June 24, 2014

Security experts are moving from using the word "if" in the context of cyber breaches to "when." At the same time, a recently released study by RSA (the security division of EMC, a provider of data storage, information security, and cloud computing products and services) notes that security leaders today speak in terms of resiliency against cyber threats rather than prevention. Furthermore, based on recommendations from RSA's Security for Business Innovation Council, a group of top security leaders from Global 1000 enterprises, big data analytics is "considered fundamental" to developing cyber-threat resilience.

Isn't it interesting that the very same big data that can sometimes be a cause of concern when moving to cloud computing is also cited as a significant part of the solution?

With the ability to access anything from almost anywhere, a business's data can be more vulnerable to attacks. Cybercriminals are hard at work attempting to access data that now exists online, which previously only existed on a network that was accessible exclusively from firm offices. The logic mirrors the urban legend about 20th century bank robber Willie Sutton having said he robs banks because "that's where the money is." Similarly, cloud providers store data for many companies (and individual consumers), making them a richer target.

Shawn Dougherty, Verisk
Shawn Dougherty, Verisk

The threat of disgruntled employees breaching corporate data is potentially even more worrisome. For example, freely available cloud storage tools make it possible for employees to remove data from secured corporate networks that they may have access to and store it for retrieval on their personal devices.

Nearly three in four respondents in an IDC IT Cloud Services User Survey cited security as a concern for cloud adoption, making it the top concern among respondents. That said, while the consequences of a network or online data breach may keep executives up at night, the likelihood of a breach with information stored at a cloud provider may, in fact, be a greater cause of concern.

[Previously from Verisk: Are Insurers Dressed for Digital Success?]

And whether data is stored on a corporate network or the cloud, the impact a breach can have on a company extends from reputation issues to lost revenue and even legal action. Depending on the size and extent of a data breach, the data breach notification and network forensics costs alone can quickly escalate into hundreds of thousands of dollars or more.

If a business uses cloud service providers for data storage, it needs to recognize that doing so may, in fact, increase its potential for loss. For example, a business may currently have its data stored in multiple locations on one or more servers. Centralization of that data into one location may increase the overall risk. Likewise, a business may face a greater potential loss of control of sensitive data -- personally identifiable information (PII) and/or protected health information (PHI) or its own corporate intellectual property or trade secrets -- if it chooses to store the data in the cloud.

In becoming cyber resilient, insurers can help protect their financial and reputational interests through a cyber insurance policy. The policies generally provide first- and third-party coverages for data breach-related exposures. The exposures can include expenses incurred to notify affected parties of the breach and the cost to restore a business's reputation in addition to addressing potential liability for a data breach. Coverage for forensic investigation, notification costs, and expenses incurred to hire public relations firms, establish call centers, and implement credit monitoring services commonly falls under cyber insurance policies. When unauthorized access to PII and/or PHI engenders regulatory fines and penalties, cyber insurance policies generally cover defense costs for regulatory proceedings. Some policies extend coverage to assessed fines and penalties as well.

In helping shoe up their defenses with respect to both policy coverage and technology tactics, insurers may align their security strategy with their business strategy -- and big data can help in that effort. As the RSA study affirms, "big data analytics can benefit a wide variety of business processes ranging from IT support to optimizing the manufacturing supply chain. . . . Big data adoption offers significant competitive advantage, not only through better threat detection, but by way of deeper market insight, tailored customer service, and valuable operational intelligence."

Michael Jordan once said, "My attitude is that if you push me towards something that you think is a weakness, then I will turn that perceived weakness into a strength." The same holds true for cyber and the cloud. The cloud is a growing technology that evolves every day. While it can deliver significant bottom line benefits for many companies, growing cyber theft concerns require commensurate action. Businesses should implement appropriate tools and processes to be further prepared for security and privacy breaches and choose a cyber insurance policy to better protect themselves should a breach still occur.

About the author: Shawn Dougherty is assistant vice president, Specialty Commercial Lines at ISO, a member of the Verisk Insurance Solutions group at Verisk Analytics