"You can't go a day looking online or in newspapers without hearing about some mind-blowing Cyber Security event."  With this Brian Sheehan of DelCor Technologies opened the October luncheon program on Cyber Security.  Brian presented his concerns and advice from the perspective of IT concerns.  Realizing that the source of cyber threats has shifted from the accidental to intentional, an organization needs  to elevate the discussion of assessment and response to the C-Suite if it hasn't done so already. Executives, pressured  by their boards or by their customers are responsible for assuring on-going reviews of data asset inventories and areas of vulnerable risk. That information guides budget decisions, response plans and staff training in taking the necessary and appropriate actions in the event of a threat or breach. 

Bobby Turnage, Jr, from Venable looked at the issue from the legal perspective.  The first step in assessing legal responsibility is to know the law.  While Federal law has sector specific requirements, as with HIPPA, understanding state law is essential.  State law varies in how it defines "breach" and assigns obligations for notifying those whose data may be compromised.  The next step is to be clear in your contractual obligations.  Examples of issues here are privacy policies and sharing arrangements.  When asked about potential costs of responding to a breach, Bobby references PR firms, data breach outfits, and - to the point - legal expenses.  These may take on several functions: advising on risk, advising on potential litigation and securing an outside forensic investigator.  Doing this through a law firm and not on your own protects the organization through the application of client/lawyer privilege.

Recognizing what you fear in the area of cyber threat is a good way to get some answers.  And so Lou Novick of the Novick Group opened his presentation on insurance with the question, "What are you afraid of?"  Audience members submitted concerns on loss of reputation and trust, on the use of rogue devices and on the costs of a satisfactory response to a breach.   For some of these questions there were specific suggestions, but for all of these Lou's perspective was clear:  the coverage available today has not caught up with the elevation of risk.  "In the last 6 months, the needle has swung," with higher and more wide-reaching incidence of breach.   Recognize that your insurance company likely does not have a comprehensive policy on data breach and be prepared to have specific and frequent discussions based on your assessment of risk.

To see the slides from this presentation, click here.

More questions?  Many of FAR's Resource Members work in the Cyber Security area.  Check out their contact information on the FAR website.