Irrespective of a company’s size, a successful cyber attack can have significant financial and reputational consequences. Organizations are waking up to the realities of a data breach and are attempting to better understand their vulnerabilities and how they can mitigate their risks, and thus are investing additional resources into their cyber defenses. Part of this process is arranging cyber insurance coverage and coordinating data breach response plans, which can help companies recover in the event of a breach. It is important to note, however, that such arrangements should complement, not replace, a company’s cyber security provisions. Financier Worldwide's Annual Cyber Security and Risk Management Review interviewed Joseph Campbell for insights on cyber security and risk management as they pertain to the U.S.
In your opinion, what are the major cyber threats to which today’s companies are vulnerable? Could you comment on any recent high-profile cyber attacks in your region?
Campbell: Information security breaches have significant consequences for businesses. Major cyber threats include ransomware, spear-phishing, business email compromise, malware, and insider malfeasance. While no business is immune to cyber threats, industries that are often affected include public works and infrastructure, energy, healthcare, and financial services. In 2015, the U.S. Office of Personnel Management experienced a cyber penetration that impacted over 21 million people and exposed a serious counterintelligence vulnerability for the U.S. government. Other noteworthy data breaches affecting hundreds of millions of consumers have hit Marriott Starwood Hotels, where sensitive passport information was compromised, as well as Quora, Google, Anthem, and T-Mobile.
To what extent have cyber security and data privacy regulations changed in your region? How is this affecting the way companies manage and maintain compliance?
Campbell: The Financial Crimes Enforcement Network provided guidance concerning cyber security relative to "Suspicious Activity Report" requirements under the Bank Secrecy Act, and the New York State Department of Financial Services issued cyber security regulations for covered entities. With increased regulation and reporting requirements, companies are developing a culture of data compliance with policies and procedures, and company-wide training for compliance with new laws, such as the breach notification laws that now exist in all 50 states. At least 35 states have also enacted data disposal laws, and California is the first state to pass a specific consumer privacy law. Others are considering similar legislation.
What are your predictions for cyber crime and data security in your region over the coming years?
Campbell: Maintaining the privacy and security of data continues to be a challenge for companies balancing the use of personal information for productive business processes with protecting customers and complying with privacy-related laws. To avoid problems down the road, companies should educate themselves on applicable data security and privacy laws, and develop underlying data and cyber security governance and strategy. This should be a company-wide effort, and organizations should be sure they have the right team in place, assign clear roles and responsibilities, conduct training, and move quickly in the implementation of their data security and privacy plans.