- 1. New York issues cyber insurance framework as ransomware, SolarWinds costs mount
On February 4, 2021, New York became the first state in the nation to issue a cybersecurity insurance risk framework (https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02) to all authorized property and casualty insurers. Noting that ransomware insurance claims jumped by 180% from 2018 to 2019 and doubled from 2019 to 2020, New York's Department of Financial Services (DFS) advised insurers not to make ransomware payments, for three reasons:
1. The US Treasury Department's Office of Foreign Assets Control (OFAC) warns of the national security implications of paying a ransom, saying that insurers can be liable for ransom paid to sanctioned entities.
2. Even if insurers do pay a ransom, there is no guarantee that the victims will get their encrypted files or stolen data back.
3. Many insurers are not yet able to accurately measure cybersecurity risk. Without that gauge, “cyber insurance can therefore have the perverse effect of increasing cyber risk—risk that will be borne by the insurer."
Major carrier-underwriters such as AIG and Zurich have mostly been following these recommendations already.
- 2. Financial Targets Don’t Motivate Employees
It’s natural for leaders to emphasize the importance of hitting financial targets, but making numbers the centerpiece of your leadership narrative is a costly mistake. Financial results are an outcome, not a root driver of employee performance, and a growing body of evidence tells us that overemphasizing financial targets erodes morale and undermines long-term strategy.
Leaders looking to motivate employees must instead use their time with their teams to build belief in the organizational purpose, the intrinsic value of the employees’ work, and the impact they have on customers and on each other. To do so, the authors recommend three tactics:
1) Reevaluate how you use your leadership airtime;
2) Discuss your customers with specificity and emotion; and
3) Resist the urge to widely share every measure of financial performance.
- 3. After the Breach and Beyond
NIST Special Publication (SP) 800-61, Computer Security Incident Handling Guide, outlines a detailed, pragmatic approach to the actions organizations should take before, during, and after security incidents. It is incumbent upon every organization to develop its own Computer Security Incident Response Plan, tailored to its needs, after a data breach. Beyond the data breach itself, the organization must also focus on developing a culture of security that is pervasive throughout the enterprise, concentrating its efforts on the following areas:
1. Institutional Reputation Repair and Restoration
2. IT Enterprise Risk Management Program
3. Information Security Awareness and Training
4. Governance and Information Security Strategic Planning
- 4. Texas power outage flags need to revisit business continuity
Freezing conditions that caused Texas power outages affected businesses well beyond the state's borders, prompting a need for business continuity plans to be revisited.
- 5. Undervalued and ineffective: Why security training programs still fall short
Research reveals a glaring disconnect between the need for security training and its perceived value. But organizations that have made their awareness programs a strategic priority and adopted more modern approaches are finding success.
- 6. Security job candidate background checks: What you can and can’t do
Enterprise cybersecurity begins with a trustworthy staff. Here are six steps to ensure that current and prospective team members aren't hiding any skeletons:
1. Reference check
2. Identity confirmation
3. Court record check
4. Address corroboration
5. Education verification
6. Database check