle lawsuits resulting from sensitive data being compromised?
• Do you have the means to notify customers and partners of potentially compromised data?
• Do you have the means to subscribe impacted entities to identity theft protection?
The Reality Of Post-Breach Activities
To show the reality of post-breach activities, we have documented a sample of 2019 attacks and what the affected businesses had to go through to respond. Post-breach responses are just as costly and painful for small businesses as they are for large corporations, and sometimes lead to bankruptcy. The American Medical Collection Agency (AMCA) breach became public around May 2019, when several diagnostic and healthcare providers that used AMCA for billing disclosed that the breach had exposed the financial, medical and personal information of millions of their patients. Unable to pay the millions of dollars in expenses related to notifying patients and addressing lawsuits from its customers, AMCA's parent company filed for bankruptcy.
By going one step further and adding cyber insurance requirements, regulations would not only ensure that a common level of protection is enforced across all businesses in the same category, but would also raise the capability of those businesses to respond. An obvious starting point is the business sectors that process sensitive information. They have been favored targets for cybercriminals in the past, and their response and recovery costs grow as the volume of sensitive records they process increases.
Cyber Insurance Guidelines In Action
We are already seeing a surge in efforts by government-level entities to put forth guidelines and frameworks related to cyber insurance. In California, Assembly Bill No. 2320, introduced by Assembly Member Ed Chau, proposes that if, “in the course of doing business with a state agency, a contractor will receive or have access to records containing personal information protected under the Information Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of Part 4 of Division 3 of the Civil Code), the contract shall require the contractor to carry cyber insurance sufficient to cover all losses resulting from potential unlawful access to or disclosure of personal information, in an amount determined by the contracting agency.”
In the U.S. Congress, the published report of the Cyberspace Solarium Commission, co-chaired by Senator Angus King and Representative Mike Gallagher, proposes to implement the Commission's recommendation to “resource and direct the Department of Homeland Security to fund a federally-funded research and development center (FFRDC) to work with state-level regulators in developing certifications for cybersecurity insurance products.” These voluntary certifications would cover underwriter training, claims adjuster training and cyber insurance product certification.
The rapid rise in cyber incidents, particularly during the pandemic, has put significant pressure on insurers to update how they underwrite cyber risk. In February 2021, the New York State Department of Financial Services (DFS) introduced the Cyber Insurance Risk Framework, overall guidance for insurers providing cyber insurance in the state. A statement from the New York DFS notes that the Framework, the first guidance by a U.S. regulator on cyber insurance, “outlines industry best practices for New York-regulated property/casualty insurers that write cyber insurance to effectively manage their cyber insurance risk.” While it is not a statement about making cyber insurance mandatory, it is a step in the right direction: it acknowledges that there is a correct way to underwrite cyber insurance in order to best protect a state's businesses.
At the federal level, lawmakers have not standardized specific cybersecurity requirements across industries. One way to raise the floor on minimum security practices would be to require a cyber insurance policy, with defined minimum limits of coverage, for every business. Because insurers price policies on the controls a business actually has in place, this would not only further protect both businesses and consumers, but would also set the bar higher for cybersecurity standards.