Cybersecurity Breaches Pose Significant Risk to Reputation: A Simple Solution to Ensure Client Trust
Insurer Hiscox Ltd. is listed on the London Stock Exchange and is a constituent of the FTSE 100 Index. Despite being considered an insurance expert in the field of cybersecurity, it recently experienced a data breach. Could Hiscox and the law firm that enabled the breach have prevented this damaging blow to their reputations?
Reputation damage from a cyberattack poses significant risk to any entity that runs on trust-based relationships. Clients share intimate details with insurers and law firms, and they expect their information to be protected at all costs. When a large cyber breach occurs, it calls into question whether to continue the relationship and whether the client will ever trust them again.
Hiscox Ltd. is a well-regarded insurer. It specializes in niche P&C areas and offers cyber risk coverage for companies and high-net-worth individuals. While the breach in question had been caused by an unnamed law firm, it endangered Hiscox’ reputation—a reputation that Hiscox had taken years and years to build.
Details of the Breach
News of the breach unfolded over several months:
- April 2018: Hiscox acknowledged that it had suffered data theft and that the hacked server “may have included information relating to up to 1,500 of Hiscox’s US-based commercial insurance policyholders.”
- December 31, 2018, the insurance company admitted in an official statement that among the stolen documents was information related to the tragic events of September 11.
- SC Magazine reported that the law firm at the source of the breach paid an initial ransom, but then violated terms of agreement by reporting the incident to law enforcement. The hackers then demanded that a second ransom be paid, and said they will also sell information obtained in the breach to interested third parties on the dark web.
- Dark Overlord, the hacker, then offered the stolen documents for sale online because Hiscox went to authorities.
Dealing with Reputation Risk
Reputational damage insurance might be considered. However, according to a recent article in Risk and Insurance, “the biggest criticism of standalone reputational damage insurance is that there simply is not enough capacity to offer meaningful indemnity against lost revenues or a stock crash. ‘The truth is, insurance can’t do much to solve a company’s reputational crisis — even if you took all the capacity in the market and applied it to a bad loss, it would barely make a dent.”
Given that a law firm’s most precious asset is its reputation, this breach raises major questions about the firm in question:
- Did it do at least the minimum to protect its reputation and the reputations of the individual lawyers involved?
- What if all of the confidential corporate documents showing sensitive records had been exposed?
- What if details of questionable actions that should have been protected by the law firm were revealed?
- What if intellectual property from patent filings and disclosures got into the hands of the Chinese?
- What simple processes or procedures could the firm implement to protect its reputation?
- How will they prevent this from happening again in the future?
A Simple Solution
Over the past few years, the U.S. government has led in creating a clear definition of the minimum action needed to protect sensitive data:
- In 2012, President Obama directed the National Institute of Standards and Technology (NIST) to create a framework enabling corporate and government organizations to understand how to protect critical assets. NIST responded by engaging 3,000 cyber experts in business, government, and academia to collaborate in the production of the NIST Cybersecurity Framework (“NIST CSF”) that was released February 2014.
- In 2015, President Trump signed an executive order mandating that Federal agencies employ NIST CSF to evaluate and report their cyber status regularly to the Office of Management and Budget.
- Since its introduction, NIST CSF has amassed broad acceptance in the U.S. and abroad as a way to assess the overall cyber resilience of an organization in a comprehensive way.
- In 2017, the Department of Homeland Security extended SAFETY Act liability coverage to organizations that automate NIST CSF to manage cyber risk.
After a breach, clients with trust-based relationships only want to know one thing – what did you do to guard the information I gave you in confidence—the information you promised to protect? What are your ongoing policies and practices to prevent cyber risk?
Building an automated cyber risk management system on the foundation of NIST CSF provides a strong response to clients, and for anyone diligently using NIST CSF, it provides reputational damage control for media inquiries and any third-party lawsuits alleging negligence:
“We review our cyber resilience against a comprehensive framework developed by 3000 experts at least quarterly and at every board meeting.”
Users of Cybernance software can offer a far stronger response:
“We use the only NIST CSF system that has been vetted and approved by DHS for a SAFETY Act designation as a Qualified Anti-Terrorism Technology. In the event of breach designated by DHS as a terrorist act, we have the maximum liability protection available.”
Company leaders must have a clear explanation of how seriously the organization has taken cyber risk in order to weather the aftermath of a cyberattack and reduce or prevent reputational damage. Taking the appropriate steps and processes will help enable a trust-based business to maintain its good standing with clients as a respected name in the market.