The Ponemon 2016 Cost of Breach Study underscores the need for companies to take all necessary measures to combat the scourge of data breaches.
These include the establishment of a chief information security officer, appropriate data loss prevention controls, encryption where necessary and a robust cyber insurance program. The study found that “Incident response plans and teams in place, extensive use of encryption, employee training, Business Continuity Management involvement or extensive use of Data Loss Prevention reduced the cost of data breach.”
The study confirms the resiliency of the hacking plague, and offers no hope that it will cease, or even diminish, in the foreseeable future. In the 11 years that Ponemon has conducted its study, the cost of a data breach has not fluctuated significantly. In 2016, the overall cost of a data breach was about $7 million, and the cost of each single lost record was $221, which are both slight increases from the previous year. The Ponemon Study only included “average” breaches; breaches in excess of 100,000 records were not used in the study. (The average number of breached records in incidents used in the Ponemon Study was 29,611.)
The threat of data breach and other computer crimes is constantly evolving. “Phishing,” by which an outsider passes itself off as a customer or financial institution and causes the transfer of funds to a false account, is rife. Ransomware and cyber extortion, in which the attacker freezes a company’s data until it’s paid off, have become major threats. No one knows what tomorrow may bring.
Impact of the Internet of Things
This may be the year in which the Internet of Things will create major vulnerabilities in our networks. These connected devices are created to share information that’s not necessarily secure, and they’re not designed to protect the data they collect. Gartner Research expects there to be more than 20 billion such devices by 2020.
The conclusion of 2016 saw two developments that underscored the growing importance of the Internet of Things. An employee at a Vermont utility checked his Yahoo account on his work laptop, which was connected to the utility’s network; this raised a red flag because the computer had connected to an IP address associated with the hack on the Democratic Party. The good news is that, thus far, there is no sign that the hackers were able to access the nation’s power grid. Nonetheless, top political figures as well as businesses fear that in 2017 malware will be used to affect critical infrastructure, such as the power grid, water supply, energy, nuclear reactors and the communication sector.
The U.S. Food and Drug Administration (FDA) issued a formal advisory warning that medical devices such as pacemakers, defibrillators and insulin pumps are easily hackable. Pacemakers first came under scrutiny in August 2016 when a batch of them ran out of battery three months earlier than expected. “If exploited, the vulnerability could result in permanent impairment, a life-threatening injury, or death,” according to the FDA.
Robert D. Chesler, a shareholder in Anderson Kill’s Newark office, represents policyholders in a broad variety of coverage claims against their insurers and advises companies with respect to their insurance programs. Chesler is also a member of Anderson Kill's Cyber Insurance Recovery group. He can be reached at 973-642-5864.
Marc D. Schein, CIC, CLCS, a risk management consultant for Marsh & McLennan Agency, assists clients by customizing comprehensive commercial insurance programs that minimize or eliminate the burden of financial loss through cost-effective transfer of risk. He can be reached at 516-395-8504.