Cyber Liability & Prevention
In April 2011, Sony’s online gaming network was hacked, compromising the personal and credit card information of 77 million users. The network outage lasted 23 days and cost Sony $171 million. A class action suit has charged Sony with negligent data security, unauthorized storage and retention of data, and failure to properly encrypt data.
News stories of company data breaches are common these days, although perhaps inflated. The Economist[1indicated the survey and statistical extrapolations for determining the frequency and amount of cyber liability is flawed. The magazine article indicates many studies and surveys are undertaken by those who stand to gain from preventing, mitigating or transferring the risk of cyber liability.
Even if cyber liability is exaggerated, the maxim better safe than sorry may apply. Cyber liability is when an unwanted third party breaches or hacks into a corporate or other entity’s system and steals data, monies or property. The data is often from the entity’s customers, clients or taxpayers. The hackers can use the personal, private information for nefarious purposes. Because of an entity’s responsibility to hold personal information of customers and clients, the entities become liable for the untoward harm to their clients, customers and employees. The entity experiences damage to its reputation, harming the company’s cash flow, stock valuation and branding. Companies can undertake steps to prevent, mitigate and transfer risk.
In October 2011, Advisen presented an in depth program to Risk Managers and Brokers on this topic. In summary, the risk comes from:
- Spearphishing (using an email spoof attempt),
- Phishing (posing as a trustworthy identity), and
- Man-in-the-middle schemes (using a false website resembling a legitimate site)
Often the result is the downloading of software that scans and obtains the desired data and information from a corporation or individual network or computer.
Education of employees is key in order to prevent the accidental downloading of tracking software and viruses. Many participants in the Advisen program believe this to be the most important preventative and mitigative step for avoiding phishing and spearfishing. To prevent man-in-the-middle schemes, companies and individuals can use providers and websites that offer dual and opposing confirmation security. For example, after logging in to a website, the website or provider displays an agreed-upon visual or security code to verify the user is an authentic website and not a man-in-the-middle website.<
Finally, there is an inexpensive alternative for small and middle size companies to avoid spyware and viruses: utilize a separate computer for paying payroll taxes, accessing bank accounts and accessing other private information. The separate computer should not be signed up or set up to accept emails. However, the inexpensive separate computer fix is only as good as long as the users are consistent in not allowing any information to be loaded, and physical access is restricted. These simple steps of prevention will assist in avoiding incidents of data breaches, but are not a substitute for proper risk mitigation and risk management utilizing cyber liability policies and crisis management planning.
 The Economist.
October 15-21, 2011, p. 69.
“Measuring the Black Web.”