The Tools to Minimize and Respond to Cyber Threats
Thomson Reuters recently held their 17th Annual Law Firm CFO & COO Forum. One well-attended session, “A Swift and Measured Response: Organizational & Client-Focused Responses After a Cyber Incident,” featured a panel of experts including Lena Licata, a director in EisnerAmper’s Process, Risk, and Technology Solutions. Lena shared her unique insights gleaned from client experiences, as well as important steps to take before, during and after a breach.
The panel had a vital message: It is not if, but when, an incident will occur. The group described the 2017 NotPetya ransomware attack. Although NotPetya was centered in Ukraine, the attack spread to multinational companies such as Merck and FedEx. Damages were estimated at more than $10 billion worldwide, and the recovery periods were extensive. To help prepare for such an event, companies should perform a cyber-risk assessment so that they can put their resources to best use. Think about critical questions: Who are you? What do you do? What do you need to protect? An assessment should consider a company’s regulatory landscape, sensitive information and service providers. Companies need to weigh the impact of increasing regulations, such as the General Data Protection Regulation (GDPR), and the possible reputational impacts of a data breach. A risk assessment can provide a roadmap to help prioritize spending. The panel noted that from the public’s and regulators’ perspectives, certain services can be outsourced; however, you still own the risk.
Lena noted that companies should have proper preventative and detection tools in place to allow for a rapid response and minimize potential damages. Lena segmented these tools into three key buckets: (1) governance policy and procedures; (2) hardware and software; and (3) human security. A company’s cyber program should address each of these three buckets. Steps include training employees on dos and don’ts, keeping staff abreast of new technologies, patching existing systems in a timely manner, and reviewing policies to make sure they remain valid and current.
The panel stressed the importance of having a robust response plan in place, part of which should include cyber insurance. Aon Risk Solutions’ Thomas Ricketts emphasized the need to review policies and address risk points. Coordinate cyber coverage with other policies, such as professional liability insurance. The cyber plan should also identify an internal team along with key external professionals, including forensics consultants and outside counsel.
At the end of the day, nothing can substitute for being prepared and having a well-practiced plan in place.