Cyber Security Responsibilities – CTO, CFO, or the Entire Board?
Equifax recently had a security breach affecting 143 million people. Every day there are victims of cyber ransom and breaches all over the world. If you are leading a business, are you counting on your luck? Are you going to deal with cyber security prevention only after the damage is done? Who bears the responsibility for safeguarding your company’s vital data? Is it the responsibility of the Chief Technology Officer, the Chief Financial Officer, or the entire Board of Directors?
The short answer is: the entire Board of Directors, CEOs, and business owners must command from the very top and proactively come up with strategic and specific plans to avoid the devastation resulting from a cyber security breach. Failing to plan is planning to fail. Those who do not evolve in time will suffer huge losses to their revenues and reputations.
Leadership must implement an effective risk management program and invest in risk reduction activities, such as finding security vulnerabilities by doing a compromise assessment to discover any suspicious activity within the company’s current network systems. After cleaning up the systems, develop a risk management plan with specific steps for safeguarding critical data assets.
First, determine which assets are most critical, meaning those that would cause the most damage if compromised. These can include the data itself, the technical architecture, or the systems customers use to transact business. Every facet of risk should be considered, from legal risk and the consequences of a data breach to the inability to deliver services resulting from an intrusion or denial-of-service attack.
Then develop a security routine and a systemic plan for delivering products and services without risking vital data.
Thirdly, come up with a prioritized risk reduction plan, tracked by the company’s leadership.
Fourth, prepare for a nightmare scenario: if a serious breach occurs, what steps does the company need to take without pulling the plug and losing all the data? Worse, pulling the plug may even erase key information a computer forensics company may need to assist the investigation. Identify those individuals or groups that should be contacted in the event of a potential breach, such as representatives from the executive group, legal (either internal or an outside consultant), privacy or information security, risk management, information technology, human resources and public relations.
Given the growing reliance on external partners — cloud providers, payroll processors and the like — firms should also consider where vendor touch points exist and how or when those third parties will contribute to the breach response process. They may need to be included on the contact list or they may even be responsible for raising the initial alarm if a breach occurs. It’s also important to ensure vendor contracts clearly spell out the company responsible when a breach occurs and who is liable for notifying those impacted. Other vendors are also commonly part of the response team, such as media relations consultants experienced in crisis management and notification firms with the resources necessary to quickly inform breach victims about the situation.
Last but not least, get insurance protection against cyber security risks of any kind. If the business has Cyber Liability coverage, the insurance company should also be part of the breach response plan. There are support services included in many policies that will be helpful in the event of an exposure, ranging from forensic investigation teams to data recovery specialists.
To maximize the value of any applicable coverage, firms must be ready to access available features quickly and through the most efficient channels.
Call the Rick Callaway Team at Pacific Diversified for an in-depth discussion about the most appropriate insurance policies for your business. Rick is proud of his years of experience protecting businesses and going the extra mile.
Abbreviated from “http://www.riskmanagementmonitor.com/companies-must-evolve-to-keep-up-with-hackers/”, July 28, 2017, by Jerry Dixon, chief information security officer at CrowdStrike, and from “What’s your data breach response plan?”, Jul 18, 2016, by Rich Blumberg, http://www.propertycasualty360.com/2016/07/18/whats-your-data-breach-response-plan?t=loss-control&page_all=1&slreturn=1505233911