"We've been hacked."

More than one company — in fact, more than one government — awoke to the reality of this unsettling statement in 2015. Reports about hacks into accounts at eBay, Sony Pictures Entertainment, and the Central Intelligence Agency may have been among the most publicized incidents, but weren't the only serious breaches recorded. If time has proven anything, it's that cyber-related exposures are not diminishing, nor are they being stopped by security measures.

All indications are that data breaches and other cyber-related exposures are on the rise, and the situation may become worse before it gets better. According to the Identity Theft Resource Center, there have been more than 620 data breaches in the United States in 2015, resulting in 176 million records being exposed (as recorded through October).

Some of the largest data breaches on record have occurred within the past year, including:

  • Healthcare provider Anthem, with personal information reportedly compromised for as many as 97 million people.

  • Social website AshleyMadison.com, with personal details for 36 million user accounts stolen and made public.

  • The federal Office of Personnel Management (OPM), with more than 5.6 million fingerprint records reportedly stolen.

Two types of corporate victims

According to Richard Clarke, the former national coordinator for security, infrastructure protection and counterterrorism for the United States, there are two types of companies — those that have been breached and are aware of it, and those that have been breached and just don't know.

Once a breach has been discovered, the associated tangible and intangible costs can be significant and affect a business' long-term ability to survive. According to the 2015 NetDiligence Cyber Claims Study, the average cyber-related insurance claim amounted to $673,767 ($4.8 million for a large company and $1.3 million per claim in the healthcare sector). The study also reported the average cost per breached record amounted to about $964.


Cyber exposures

In the current marketplace, many businesses can amass a great deal of information about customers and employees and then store the information indefinitely.

The primary cyber-related exposure a company often faces is a data breach that results in unauthorized access or release of an individual's personally identifiable information (PII) or protected health information (PHI). PII includes such information as name, address, birth date, Social Security number, driver's license number, and credit card or financial account information. PHI includes an individual's healthcare policy number, biometric information, medical condition, test results, prescriptions, and so forth.

As technology continues to advance, the cyber exposures that companies face are expected to increase exponentially. To that end, a company's management team needs to consider cyber-related exposures from different perspectives:

  • Cyber as a peril: Businesses are becoming more automated and depend increasingly on computers, software and the Internet to manage their industrial control systems. Managers of these critical infrastructure operations — including energy, utilities, communications, transportation and manufacturing — need to consider and evaluate the potential impact that catastrophic events such as cyber terrorism and cyber war can have. What would the implications be for the business if control systems were to fail or be destroyed? What would the potential impact be on the company's main business operations and those of its contributors in the supply chain?

  • Corporate financial perspective: When evaluating cyber exposures, a company must assess its financial health and ability to survive a threat. In conducting audits and assessments, rating agencies may ask the company how it would react to a cyber threat. If the company is publicly traded, its stock price might be affected. A company could face lawsuits from shareholders and customers for failing to take adequate cybersecurity measures. Additionally, a company experiencing a cyber incident might experience reputational harm and loss of business, even if only for a short period of time. Lastly, a company has to decide whether to secure cyber insurance.

  • Information Technology perspective: Excellent cybersecurity measures and dedicated IT resources are critical to helping protect a company's assets. Many businesses continually wrestle with whether to invest more in IT operations to prevent cyber breaches and better protect their data or to purchase cyber insurance in the event of a breach. Many IT experts now believe that 100 percent prevention is impossible and that working to mitigate the losses during a cyber incident may be a prudent course of action.

  • Insurance perspective: Depending on the extent of its business operations, a company may have to comply with multiple federal and state privacy laws if a data breach is discovered. Currently, 47 states and the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have enacted laws requiring private or government entities to notify potentially affected individuals of a data breach. Has the company secured the services of a data breach coach or remediation firm to help address those requirements? Is there adequate insurance coverage to help pay for breach-related expenses?


Preparing for the worst

It's clear that many companies stand to benefit when they prepare a cyber strategy before a claim occurs. Here are some of the steps in developing such a strategy:

  • Identify assets. What constitutes a critical asset will often vary from company to company. For example, retail operations, health care facilities and higher education institutions might consider their customer data to be a critical asset. Manufacturing, energy and telecommunications companies might consider their critical asset to be industrial control systems. Financial institutions, on the other hand, might take a different view and identify the trading platform to be a critical asset. Regardless, identifying what assets need to be protected is a crucial first step.

  • Outline a plan of action. Companies need to establish a plan of action and identify measures to help protect their assets. Vetting upstream and downstream supply chain vendors to inquire whether they employ cybersecurity best practices should be included in any strategy.

  • Develop partnerships. Leveraging the services of a skilled service provider — professionals who have handled prior data breaches — may make dealing with a cyber incident an easier process. This might include a breach coach, typically an external legal counselor skilled in handling data breaches, or a data breach resolution service that offers pre-breach assessment and education and post-breach remediation services.

  • Train employees. Employees often pose the greatest internal threat to a company. While malicious employees play a part, studies have shown that more often than not, it's an honest employee who causes cyber incidents, either through human error or by mistakenly doing what the employee believes is right. Developing and distributing a cyber emergency response plan can be the first step, but the company should also train all employees and turn the response plan into a protocol — that is, make it almost second nature as opposed to an afterthought. It's important for everyone — from the C-suite down to entry level — to be on board and know how the plan unfolds.



Consider Cyber insurance

To survive, a company needs to do all it can to prepare for a cyber incident. Being prepared oftentimes goes beyond developing a cyber strategy — it should also include consideration of a Cyber insurance policy as a risk management transfer mechanism.

While most business leaders don't think twice about purchasing a Commercial Property or General Liability insurance policy, when it comes to cyber, far fewer companies have secured this specialized coverage. A robust Cyber insurance policy generally provides first- and third-party type coverages designed to address data breach exposures, including coverages for the following:

  • Security breach expenses incurred to establish whether a breach has occurred, investigate the cause and scope of the intrusion, and notify victims

  • Actual loss of business income and extra expenses that a firm incurs as a result of ceasing its web activities due to a virus or extortion threat

  • Extortion threats and threats to introduce a virus, malicious code, or a denial-of-service attack into the insured's computer system; divulge the firm's proprietary information contained in the system; inflict "ransomware"; or publish the PII or PHI of the firm's clients

  • Public relations expenses associated with restoring a firm's reputation following a data breach

  • The cost to replace or restore electronic data or computer programs damaged or destroyed by a virus, malicious code, or denial-of-service attack

  • Security breach liability arising from the unauthorized disclosure of a third party's PII or PHI from within the computer system or if the firm's computer system spreads a virus to a third party

  • Liability arising from programming errors or omissions that ultimately disclose clients' confidential information held within the computer system

  • Website publishing liability and media liability for errors, misstatements, or misleading statements posted on a website that infringe on another party's copyright, trademark, trade dress, or service mark; defame a person or organization; or violate a person's right of privacy

Advance planning is often the best defense in combating cyber risk. Companies that develop and implement a well-prepared cybersecurity strategy before a cyber incident occurs are generally in a better position to respond and survive.


© 2024 ALM Global, LLC, All Rights Reserved.