Cybercrime is a fast-growing threat to U.S. companies, with data breaches, phishing scams, ransomware and malware all now part of the corporate security vernacular. The COVID-19 pandemic has only made matters worse, creating more security threats now that more people are working from home on less secure networks. Security is not just an IT concern; it is an organization-wide risk with far-reaching implications that also affects the operational and financial aspects of companies as a whole.
The latest FBI data tells a disturbing story. According to The Hill, the FBI logged about 1,000 daily cybersecurity complaints before the pandemic hit. During COVID-19, however, that number has spiked to 4,000 complaints per day. The cost of these threats to companies is substantial. The damage of cybercrime is expected to total $6 trillion in 2021, with related global cybersecurity spending projected to have reached $124 billion by the end of 2020. All of this has fueled demand for cyber insurance, a market expected to reach $8 billion in gross written premiums in 2020.
Where does a company begin in the face of this formidable and frustrating threat? Experts recommend undergoing a technology assessment to understand the nature and extent of potential IT security threats. Such an assessment is a multi-dimensional review of an organization’s IT environment and security practices. Once completed, the assessment helps determine the overall effectiveness of the security of a company’s technology environment by identifying potential gaps in specific IT security practices and providing actionable recommendations to enhance the company’s security posture.
A company will know it needs a technology assessment if it has:
- A lack of visibility into its IT organization and practices (e.g., IT is a “black box”);
- Specific concerns related to IT security or internal controls;
- An under-resourced IT department; and/or
- A lack of organizational policies and procedures related to IT considerations, including incident response and disaster recovery.
If you spot one or more of these indicators, it’s time to start planning a technology assessment. While using internal IT resources may be an option, leveraging the expertise of a third party is often most effective: a critical success factor for assessments is that they are conducted by experienced individuals who are free from organizational bias and knowledgeable in diverse technologies and IT security risks. Depending on the specific circumstances of the company and the assessment, it may also be appropriate to consider performing the assessment under the protections afforded by legal privilege. The benefits of an assessment include:
- A baselined understanding of multiple facets of IT practices compared against an established IT security framework;
- Enhanced visibility into technology risks across the IT landscape;
- Identification of potential gaps in IT practices and internal controls, particularly those related to security;
- Increased awareness of potential shortcomings in IT practices that may pose excess or unnecessary risk to the organization;
- Recommendations related to identified potential gaps; and
- Identification of actionable activities to enhance IT security posture; governance and internal control; and operations.
The assessment, however, is only a starting point to proactively head off potential security threats. A risk-mitigation strategy that has multiple components and dimensions is often needed – particularly to directly address financial exposures that could result from an occurrence of an actual security incident. Accordingly, companies should also review and evaluate their insurance policies to understand what is – and isn’t – covered under their policies when cyber criminals wreak havoc.
Companies should examine their coverage and policy limits, especially with regard to ransom payments; first-party vs. third-party damages; future profits; and potential expenses, such as legal advice and regulatory fines. It is important to note how common it is for companies to incur these additional expenses when dealing with cyber incidents. To manage them effectively, companies should:
- Have coverage or limits that include adequate coverage for these and other related costs; and
- Maintain proper documentation supporting the quantification of these expenses for claim submission purposes.
With the average cost of a data breach currently at $8.6 million, and breaches of all kinds significantly impacting corporate America, it is prudent for companies to start preparing for and preventing attacks by taking inventory of their IT policies and practices; partnering with knowledgeable internal or third-party resources to complete a technology assessment; and implementing leading practices, IT security measures and other processes based on the assessment’s results. To supplement these preventative measures, it is also important to ensure that adequate insurance coverage is in place in case an actual security incident occurs.
We’re Here to Help
Bennett Thrasher offers a comprehensive approach to preventing and managing cybercrime instances for our clients. To learn more about our cyber-related service offerings, contact Chris Frederick, Mike Hostinsky or Jim Dougherty by calling 770.396.2200.