The recent cyber security breach at Sony Studios should make companies think more carefully about their areas of susceptibility. The focus here is “employee data”: while this breach has reverberated through the motion picture industry, it should make the average company a bit more cautious about its employee data systems.
Sony Pictures Entertainment continues to deal with the repercussions of a data breach which affected major brands including the New York Times, The Wall Street Journal, CNBC, ABC News and the Washington Post. Information about this cyber-attack continues to develop, but as a whole, we must begin to consider what it means across all industries. Unlike other recent data breaches, i.e. Target and Home Depot, the personally identifiable information (PII) stolen was not that of consumers but of employees. When most people consider cyber risk and its associated perils, how employee data is maintained is often overlooked. This event should serve as a clear indication that we must think about cyber-related risks more thoughtfully: hackers obtained and publicly released thousands of employee PII records, including social security numbers, birth dates, emails and salaries, onto the internet for everyone to see.
It’s important to recognize that, with all the information companies store in databases, somebody will inevitably have the responsibility to protect the personal information of employees and other stakeholders. Senior leadership ultimately assumes a role of corporate and social responsibility, and as such, various stakeholder groups will likely want these people held accountable. Some, including the employees whose personal information has recently become public, might say Sony is to blame. Potential liability from a breach, not to mention some pretty disgruntled workers, may arise against both the company and the senior leadership charged with the fiduciary duty to safeguard the data. Has the company taken sufficient steps to protect against a breach and its consequences, including keeping confidential information confidential?
There are civil regulations companies must comply with, but when cyber-crimes shift from consumer credit card and other personally identifiable information (PII) to employee and other internal PII, companies face additional challenges. The added burden of compliance with HIPAA, ERISA and other regulations quickly enters the equation of how a company might be impacted. As cyber criminals loom, so does the threat to any business, small or large, and with the sophisticated methods being used and the vast potential effects on victims, there is even more to consider than perhaps anticipated even by those who think themselves cybersecurity savvy.
Imagine this happens to your business, big or small. Would you know how to respond? Would the company and its senior leaders be protected? The possibility that a cyber-attack or cybersecurity breach could lead to the ultimate demise of the company is not so far-fetched, especially when you think of reputational damage, penalties and fines, and subsequent litigation.
While insurance is a good way to protect yourself against the financial impact of a breach, insurers today have made their policies very complex and have placed sublimits on key areas such as “notification expenses”. A recent article in the November edition of CFO Magazine advocates a strong risk management approach, going through the effort to develop a strong defense against data breaches. We also advocate this approach. A well-rounded risk management strategy will include a very thoughtful review of both the internal systems and the vendors who could potentially have a portal into your network. After you have determined what that landscape is, you are ready to make an underwriting presentation to your broker or an insurer. Negotiating the terms and cost of cyber liability coverage from a position of strength is the ONLY way to approach this complex and volatile area of risk.
About the Author
Nick Sica is a Senior Analyst with The ALS Group. You can read more about Nick or contact him here. Click here to request more information about The ALS Group or managing your project risk and compliance.