These two topics fit together like peanut butter and jelly. You are probably wondering what cyber liability and the Daytona 500 crash have in common… Well, nothing really, except that each risk can be managed. If we review the Daytona | Nationwide crash, we can see how they manage risk. You will identify many principles already in place, and based on post-crash interviews, it appears they will continue to review for future improvements. We will then review the risk of Cyber Liability and see how we could manage this risk more effectively.
Daytona | Nationwide Crash:
- Prevention Strategy: The catch fencing around the track prevented much of the debris from entering the stands.
- Mitigation Techniques: Emergency responders were onsite and able to assist injured parties as fast as possible.
- Transfer Mechanism: A couple of potential ways to transfer risk could include, “fans come at your own risk” or NASCAR requiring the Daytona track to protect NASCAR in the event of a crash like this.
- Assumption of Risk: Step one is to identify a risk – i.e. what if fans were injured in a crash. Step two is choosing how to manage that risk, and in this case they could choose to assume (self-insure) this risk. The key is that the business has identified the risk and is aware that it is doing so.
- Finance: The businesses could purchase an insurance policy to cover the risk of injury to their fans, any damage to the property, crisis management resources for PR, etc…
Now that we have worked through the Daytona | Nationwide Crash risk, let’s consider a risk more specific to your business. For the sake of this exercise, assume your business is a 5-physician medical practice.
Cyber Liability – hard copy records and electronic risks
- Prevention Strategies: Work with your IT vendor or in-house staff to make sure that anti-virus and anti-malware controls are installed and regularly updated. Develop internal policies for employees regarding what information can be shared on social media sites [business and personal] about your organization.
- Mitigation Techniques: Identify a Chief Privacy Officer in your company and have a breach response plan practiced by staff and ready to go.
- Transfer Mechanisms: In this case, medical staff could use their local hospital’s servers to host their electronic medical record system. This would move the system offsite and remove that responsibility from the practice.
- Assumption of Risk: Quantify the cost of a total breach. In this case, let’s assume there are 5 physicians x 2,000 unique records each x $214 per record [Ponemon – 2010 average cost]. This means your organization has a total risk of $2,140,000. You can now choose whether to assume [self-insure] or manage the risk another way.
- Finance the Risk: Purchase an insurance policy to manage some of this risk. A Cyber Liability Policy for a private medical practice would typically provide coverage for:
  - Network Security Liability
  - Privacy Liability Coverage
  - Privacy Breach Expenses: Forensic, Credit Monitoring, etc…
  - Regulatory Proceeding Defense
  - Internet Media Liability
  - Digital Asset Expenses
  - Business Interruption + Income Loss
  - Network Extortion Threat
  - Reward Payments
Overall, start with an assessment of your Strategic, Business, + Hazard risks. At VAST, this is the first step when we meet with every new client. Take a 360-degree view of risk. Too often the only risks discussed are those for which insurance can be purchased. Once a risk is identified, we can utilize strategies to Prevent, Mitigate, Transfer, Assume, and Finance the risk.