Building a Cyber Risk Management Program


BY NOW YOU have read and heard many horror stories of hacks, ransomware, cyber-warfare, and other cyber-related doomsday scenarios. Instead of listening to more scary stories, get proactive with a holistic cyber risk management program. A good cyber risk management program includes identifying team roles and responsibilities, identifying risks, training for prevention and incident response, and buying cyber insurance intelligently.

Building any significant program can be daunting. It can seem like there is too much to cover, and it can seem beyond your expertise. Add the day-to-day business needs and building a good cyber risk program can easily begin lagging on the priority list. But you can do it; you can put together a good program for your business to try to prevent issues, and to respond effectively when issues do arise. Start with any little piece and build from there. If you are unsure of where to start, begin by identifying team roles and responsibilities. The team may include employees, outside consultants, insurance experts, and more. Some people may, and even likely will, have multiple roles, and that is OK.

Identify Team Roles & Responsibilities

Identify your technology leaders. Who on your team is responsible for building and maintaining strong technology defenses? Who on your team is responsible for recovering your systems if something does happen? If you utilize third-party systems and security, make sure you know your contact points at the vendor for building and maintaining your technology defenses, and who is responsible for recovering your systems. Who is your point person for all things technology should a cybersecurity event occur?

Next, identify your operations and communications leaders. If an event occurs, who is leading your customer service communications and responses? Who is leading your carrier communications and responses? Who is leading your internal communications?

Identify your key external risk contacts as well. Get your cyber insurance carrier involved early. Getting them engaged early is good for coverage purposes, but do not underestimate their ability to help you respond effectively. Your cyber insurance carrier likely has experts on the technology side to help with recovery and forensics to find the culprits. They also likely have experts in how to navigate any dealings with the hackers.

Find out if your cyber insurance carrier will engage outside counsel to help you navigate any legal issues. If they will not, identify your own counsel to navigate those legal issues. Identify the law enforcement agency that may be able to help with your response as well. Unfortunately, most law enforcement agencies do not have the resources to respond to every event, so you cannot assume your local police will have the resources to help. Reach out to your contacts in the law enforcement community. Depending on your location, you may have resources in your local police department, the county sheriff’s department, your local FBI office, or the Department of Treasury. Research it ahead of time, so when an event does happen you already have the right number to call.

As you identify these key team members, do not miss one critical point: an electronic contact list may not do you much good in the event of a cyber event. Write your contact list down on paper and make sure multiple members of your team have that list and keep it up to date.

Identify Risks

Once you have team roles identified, spend time considering the possible risks to your systems. What attacks are hitting your systems today? What attacks are hitting others today? Attacks and strategies are constantly evolving. Know the possible risks and know how you will keep up to date on the latest types of attacks, so you can strengthen your defenses and prepare your responses. Know your weak points. Know how these weak points might be exploited or exposed, not just to build system defenses, but perhaps more importantly, so you can train your people to be a part of your strong defense. Technology cannot be the only line of defense in your cyber risk management program. Nor can your IT department be solely responsible for cyber risk management. Every person in your organization must be a part of the program, and they must understand how they protect—or expose—the business.


Train for Prevention

Many cybersecurity events arise out of phishing emails sent to all corners of your business. These emails mimic real emails and entice your people to open them, click on links, or take other actions. One common kind of phishing email looks like it is from the owner or CFO asking the employee to wire funds, provide credit card information, or provide data in response to an urgent need. The attack may not manifest itself immediately. Rather, the phishing email or other infiltration may burrow and nest in your system for a while before being detected. Educate your people about the basics of cybersecurity and their role in being vigilant. Train your people on how to spot suspicious emails. Test your people with mock breach attempts. Educate, train, and test new employees and existing employees alike. Refresh your education, training, and testing periodically. This is not a "set it and forget it" operation.

Train for Response

We all wish good prevention strategies would be all you need, but in today’s cybersecurity world, it is more than prudent to prepare for a possible event as well. Educate your people on their role in your response plan (not everyone needs to know every detail of your plan). Who is responsible for communicating to customers, carriers, employees and any outside inquiries? If systems are compromised, how will you continue servicing loads? How will you pay carriers and get paid? Who will take on restoring the systems? Who will take on doing the forensic work to find causes and culprits? Who will manage any legal issues? Educate your people on your response plan. Train your people on what to do if a cybersecurity event occurs. Test the plans as realistically as you can and learn from your test performance.

Buy Cyber Insurance Intelligently

Any good cybersecurity risk management program includes good insurance, from good insurers and insurance agents. In many ways cybersecurity insurance is evolving quickly and significantly. It may take multiple policies to ensure appropriate coverage for your business. Make sure you understand whether your insurance covers the costs and damages incurred to recover from an attack. Make sure you understand whether your insurance covers any claims you face as a result of a security event. Some policies cover all of it, some cover only parts. Make sure you understand the extent of your coverage.

It can seem daunting, but it is manageable. One step at a time you can build an effective cybersecurity risk management program. Identify roles and responsibilities, assess your risks, educate, train, and test your people and your plans, and make sure your insurance coverage is complete.

Doug Grawe is Dad, Business Counselor, and Transportation Industry Leader and CEO at The Grawe Group, LLC.