Cybersecurity requirements and best-practice expectations keep growing, and so, most likely, do your concerns about how they are enforced.
If you want to keep yourself and your company off regulators' radar, and to stay ahead of the game if or when cybersecurity best practices become law for your industry, this article is for you. It covers:
- What industries currently require and enforce cybersecurity best practices
- What changes are being made to these regulations and their enforcement
- Best-practice guidelines from industry regulators
- Next steps you should take to successfully protect your business
The hidden consequences if your business falls prey to a cybersecurity event
1. Increased cost to raise debt
Perception becomes reality when an organization has suffered a cyberattack. A company's credit rating can be lowered in the aftermath of a data breach, and that can affect a company's ability to raise debt or renegotiate its existing debt, Deloitte said.
The corporate credit rating of U.S. retailer Target was downgraded from "A+" to "A" in March 2014 by ratings agency Standard & Poor's months after a cyberattack.
While Standard & Poor's has kept a stable outlook for the company and says it believes the data security issues are largely behind Target, it has not bumped Target's credit rating back to "A+."
Deloitte's analysis said that credit ratings agencies typically downgrade a company that has experienced a cyber incident by one level.
2. Impact of operational disruption or destruction
Any disruption of normal business operations will have financial repercussions.
Resources from one part of a company could be diverted to other parts in the wake of a data breach.
If a company's e-commerce site has to be shut down temporarily, for example, the company will lose out on current and potentially future business when customers go to a competitor.
3. Lost value of customer relationships
If those customers like what they see from the competitor, they might not return to the business that suffered the breach. Deloitte's hypothetical analysis showed that the customer attrition rate increases by 30% in the wake of a cyber incident and does not return to normal until three years later.
In the case of Target, S&P said in March 2014: "We expect the data breach to have a somewhat lingering effect on customer traffic at least through the first half of fiscal 2014."
4. Value of lost contract revenue
Similar to the effect on a company's ability to raise debt, contract negotiation with other entities is more difficult after a data breach. And that's in addition to contracts that might be terminated as a direct result of a cyberattack.
A company may have built cost increases for services into its financial models, Mossburg said, so those models must be recalculated in the event of a data breach.
The IBM and Ponemon Institute report said the "biggest financial consequence to organizations that experienced a data breach is lost business."
5. Devaluation of trade name
If a company sells services to other companies, the buyer is less likely to seek additional services from a provider that has suffered a data breach.
And a company such as a retailer obviously has to rebuild brand loyalty after a data breach.
"Now that this has happened, that relationship has been damaged, and companies have to start over in that investment process," Mossburg said.
6. Loss of intellectual property
This can be the most crippling effect for a company that suffers a data breach.
The effects could be long-lasting or potentially fatal to the company's survival, depending on what type of intellectual property is lost.
"If you lose plans, if you lose designs, or lose [research and development] that you've been working on for months or years, and that then is brought to market by another organization faster and cheaper than you can do it, that impact can be reverberating for decades," Mossburg said.
7. Insurance premium increases
A company might need to buy or renew its cybersecurity insurance after a cyber incident. But that doesn't mean it's renewing or buying for the same cost as its previous policies.
Deloitte said it was not uncommon for companies to face premium increases of 200% for the same coverage, or to be denied coverage until they had demonstrated to the insurer that they had strengthened their cyber defenses.
Insurers could cite any number of issues with a company in the aftermath of a data breach, Mossburg said, citing weak access controls, an insufficient incident response plan, or insufficient monitoring as among the possible factors.
Basically, insurers are in a position to tell a company what it needs to fix before coverage will be continued.
Discover where cybersecurity law is heading, starting with the state of New York
Now that we know the consequences of a cybersecurity breach and the damage it can cause your business, the next logical step is to find out what’s being done about it.
2016 was a busy year for lawmakers on breach notification rules.
The National Conference of State Legislatures' survey of security breach statutes tells us that 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches involving personally identifiable information (PII).
Only three states - Alabama, New Mexico and South Dakota - have no law requiring consumer notification of security breaches involving PII.
A total of 26 states introduced or considered security breach notification bills or resolutions. Most of these bills tweaked existing security breach laws that apply to business, government or educational institutions.
Some of the changes, if ultimately enacted, will:
- Expand the definition of "personal information" (e.g., to include medical, insurance or biometric data) in cases of a security breach.
- Add to or change the requirements as to who must comply with notification requirements.
- Require businesses or government entities to implement security measures.
- Require educational institutions to notify parents or government entities if a breach occurs.
Most states are leaning toward the National Institute of Standards and Technology (NIST) Cybersecurity Framework as the model, with its core functions of Identify, Protect, Detect, Respond and Recover.
In that regard, New York is poised to be the first state to impose minimum cybersecurity standards, through its Department of Financial Services, on larger (>$75MM) banking, insurance and financial services businesses.
The proposed rules are due to take effect in March 2017 and would require such businesses to implement a defensive infrastructure that identifies internal and external risks; detects, responds to and contains Cybersecurity Events; restores normal operations; and meets all reporting obligations.
Stay on top of your industry’s cybersecurity best practice guidelines to avoid enforcement by regulators
Certain professionals, such as lawyers, accountants, securities broker/dealers and investment advisers, are already subject to self-regulation.
In addition to the federal and state mandates on privacy, there are self-regulatory guidelines developed by governmental agencies and industry groups that do not themselves carry the force of law but set out best-practice guidelines for numerous professions.
These self-regulatory guidelines are premised on accountability, and their enforcement components are increasingly used as tools by regulators.
Generally Accepted Privacy Principles (GAPP) have been developed from a business perspective, referencing some significant local, national and international privacy regulations.
GAPP organizes complex privacy requirements into a single privacy objective that is supported by 10 privacy principles.
Each principle is supported by objective, measurable criteria that form the basis for effective management of privacy risk and compliance in an organization.
Title 26 (Internal Revenue Code), sections 7216 and 6713 - These provisions impose criminal and monetary penalties, respectively, on any person engaged in the business of preparing tax returns, or of providing services in connection with their preparation, who knowingly or recklessly makes unauthorized disclosures or uses of information furnished to them in connection with the preparation of an income tax return.
Internal Revenue Procedure 2007-40 requires Authorized IRS e-file Providers to have security systems in place to prevent unauthorized access to taxpayer accounts and personal information by third parties.
Revenue Procedure 2007-40 further states that violations of the GLB Act and of the FTC's rules and regulations under it, as well as violations of the non-disclosure rules contained in certain IRC sections, are considered violations of the Revenue Procedure itself and are subject to penalties or sanctions.
If you handle taxpayer information, you may be subject to the Gramm-Leach-Bliley Act (GLB Act) and the Federal Trade Commission (FTC) Financial Privacy Rule and Safeguards Rule. "Financial institutions" as defined by the FTC include professional tax preparers, data processors, their affiliates and service providers who are significantly engaged in providing financial products or services.
Securities broker/dealers and investment advisers, for their part, fall under:
- Regulation S-P, which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access.
- Regulation S-ID, which outlines a firm's duties regarding the detection, prevention and mitigation of identity theft.
- The Securities Exchange Act of 1934 (Rule 17a-4), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format.
ABA Model Rule 1.6(c) provides that lawyers are required to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Comment 18 to the rule considers what constitutes an attorney’s “reasonable efforts” and explains that the attorney’s ethical obligation is not violated if “the lawyer has made reasonable efforts to prevent the access or disclosure.”
Nicole Black, writing for Above the Law in her article Cybersecurity For Lawyers: The Nitty Gritty says “using even basic technology such as email without understanding and implementing necessary security procedures and tools is unethical at best — and at worst can even amount to malpractice”.
Nicole reports that twenty-six states now require that lawyers stay abreast of changes in legal technology and Florida now requires that lawyers accumulate 3 CLE technology credits per biennial cycle.
So why don't we read much in our local news reports about privacy breaches involving law firms?
The cyber liability insurance industry shares plenty of examples of law firm privacy breaches, both offline and online.
The general consensus among experts on the extent of cybersecurity events at law firms is that breaches occur all the time yet go unreported, except for the mega-law-firm stories such as the recent Panama Papers.
Security experts conclude that without effective laws for breach notification and cyber information sharing, it may remain difficult to truly gauge the threats facing law firms for some time to come.
While they may not be suffering the public embarrassment that accompanies the disclosures required of HIPAA- or PCI-DSS-regulated industries, law firms will undoubtedly start losing clients as the unregulated "business grapevine" spreads the word about sensitive data lost through lax data protection practices.
5 cybersecurity steps to protect your clients and your business that you can implement this week
- Make sure employees are aware of ransomware and of their critical roles in protecting the organization's data.
- Ensure antivirus and anti-malware solutions are set to update automatically and to conduct regular scans.
- Manage the use of privileged accounts: no user should be assigned administrative access unless absolutely needed, and administrator accounts should be used only when necessary.
- Back up data regularly and verify the integrity of those backups regularly.
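The backup step is the one that is most often done and least often verified: a backup that has been silently corrupted, encrypted by ransomware or partially deleted is discovered only when a restore fails. As an added example, not code from the original article or from any vendor it mentions, the following Python script records a SHA-256 manifest of a backup set and later checks the backup against it, reporting files that were altered, deleted or added since the manifest was written. The backup directory, file names and contents in `demo()` are constructed for the demonstration; point `build_manifest()` and `verify_manifest()` at a real backup root to use it.

```python
"""Hash-manifest integrity check for a backup set (added example).

Constructed demonstration: it creates a tiny throw-away "backup" in a
temporary directory, records a SHA-256 manifest for it, then tampers with
one file, deletes another, adds a third and shows that verification catches
all three. Run build_manifest() after each real backup and verify_manifest()
before you rely on that backup.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup files need not fit in memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, streamed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the backup on disk with a manifest recorded earlier.

    Returns files whose content changed, files that are gone, and files
    present now that were not in the manifest (a useful hint that something
    wrote into the backup location after the backup job finished).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def save_manifest(manifest: dict, path: Path) -> None:
    # Keep the manifest off the backup volume (or sign it): an attacker who can
    # rewrite the backup can rewrite a manifest stored next to it just as easily.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: a clean backup, then three kinds of damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "clients").mkdir(parents=True)
        (root / "clients" / "matter-001.txt").write_text("engagement letter\n")
        (root / "clients" / "matter-002.txt").write_text("deposition notes\n")
        (root / "ledger.csv").write_text("date,amount\n2016-12-01,100\n")

        manifest_path = Path(tmp) / "backup.manifest.json"  # outside the backup tree
        save_manifest(build_manifest(root), manifest_path)

        # A clean backup verifies with nothing to report.
        clean = verify_manifest(root, load_manifest(manifest_path))

        # Simulate ransomware rewriting one file, an operator deleting another,
        # and a stray file appearing inside the backup tree.
        (root / "clients" / "matter-001.txt").write_text("ENCRYPTED\n")
        (root / "ledger.csv").unlink()
        (root / "README.txt").write_text("pay us\n")

        damaged = verify_manifest(root, load_manifest(manifest_path))
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats for real use: store the manifest somewhere the backup job cannot overwrite (or sign it), and remember that a matching manifest proves the copy is intact, not that it is restorable, so schedule a periodic test restore alongside the hash check.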
Implement the #1 defense against cyber attacks
A responsible cyber insurance provider will do much more than pay out after a real cyber event: it will partner with you to provide the tools and advice to mitigate the cyber threat before it becomes a reality.
If you do suffer a cybersecurity breach, however, you will want the protections that a stand-alone cyber liability insurance policy offers:
Stand-Alone Cyber Insurance Policy Features
- Covers loss and defense costs, including regulatory fines and penalties, when confidential information is maliciously or accidentally disclosed or destroyed at the law firm or at a company vendor.
- Breach Response Experts: a network of technical and legal experts available 24/7, with immediate response to complicated breaches as well as routine compromises of confidential data.
- Broad Coverage Features*: covers loss of business income and the cost to rebuild or re-engineer electronic data, including forensics, after a computer hack, virus, denial-of-service attack or cyber-terrorism event.
- Not Covered Elsewhere: while Lawyer's Malpractice Insurance policies may provide coverage for cyber liability in connection with legal representation, they do not provide first-party coverage or remedial services.
*Refer to the actual policy for all terms and conditions of coverage.
Cyber Insurance Sample Premiums
- $100,000 annual revenue: $850 annual premium
- $700,000 annual revenue: $1,100 annual premium
- $3,000,000 annual revenue, $1,000,000 in coverage: $2,200 annual premium
*Premiums subject to underwriting acceptability and individual risk considerations.