The majority of businesses do not have adequate cyber-liability risk management procedures in place. Moreover, many do not understand the four fundamental elements of risk management as they apply to cyber-liability exposures.
The first element, risk avoidance, means eliminating the activities that create the exposure in the first place. Some measures are extreme, such as not accepting credit card payments or not using the Internet within the facility at all. More reasonable measures can include the following:
- Do not write down or copy confidential information.
- Use the Internet only for business transactions.
- Prohibit employees from using the Internet for personal reasons.
- Store sensitive documents in a locked, fire-resistant file cabinet.
- Dispose of sensitive documents by shredding.
- Use security cameras and lighting.
- Connect the facility to a central security company.
The second element, risk reduction, lowers the likelihood or severity of a loss through proper policies and procedures. The following are risk-reduction strategies:
- Implement written policies and procedures regarding the handling of sensitive personal information.
- Train employees on policies and procedures. Review and update these regularly.
- Screen employees using criminal background checks.
- Utilize third-party, PCI-DSS-certified vendors who comply with the major objectives of the certification standards.
The third element, risk transfer, shares the burden of risk with another party. This can be done through both insurance and contracts.
A variety of coverages and policies are available to address cyber-liability exposures at various price ranges. Companies should work with their independent insurance agents to analyze risk and identify appropriate coverage and limits.
Basic liability coverage can include privacy notification and identity protection expense, public relations expense, electronic-data restoration expense, and more.
It’s crucial to understand any contracts with customers and vendors. Businesses need to know what risks they are assuming, and they should always seek legal counsel to review contracts. Insurance requirements should always be discussed with an independent insurance agent.
Finally, risk retention is the acceptance of risk. It includes both going without coverage and the portion of a loss a business still bears after purchasing a policy for a particular exposure, namely anything outside the policy’s limits and sublimits and within its deductibles.