Companies are increasingly at risk of their data being breached through third-party providers, and upcoming regulations will soon make corporates liable not only for data breaches within their own servers but also for those that happen through third parties.
On 27 February, Travel Trade organisation ABTA suffered a cyber attack on its website, which is being managed by a third-party web developer and hosting company.
Around 43,000 individuals were affected, but the vast majority of data compromised are email addresses, encrypted passwords and basic contact details “which are types of data at a very low exposure risk to identity theft or online fraud”, the organisation said.
Nonetheless, the breach was widely reported in the media, which named ABTA as the company suffering the breach, despite an unnamed third-party provider being the source of the attack.
As more companies are storing information on a server or through a third-party vendor, companies are at greater risk of experiencing a data loss or cyber incident on a large scale, says Sarah Stephens, head of cyber at JLT Specialty.
“The raft of additional expenses following a data breach, most notably for consumer or member notification, forensic investigation, public relations, and other crisis management expenses, highlights the need for cyber insurance. Traditional insurance products aren’t likely to respond to the potentially significant incident response costs in this case, which may extend far beyond ABTA itself,” she says.
“A critical element of cover in cyber policies is the policy responding to the insured’s costs and liability even if a vendor, such as a third-party web developer and hosting company, is the source of the security breach or technology failure. Due to incidents like this, scrutiny of third-party contractors’ cyber security systems has increased and many companies have tightened the level of required controls. In reality, these cyber-attacks will continue and we’re going to see more hacks in increasing volume and severity.”
Upcoming regulation will also increase the pressure on companies to ensure their cyber defences are in order.
The European General Data Protection Regulation (GDPR), which will apply from 25 May 2018, will make corporates liable not only for data breaches within their own servers, but also for those that happen through third parties.
According to the Rightscale 2017 State of the Cloud Report, 95% of companies are now using the cloud, but Rui Biscaia, director of product management at Watchful Software, believes businesses underestimate their cyber exposure through cloud-based providers.
“Under GDPR, companies are liable if data that has personal identifiable information falls into the wrong hands. Businesses therefore need to have some sort of control and understanding on how their data is being shared. Even if that data is encrypted, you may not be fully protected, because those third-party cloud providers may be forced to surrender that data if a governmental agency asks for it, for example. So you need to understand who is accessing your data at any given time and have ways to revoke access to that data if and when you need to.”
In order to achieve this, Biscaia says companies first need to classify their data. Only 10-15% of data has sensitive information about customers, partners or intellectual property, so only this data needs to be encrypted.
“Once you encrypt that data, you need to make sure that that third-party cloud provider does not have access to something that is known as the master key for encryption, which is the key that is able to decrypt everything. You need to ensure that that master key of encryption is not hosted or owned by anyone that is not you as a company,” he says.
“If you do these three things and have a logging capability to understand who is touching your data at any given time, which the encryption allows you to do, then you are compliant with GDPR from an IT perspective.”
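The three steps Biscaia describes (classify, encrypt only the sensitive share, keep the master key out of the provider's hands, and log every access) map onto what is usually called envelope encryption. The Go program below is an added illustration written for this article, not code from Watchful Software or any product it sells; the type and function names (Record, KeyHolder, Store, Read, Revoke) are hypothetical, AES-256-GCM from the Go standard library is an assumed choice of cipher, and the sample customer record in the usage is constructed. Each sensitive record is encrypted under its own data key; that data key is wrapped under a master key that exists only on the company side, so the provider holds ciphertext and wrapped keys but can decrypt nothing. Because unwrapping a data key is the only way to read the data, that one code path is where authorisation is checked, access is logged, and revocation takes effect.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Record is what the provider stores: ciphertext and a wrapped data key for sensitive data, never the master key.
type Record struct {
	ID         string
	Sensitive  bool   // outcome of the classification step
	Body       []byte // plaintext if not sensitive, AES-GCM ciphertext otherwise
	WrappedDEK []byte // data key encrypted under the master key; empty if not sensitive
}

// AccessEvent is one access-log entry; every decrypt attempt is recorded.
type AccessEvent struct {
	When      time.Time
	Principal string
	RecordID  string
	Allowed   bool
}

// KeyHolder (hypothetical name) is the company side: it owns the master key and decides who may decrypt.
type KeyHolder struct {
	master     []byte
	authorized map[string]bool
	Log        []AccessEvent
}

// NewKeyHolder generates a 256-bit master key locally; it is never sent anywhere.
func NewKeyHolder(authorized map[string]bool) *KeyHolder {
	return &KeyHolder{master: randBytes(32), authorized: authorized}
}

// randBytes returns n random bytes; a failing crypto/rand is not recoverable here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-GCM for a key; all keys here are 32 bytes, so failure is a bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts with AES-GCM, prepending the random nonce; open reverses it and fails on a wrong key or tampered data.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, data []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if ns := gcm.NonceSize(); len(data) >= ns {
		return gcm.Open(nil, data[:ns], data[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Store keeps non-sensitive data as-is; sensitive data gets a fresh data key, which the master key then wraps.
func (h *KeyHolder) Store(id string, sensitive bool, body []byte) Record {
	if !sensitive {
		return Record{ID: id, Body: body}
	}
	dek := randBytes(32)
	return Record{ID: id, Sensitive: true, Body: seal(dek, body), WrappedDEK: seal(h.master, dek)}
}

// Read is the only path that unwraps a data key, so every decrypt passes the authorisation check and is logged.
func (h *KeyHolder) Read(principal string, r Record) ([]byte, error) {
	if !r.Sensitive {
		return r.Body, nil
	}
	allowed := h.authorized[principal]
	h.Log = append(h.Log, AccessEvent{When: time.Now(), Principal: principal, RecordID: r.ID, Allowed: allowed})
	if !allowed {
		return nil, fmt.Errorf("%s is not authorised to read %s", principal, r.ID)
	}
	dek, err := open(h.master, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Body)
}

// Revoke withdraws access; later reads by that principal fail and are still logged.
func (h *KeyHolder) Revoke(principal string) { delete(h.authorized, principal) }
```

A second KeyHolder with a different master key cannot unwrap a data key produced by the first, which is the property the quote is after: whoever holds the provider's copy of the data, including the provider itself, gets ciphertext only. In a real deployment the master key would live in a hardware security module or a key-management service under the company's control rather than in a process variable, and the Log slice would be an append-only store outside the application.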
Article sponsored by FM Global
Strategic Risk April 2017 www.strategic-risk-global.com