ERM | Risk Assessment Phase One: Risk Identification
Risk Identification is the first of three phases that make up a Risk Assessment.
The ALS Group
February 10, 2017
We manage more than a quarter billion dollars of premiums for a diverse range of clients around the globe.
Risk Identification is the first of three phases that make up a Risk Assessment.
Most companies today opt to distribute their employees’ W-2 tax forms electronically; either through email or some type of download service. Because these forms contain a good deal of Personally Identifiable Information (“PII”), such as name, address, social security number and salary information – cyber thieves are using several simple, yet, tried-and-true methods to fraudulently obtain them.
In our previous posts in this series, we introduced Enterprise Risk Management (ERM) as a “portfolio view” of risk and discussed various aspects of implementing ERM: roles, culture, a framework and preparing your organization. Now, we’ll begin looking at the “big picture” viewpoint of risk, starting with identifying and prioritizing risks. In the ERM process, management (1) determines acceptable levels of risk, (2) identifies and measures risks throughout the entire organization and aggregates the results, and (3) determines if the aggregated results exceed the acceptable levels. Risk Appetite and Risk Tolerance are the expressions of the “acceptable levels” of risk.
Organizations today must regard cyber breaches not as a possibility, but as an inevitable fact of life. In this environment, it’s crucial to have a cyber liability insurance policy that adequately covers the potential loss and offers payment or reimbursement for response costs. Understanding what’s covered by the policy well before a breach occurs and building that knowledge into your company’s incident response plan is critical.
When the front lines of IT security fail and a cyber breach occurs, businesses often rely on insurance to reduce the often extreme financial impact associated with the breach. Policies are usually written to ensure that the insured recovers extra expenses incurred and are covered for fines and penalties placed on the company by regulatory agencies.
Traditionally, a cyber breach occurs and otherwise private information is stolen or made public resulting in costs such as notification expenses, IT forensics, data recovery, public relations/crisis management, legal defense, business interruption, brand/reputation damage and regulatory fines and penalties; just to name a few. However, the breadth of cyber-attacks has proven to be ever expanding. Now, breaches resulting in physical property damage are being reported more regularly which leads to the immediate question, “am I covered for such an event?
The year 2016 is turning out to be a record one for data breaches, and cybercrime won’t be slowing down any time soon. According to global digital security firm Gemalto, nearly five billion private records have been exposed globally since 2013. Data breaches were up 15% in the first half of 2016 compared to the prior six months.
