Cyber Security - SEC Risk Alert Cites New Focus on Cyber-Security Preparedness

Apr 30, 2014 4:24:49 PM

loudagostino

Annualized cyber crime costs in the U.S. were up 26% in 2013, increasing to $11.6 million per year per organization from $8.9 million in 2012. While malicious code and denial-of-service attacks lead the way when it comes to the type of attack, viruses, worms, trojans, phishing, stolen devices, malware and botnets have a bigger impact on small to mid-size organizations. The Financial Services sector ranked third, behind Defense (1) and Energy & Utilities (2), in average annualized cost per industry. The preceding 4-year average was $16.8 million, but in 2013 the average annualized cost for the Financial Services sector was up to $23.6 million. [1]

On April 15th, the SEC issued a Risk Alert stating that the 2014 examination priorities of its Office of Compliance Inspections and Examinations (OCIE) will include a focus on technology, including cybersecurity preparedness. Moreover, on March 26, 2014, the SEC sponsored a Cybersecurity Roundtable at which Chairman Mary Jo White underscored the importance of this area to the integrity of our market system and customer data protection.

The SEC has issued guidance on what the OCIE may ask for as part of its new focus on cyber preparedness:

  • Whether or not the organization has a written IT Security Policy;
  • Whether the firm conducts periodic risk assessments and, if so, who conducts them;
  • Who in the firm is specifically responsible for such oversight;
  • Whether the firm's business continuity planning addresses cyber security incidents;
  • Whether or not the firm maintains insurance to address cyber incidents and, if so, the details of that coverage. [2]

The bulk of the SEC's guidance comes from a February 2014 study from the National Institute of Standards and Technology entitled "Framework for Improving Critical Infrastructure Cybersecurity".

The study identifies five Framework Core Functions which are to be performed in order to create an operational culture that addresses cyber risk:

  • Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data & capabilities;
  • Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;
  • Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event;
  • Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event;
  • Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. [3]

While the above-referenced functions are critical to addressing operational cybersecurity risk, the company should also seek the proper insurance protection in order to mitigate any potential damages and impact arising out of a cyber breach. To learn more about what is covered under a Cybersecurity Insurance Policy, download our recent coverage overview.

Download: http://ironcoveins.com/wp-content/uploads/2014/04/Cyber-Presentation-Hedge-Funds-4.30.14.pdf

Footnotes

1. 2013 Ponemon Cost of Cyber Crime Study: United States

2. National Exam Program Risk Alert

3. National Institute of Standards & Technology

Tags: Hedge Funds, Insurance, insurance, alert, Iron Cove Posts, cyber, Cyber & Privacy Liability, data, guidance, incidents, IT, Mary Jo White, prepared, preparedness, Risk, SEC, security
