The one thing that most businesses don't want to experience is a security breach, especially a large one. But there is no doubting the fact that we are all prone to becoming a victim of one; the key is learning how to mitigate the risk of it actually happening.

But it's not just recovering from a breach that you need to worry about. Given today's litigious society, there is a whole host of legal issues that you need to be aware of, and even comply with.

Here are the top four you need to know about:
1) Your Cyber insurance carrier:

You may have Cyber insurance through an established carrier, so you think you are fully protected financially, right? WRONG. After you have been breached, one of the first things you will want to do is file a claim and expect an immediate payout, just like with car insurance. Unfortunately, it does not quite work that way.

Even before you received your insurance policy, you most likely filled out some kind of questionnaire attesting that you have all of the needed controls in place. After your claim is filed, it is highly likely that your insurance company will revisit that same questionnaire, and may even want to audit your IT/Network Infrastructure to some degree to make sure that those same controls are still in place and working. If this scenario does happen, answer all questions truthfully. Any misrepresentation on your part, even by accident, could lead to a denied payout and even termination of your Cyber insurance policy. More information on this can be seen at the link below:

https://www.darkreading.com/risk/10-key-controls-to-show-your-organization-is-worthy-of-cyber-insurance
2) The auditors will come out:

If your company is large enough and is publicly traded, the chances are high that you will face an even harsher audit, this time with some serious financial penalties. For example, under the GDPR you could face fines of up to 4% of your total gross revenue, and under the CCPA the fines can be as much as $7,500.00 for each PII dataset that was compromised. Once again, you will want to be truthful about everything, but since this is much more serious than an audit by an insurance company, you will probably want to have your lawyer next to you.
3) Wire transfers not going through:

In the case of a Ransomware attack, if you do decide to make a ransom payment (it is highly advised that you do not do this), you will most likely try to send it via wire transfer. But it is not as easy as that. Given the tighter financial regulations today, many financial institutions will not wire that money to a foreign organization unless it is an established one. To make things worse, the US Treasury Department's Office of Foreign Assets Control has even made it an act of treason to make a ransom payment to a nation-state threat actor. Also keep in mind that if you do make a Ransomware payment, your insurance company will not reimburse you for it! More information about this can be seen at the link below:
4) Notifying impacted parties:

Remember, it is not just your company that is impacted, but your customers as well. Therefore, you have a legal obligation to inform them if any of their confidential information or data has been stolen. The laws have become strict, and in some situations you must provide written notification (USPS mail or email) of what has happened. Then you need to provide a proper course of action, such as offering free credit reporting and monitoring services.

But even if you take all of these precautionary steps, you could still face a barrage of lawsuits, so be ready for that as well.
My Thoughts On This:

The best advice that I can give you here is to first conduct a comprehensive Risk Assessment Analysis, and from there make sure that you have all of the needed controls deployed, and that they are optimized and updated at all times.

Then, if anything happens and your business does indeed become the victim of a security breach, at least you will have done everything in your power. That is all anybody can ask for.

Also, try to find a good lawyer that has solid Cyber experience, especially when it comes to compliance and the data privacy laws. They will truly become your best friend and advocate if you are hit.