INSURANCE NERDS
BLOG
What to do to Minimize Cyber Risk
Wake up! That’s the urgent cry from four local experts, who suggest measures all businesses can take immediately to minimize their cyber risks.
Every business person has gotten the message that technology changes all the time. Hardware, software, networks and systems have become moving targets you must follow and invest in continually, every year throughout the year, in order to remain competitive.
But few business people seem to realize that the same principle applies to the cyber risks posed by that very same technology. “This is never static,” said Emilio Fuentes, CEO of Knowlity, a local IT consulting firm. “The threats faced by a business are dynamic. There is always a risk that must be managed, including threats we’re not even aware of right now. Since we can’t control when risks arise, their degree of complexity, and much less eliminate every incidence, we must manage the risk.”
“As soon as you connect a cable for network and Internet connectivity, you’re at risk,” warned Luis Valencia, president of STTC, another local consultancy.
What can you do about cyber risk?
1. Education and Vision
Businesses in Puerto Rico have been very slow to catch on and make the changes necessary. The place to begin, therefore, is education. Executives must learn what’s at stake and what they have to do. A big mistake would be to assume you know. Get help instead. Education and coaching begin with a vision. “How do you view cyber risks?” For most business people, cyber risk is a cost.
Technology is an investment, but protecting against its risks is seen as a cost. The question they ask is, ‘What equipment and insurance coverage do I need to buy to be protected?’ But this cannot be seen as a cost, as something you can simply install or a policy you can just buy and you’re done. Cyber and network security have become commoditized. People buy protection off the shelf, like anti-virus programs, thinking that will get it done, but this is not the way to go.
2. An integrated team approach
Instead, all experts agree that a business must take an integrated approach to cyber risk, a seamless combination of people, process and technology.
It’s all right for the IT manager and department to take the lead, but the CEO has to be on board to create the culture and sense of priority. The Human Resources Department must be integrated to ensure proper training of everyone involved and create awareness among all employees.
The COO must also work hand-in-hand with IT to implement the right processes and make sure the company is aligned in every possible way. In other words: technology, people and processes working in sync and constantly updating.
3. Beyond regulation
Federal and local regulations provide a starting point, forcing companies to implement a minimum standard of cyber risk protection, mainly to protect consumers against privacy breaches.
But cyber risks have become so complex and varied per industry that lawmakers and regulators have been unable to keep up. If you’re just complying with regulations, you’re exposed to significant additional risks. Thus, we recommend that all companies go beyond regulatory requirements and set up the protection they actually need.
4. Wise use of money
Given unlimited time and money, a business would be able to buy lots of protection. But no one has unlimited time and money, and that requires that you be more practical. We suggest that every business have its cyber risk team engage in a constant evaluation of its risk position and needs, invest in the technology and insurance protection it can afford, start with the low-hanging fruit that is easier and less expensive to implement, and plan to increase its protection over time.
The important thing is to have the most protection possible at the price you can afford at any given time.
5. Vendors and applications
Every vendor you subcontract and software application you buy for your business comes with a potential cyber risk.
The solution: design a cyber risk review for each one. Your suppliers should answer a set of questions about their risk position and exposure, particularly if they are exposed to your data or connected to your network.
6. Insurance coverage
Cyber risk has become an emerging field in the insurance industry. A well-designed policy can cover a business for damages and liability that technology fails to prevent, such as loss of data, lawsuits for privacy breaches, network breakdowns, business interruption, and more.
But before writing a policy, insurance companies want to be sure that the business is taking every other step possible to minimize the risk.
“We need to be content that the client is taking cyber risk seriously and is doing what needs to be done; that the company is not negligent. Then we design an insurance policy that fills the gaps that arise inevitably from a company’s risk avoidance measures, since we know they are unable to prevent all risks and potential damages.” – Ramón Pérez, partner in charge of commercial risks, claims & information technology at Fulcro Insurance.
Insurance coverage also contemplates a rapid response in case of a hit. “In cyber risk, the insured’s reaction time has to be immediate,” he added. “This isn’t like a hurricane that we can see coming. It’s more like a fire that happens with no warning and creates damages that have to be recovered immediately.”
To find out more about the cyber risks you may be exposed to, contact one of our insurance specialists at get@fulcroinsurance.com or call our offices at 787.725.5880 (Puerto Rico), 404.873.2536 (Georgia), 407.384.2201 (Florida), or 809.620.0000 (Dominican Republic), and we can help you design the best insurance program for your business.