INVESTMENT INDUSTRY INSIGHTS |
Attendees of the cybersecurity discussion at RSM's Sixth Annual Investment Industry Summit in New York City learned about how to respond to breaches of computer security and prevention measures to avoid theft of data.
Alan Alzfan, a RSM partner, led a discussion that included examples from headline-grabbing incidents of data breaches at major retail chains and financial institutions. To avoid ending up in the newspaper, the panelists recommended that companies develop a data breach plan that includes technical, legal and risk management expertise.
"Too often, we see situations where there has been failure to plan," said Andy Obuchowski Jr., a director of security and privacy consulting at RSM. "Companies will call for help long after the breach has occurred, allowing evidence to get lost or compromised.
Cybersecurity is not only about preventing threats from outside an organization, but also from insiders who may be overlooked," he said.
"You'll often hear about hackers from Romania, Russia and other parts of Eastern Europe, but one of the biggest risks comes from employees," he said. "Companies need to establish procedures for limiting access to sensitive data and training employees on computer security procedures," Obuchowski added.
If a data breach does occur, Angelo A. Stio III, a partner at law firm Pepper Hamilton, recommended notifying key people about the incident to better understand potential legal and financial consequences. He noted that while many states require the reporting of data breaches to authorities, a company needs to reach out to its insurance provider early in the process of responding to a breach.
"Having the proper coverages in place will help you be prepared for many of the costs of potential litigation," Stio said. These costs can vary depending on the nature of a lawsuit. Courts have generally been favorable to data breachers in individual claims of damages, such as emotional distress. "We're seeing a lot of those cases getting dismissed," he said.
A bigger threat comes from class-action lawsuits, in which an aggrieved group of individuals accuse a breacher of committing consumer fraud by not maintaining proper data security standards, Stio said. The plaintiffs will also sue a company's board of directors for not ensuring that management implemented proper data security controls.
He recommended that companies use encryption methods to protect data, and if possible, to stay away from collecting information, such as Social Security numbers.
"We see many cases where collecting that kind of data really isn't necessary, it's just that the company is following a long-established practice," he said.
Getting a handle on the risks and potential costs of a data breach requires the expertise of an insurance company, said Dan McGrath, managing director of Maloy Risk Services.
"We recommended timely reporting of a data breach to the insurance carrier," McGrath said. The costs of dealing with a data breach can quickly add up, not only in legal costs, but also in loss of business reputation. Public relations and crisis management expertise may be needed in that case.
RSM's Obuchowski recommended notifying authorities of a breach as soon as possible, especially if a customer is aware of the incident.
"You don't want a situation where your client or customer is notifying the regulator before you do," he said. "And you also want to be careful about any public comments about how the data breach occurred. You don't want to draw a road map for others to follow."
For further information, please contact Andy Obuchowski, Jr., director, RSM US LLP, 617.241.1219.