By Erin Ayers, Advisen
Ransom payments receive a lot of attention, but failure to identify, understand, and classify data remains one of the key errors made by organizations and a chief driver of cyber insurance claim costs and delays, according to experts speaking during Advisen’s Cyber Risk Insights Conference, held virtually on Oct. 19-21.
Asked by panel moderator Meredith Schnur, cyber brokerage leader for Marsh, for their top advice for reducing claims costs, the group zeroed in on data classification issues. It’s a task that is “easily said, but not easily done,” Schnur noted.
“The costs certainly tend to rise, not just with the number of documents that have been exfiltrated, but with the content of the information that goes out the door,” said Jamie Berry, executive vice president, Integreon. “That’s where you see the price tag rise with these types of events.”
Identifying where “hidden sensitive information” is located should be a priority of any organization, he said. Frequently, the data lost during cyber events surprises even company executives.
“Folks just don’t understand how much sensitive data they have living in those datasets,” Berry added.
Data classification problems “really spike the costs,” said Danielle Roth, head of claims for AXA XL. She cited two recent events that “should have been six-figure incidents that turned into seven-figure incidents because they had masses of uncategorized data.”
“You’re over-notifying in those cases because you’re not able to ascertain what you have in real time,” Roth added.
Social engineering has been worsened by the COVID-19 pandemic, according to Roth, but is “something that’s so preventable” with education and internal procedures.
Some 40% of cyber events handled by the law firm of Lewis Brisbois include ransomware, and 30% involve some element of business email compromise, Donna Maddux, partner with Lewis Brisbois, said. These attacks can give cybercriminals unfettered access to email accounts with potentially decades of data.
“There’s no reason for a CFO to be sitting on 20 years of data when clearly the company’s retention policy says they shouldn’t,” said Berry. “All of that contains a treasure trove of personally identifiable information.”
Older organizations definitely have a disadvantage, with 20, 30, or 40 years of data, according to Vincent D’Agostino, head of cyber forensics and incident response at BlueVoyant. It falls on companies to evaluate all the data they’ve collected. It’s an “unforced error” for companies that can result in a significant breach event, he said. Even if the threat actor has no reason or intention to use or advertise the data, regulatory requirements still apply.
“You’re going to spend a fortune notifying people whose data probably isn’t truly at risk,” said D’Agostino. He added that organizations without good data retention policies often also fail to implement multifactor authentication.
“It has a compounding effect … This is the perfect storm of a lot of money this is going to cost you,” he said.
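The panelists’ advice above (find the “hidden sensitive information,” then enforce the retention policy so a 20-year-old export is not sitting in a mailbox when an attacker arrives) maps onto a fairly simple discovery job. The following is an added illustration written for this page, not a tool from Advisen or any of the firms quoted: it walks a directory tree, counts SSN, email, and Luhn-valid card-number hits per file, and flags PII-bearing files whose modification time is past a retention window. The regexes, the seven-year window, and the sample files it creates in a temporary directory are all assumptions chosen for the demonstration, and the file contents are constructed test data, not real records.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import Optional

# Narrow regexes for three PII types (assumed patterns for this demo). A real
# discovery tool carries many more (DOB, account numbers, health terms) and
# tunes them per dataset; the point here is the workflow, not the pattern set.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Count PII hits per type in one document's text; empty dict means no PII found."""
    counts = {}
    for kind, rx in PATTERNS.items():
        hits = rx.findall(text)
        if kind == "card":
            hits = [h for h in hits if luhn_ok(re.sub(r"[ -]", "", h))]
        if hits:
            counts[kind] = len(hits)
    return counts


@dataclass
class Finding:
    path: str              # file path relative to the scanned root
    counts: dict           # e.g. {"ssn": 2, "email": 1}
    age_days: float        # from mtime; stand-in for "last business use"
    beyond_retention: bool


def scan_tree(root: str, retention_days: int, now: Optional[float] = None) -> list:
    """Walk root, classify every readable file, flag PII files older than the window."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = classify_text(fh.read())
            except OSError:
                continue
            if not counts:
                continue  # files without PII do not widen notification scope
            age = (now - os.path.getmtime(full)) / 86400
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append(Finding(rel, counts, age, age > retention_days))
    return sorted(findings, key=lambda f: f.path)


def summarize(findings: list) -> dict:
    """Roll-up: total hits per PII type, PII-bearing file count, files past retention."""
    totals: dict = {}
    for f in findings:
        for kind, n in f.counts.items():
            totals[kind] = totals.get(kind, 0) + n
    return {"totals": totals, "files": len(findings),
            "stale_files": sum(1 for f in findings if f.beyond_retention)}


def build_sample_corpus() -> str:
    """Create constructed (fake) sample files in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="pii-demo-")
    files = {
        # A 20-year-old payroll export: the "CFO sitting on 20 years of data" case.
        "finance/2003_payroll.csv": (
            "name,ssn,email\nA. Person,123-45-6789,a.person@example.com\n"
            "B. Person,987-65-4321,b.person@example.com\n", 20 * 365),
        # Recent order log: one Luhn-valid test card number, one that fails the checksum.
        "sales/orders.txt": (
            "order 1 card 4111 1111 1111 1111\norder 2 card 4111111111111112\n", 3),
        # No PII at all; must not appear in the findings.
        "notes/readme.txt": ("Quarterly planning notes. Nothing sensitive here.\n", 10),
    }
    for rel, (text, age_days) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        stamp = time.time() - age_days * 86400
        os.utime(path, (stamp, stamp))  # back-date mtime to simulate file age
    return root


if __name__ == "__main__":
    root = build_sample_corpus()
    results = scan_tree(root, retention_days=7 * 365)  # assumed 7-year retention window
    for f in results:
        flag = "PAST RETENTION" if f.beyond_retention else ""
        print(f"{f.path:28} {f.counts} age={f.age_days:.0f}d {flag}")
    print(summarize(results))
```

Two design points matter for the claims-cost argument in the article. First, the Luhn filter is there because over-counting is as harmful as under-counting: every false positive is a record you may end up notifying on. Second, the retention flag is computed per PII-bearing file, so the output directly answers the question D’Agostino raises, which files hold data the company is obliged to protect but has no business reason to still have.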
Other factors that drive costs during breach events include disorganization at the breached firm, failure to prepare ahead of time, and not having the right decision-makers involved.
“A breach event is a traumatic event … If you haven’t gone through the mental cycles of talking through what a breach might look like or how it might manifest, you’re trying to make important, critical decisions while still trying to emotionally process what happened. That’s a recipe for bad decisions and indecision and creating impediments,” said D’Agostino.
Maddux agreed that having the appropriate people at an organization involved in a breach response can help “push through the roadblocks” that crop up during events.
“There has to be that decision-maker who has the authority to make tough calls in terms of changes they’re going to make and evidence they’re going to provide,” she said.
Editor Erin Ayers can be reached at [email protected]