Let the Cyber Assessments Begin

Cyber security continues to dominate the news. On May 19th, President Obama made international headlines with his announcement that, according to a recent Washington Post article,

The Justice Department has indicted five members of the Chinese military on charges of hacking into computers and stealing valuable trade secrets from leading steel, nuclear plant and solar power firms, marking the first time that the United States has leveled such criminal charges against a foreign country.

Though it is highly unlikely that China will turn over the accused cyber spies, this action will most likely have serious implications for US-China relations--both commercially and politically.

On the domestic front, cyber security continues to be a major area of concern for the U.S. Government, and the DOJ isn’t the only government entity getting involved. In April, the SEC announced that it would begin conducting examinations of more than 50 registered investment advisors and broker dealers to assess their preparedness regarding cyber security. The sample 7-page questionnaire provided with the announcement included 28 questions on topics including risk assessment, security protocols followed, assessment of vendor relationships, threat detection capabilities, and details on previous cyber security incidents.

The SEC’s questionnaire is derived from the “Framework for Improving Critical Infrastructure Cybersecurity” released in February 2014 by the National Institute of Standards and Technology (NIST). The NIST framework was developed under an Executive Order issued by President Obama in February 2013 which identified cyber security as a critical national priority. The framework is now being deployed by various government agencies responsible for managing the 16 different sectors identified as part of United States critical infrastructure.

This means that the NIST framework is likely coming your way. As various key industries begin the process of responding to these reviews, they will in turn need to assess vendors that they rely on, and partners with whom their computer networks interact. This assessment goes far beyond the protection of credit card data and other consumer information, exposures which have dominated media headlines in recent months and years. As more and more devices, machines, and systems become accessible and/or controlled by computer networks, the possibility increases that these same devices, machines, and systems can be seized by parties with ill-intent.

As a country, we of course worry about this from a national security perspective. Much has been written on the possibility of a cyber terrorist attack impacting our electrical grid, transportation systems, or financial markets.

On a smaller scale, however, a cyber attack could result in significant financial losses to individual businesses. How long would it take to find the source of the cyber intrusion, stop it, and restore your systems? What happens if you can’t operate a manufacturing line, or track and fill customer orders, or answer client inquiries because your computer network was rendered inoperable for hours or days?   Many of these processes used to be manual – but how quickly can you go back to a paper and pen system? Do your employees even have the information to do so?

Much of the discussion around cyber insurance focuses on the coverage available for breaches of personal data, which is a significant exposure for all consumer-facing companies. A lesser-known component of cyber insurance, however, is the coverage for extra expense and loss of income arising out of a cyber security failure (referred to as “business interruption” or “BI” coverage). Some cyber policy forms will even offer BI coverage for a “system failure” – which is simply defined as an “unplanned outage” of your network (think about things like a system upgrade gone wrong, where the new software freezes up your network.) Not all cyber policies include a BI extension, and in many cases the coverage available is sub-limited.

The takeaway: Whether using the NIST framework or another methodology, your next review of cyber liability exposures should consider the immediate financial impact a cyber security failure could have on your business operations, and review the insurance options available to transfer that risk.