There was a time, not so long ago, when if you were in business, you worried about things like theft, fires and increased regulations. In the world of 2021, the list of things to worry about is much longer: cyber-attacks/malware, electronic data breaches, espionage, ransomware, identity theft. And then there are active shooters, workplace violence, new employment practices, supply chain disruption, and, of course, more regulations.
To understand what we are all experiencing, what we can and should be doing about it all and what the future holds, I sat down recently with two local business leaders who are recognized for their expertise — Devi Momot,* president/CEO of TwinState Technologies, and Deena Giltz McCullough,** president/CEO of Northern Insuring Agency.
Our conversation began as Momot described her recent trip to the DC region. “The state of cybersecurity today is severe and it is projected to get worse,” she said. “When the federal government is on high alert, that is a clear sign we should all be on high alert. We are used to the government protecting us in kinetic wars with tanks, ships and the military, but some of the threats we are experiencing now are an invasion that renders those defenses useless. All of us must be part of the defense of cyber if we are to prevail.”
Recent high-profile attacks on large companies may allow some businesses to heave a sigh of relief. After all, small and mid-sized businesses are not on the radar of cyber criminals. Right? Wrong! There is money and power to be gained by attacking companies that are likely to have less sophisticated security and controls in place. Those are, often, small businesses.
NEW YORK SHIELD ACT
Provisions of New York State’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) took effect in October 2019. Additional data security requirements became effective in March of 2020, with limited notice and amid the global pandemic. The SHIELD Act’s jurisdiction is broad, as it applies to all companies holding New York resident data. This means it is not just addressed to New York companies, but to any person or business which owns or licenses computerized data which includes private information of a resident of New York. The previous version of the law was limited to those companies that conduct business in New York. The impact of the act is twofold. First, companies must disclose data breaches—as defined under the SHIELD Act to include unauthorized access as well as acquisition—and report to the New York regulators if a breach occurs. Second, companies must have a data security program that safeguards the security, confidentiality and integrity of private information. While the act does not establish specific requirements, it lists various practices that are considered reasonable administrative, technical and physical safeguards. For each safeguard, the act lists actions or procedures a company should consider implementing. More information is available at www.termsfeed.com/blog/ny-shield-act/
To survive in this environment, companies need to educate themselves. “Successful businesses have a thorough understanding of their financials and what is truly critical for their business success,” Momot observed. “It is equally important that they are diligent about their cybersecurity protections. It is critical that an organization identify its most important assets and do what is necessary to protect them. If everything is important, then nothing is important. If you don’t understand your risks, you can’t defend against them.”
Giltz McCullough joined the conversation by explaining, “There are four ways to respond to risk: Avoid it, accept it, mitigate it, or transfer it. Insurance is a way to transfer risk.” Having said that, she acknowledged there is no way to cover every contingency regardless of price. “Rules and regulations have tightened about the transfer of risk for cyber insurance. Most insurance companies now require, at a minimum, two-factor authentication and encryption before they will even offer a comprehensive proposal with $1,000,000 limits. Many companies will offer sub-limits of $20,000 to $50,000 and, while this is better than nothing, it is a small portion of the cost of a serious breach.”
She continued, “My advice is to take an active role in risk management to avoid a claim while protecting yourself from the unforeseen with an insurance policy you understand and have made conscientious decisions on what to purchase—or not. Our philosophy is to simplify the complicated by educating people about the need for risk management and insurance options in terms they can understand. You can hope to avoid being a victim, but hope isn’t a plan. It isn’t real until it is!”
Asked about their thoughts on what the future holds for risk analysis and management, McCullough emphasized, “In ten years cyber insurance will be as common as general liability insurance is today. As for the problems we will face in the future, they are probably ones we do not even see today.”
“While the New York Shield Act, as well as the state’s HERO Act, are designed to protect companies, employees and clients, real protection will come when businesses are fully informed about their rights and responsibilities and are ready to act,” Momot concluded.
Cyberattacks are common now. Recent reports show that hackers attack a computer in the U.S. every 39 seconds! While life is full of risks, what is important is how well prepared we are to overcome them. A well-managed business is also a well-prepared one and therefore able to confront challenges. Prevention and a plan for responding to an incident are key.
*Devi Momot, Certified Information Systems Security Professional (CISSP), Global Information Assurance Certification (GIAC), Geographic Information Systems Professional (GISP) and president/CEO of TwinState Technologies
**Deena Giltz McCullough, Certified Insurance Counselor (CIC), Certified Risk Manager (CRM) and president/CEO of Northern Insuring Agency.