cybersecurity: lock on data

Interest in cybersecurity is escalating across the insurance profession, reflecting the complex and potentially catastrophic threats that clients, particularly financial services firms, now face.

The combined power, speed and baked-in vulnerabilities of information technology (IT) have given rise to previously unimaginable but now-endemic risks to organizations.

Malicious actors can and do steal, lock or destroy confidential data, in bulk or in smaller but still-devastating caches, and then exploit the information's resale, extortion or spite value. Moreover, even accidental errors can cause confidential information to leak, with similarly costly regulatory, litigation and business fallout.

Because these risks are deep and potentially disastrous, insurance agents and brokers are increasingly tasked with counseling clients about how to contain them. Frequently, this requires dispelling clients' misconceptions about those risks and effective countermeasures.

Below we explore each of six such misconceptions that often beset organizations. Avoiding these errors is essential to fulfilling the core functions of a cybersecurity program:

(1) identifying cyber-risks;

(2) protecting critical infrastructure using appropriate safeguards;

(3) detecting incidents;

(4) responding; and

(5) recovering from them. See National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (v. 1.0) (2014) at 7-8 (NIST Framework).

1. “We don't face the same risks as [Name of Fortune 500 Victim of Massive Credit Card Hack].”

Got data? Then you have cyber risk. Yet, many organizations remain in denial about cyber exposure.

For example, a broker-dealer that serves only institutional clients may incorrectly infer from its minimal holding of personally identifiable information (PII) that it has little to worry about. That business may not require the fortress-like protections eventually adopted by large, well-known victims of identity theft (e.g., card processors or big box stores).

Even a small leak of SSNs or other PII, however, can trigger breach notification and/or remedial obligations under one or more state laws. Moreover, organizations of any size are vulnerable to an expanding array of cybercrimes, any of which can interrupt or destroy a business, including ransomware attacks, impersonation schemes to effect wire transfer frauds and theft of inside information.

Leadership needs to appreciate the severity of this new and dangerous reality. Unless and until it does, an organization is ill-prepared to develop and fulfill the core functions set forth in the NIST Framework.

2. “We can't afford new technology.”

Leadership may also recognize that an organization is at substantial risk, but mistakenly assume that lack of budget to replace existing IT means that safety cannot be improved. This assumption perpetuates a fallacy that has fostered the prevailing unsafe state of things.

Over the last four decades, layers of IT were designed and rapidly rolled out to favor connection, volume and speed. From a security perspective, this makes IT fundamentally flawed. It also means that new IT is unlikely to fix the underlying flaws because that new technology is retrofitted onto the existing, perilous structure.

In these circumstances, there are lower-cost people and process improvements, which management should emphasize. For example:

• Analyze sensitive data holdings — and cut access to them;

• Budget for security improvements, based on periodic penetration testing (a limited application of tech that is now affordable to most organizations); and

• Mandate yearly security awareness training of all managers and staff.

3. “Our IT director handles our cybersecurity.”

Over the last 40 years, it has also become commonplace to cabin IT management in a separate department or to outsource it to a vendor. As cyberattacks and accidents have surged, these arrangements put companies at increased peril.

Cybersecurity is a multidisciplinary responsibility. As a threshold matter, technical expertise in IT and in cybersecurity are not the same. IT personnel know which protocols and configurations are within expected parameters. By contrast, experts in cybersecurity know how to spot hidden intrusions and other abuse.

Controlling cyber-risk can also require other expert assistance, including privileged advice from legal counsel, and (as most breaches occur due to human error) advice on corporate controls. Effective cybersecurity depends as well on an internal incident response team that complements IT professionals with a cross-section of troubleshooters from across the organization. That cross-section should include compliance and risk management and also have input from ordinary employees who understand (sometimes better than anyone else) the particular risky ways that users perform that organization's work.

With insights honed in realistic drills, that multidisciplinary team can develop the shared knowledge and collaborative process with which to navigate:

• The spectrum of regulatory and litigation concerns that arise in an actual or suspected breach,

• The identification and retention of outside legal counsel and other experts,

• Cyberliability insurance, including negotiation of coverage and issuing timely claims notice,

• Internal crisis communications, including briefing board and senior management and obtaining their approval, and

• External communications, including addressing public or stakeholder concerns before and once a breach determination is made.

4. “We already have a detailed manual.”

In response to frequent headlines about data breaches, some financial service companies and other similarly-situated businesses transpose earlier solutions to longstanding compliance regulations (e.g., the FCPA, AML laws, SEC and FINRA rules): they adopt cybersecurity manuals. While something is usually better than nothing, manuals can foster a false sense of security if they come directly and untailored from stock templates, whether supplied by legal counsel, a company's outside IT provider or, worse still, pulled straight off the internet.

Unless the organization thereafter applies findings about its specific risks to customize the manual, it is ill-suited to contain those risks. Moreover, in the midst of a suspected or actual breach, any manual (even a truly risk-based one) is, for reasons discussed above, cold comfort unless complemented with rigorous drills to test and refine the company's incident response plan.

5. “We'll need to change our approach if the SEC tightens cybersecurity rules.”

Such a change is already an imperative. The SEC has for several years been tightening requirements and appears likely to tighten up still more.

Most recently, on February 21, 2018, the SEC issued its (unanimous) “Commission Statement and Guidance on Public Company Cybersecurity Disclosures.” Though cast as “reinforcing and expanding” a 2011 staff advisory, the new Guidance marks a new and demanding era, aimed at avoiding a recurrence of recent debacles at Yahoo, Equifax and elsewhere.

Henceforth, public companies will need to file much more detailed public disclosures before, during and after actual and suspected security breaches and, concomitantly, to devote more resources to efforts to prevent such risks from ever unfolding. For example, the new Guidance emphasizes that companies must in periodic filings “provide timely and ongoing information” about “material cybersecurity risks and incidents,” may need to revise prior disclosures in light of new findings, and need to evaluate continually whether their controls suffice to warn leadership in a timely manner.

Moreover, even before the Commission's recent raising of standards for public companies, the SEC staff increased its oversight of registered broker/dealers and investment advisers (BDs & IAs). Increasingly since 2014, the staff has leveraged the business continuity provisions of Regulation S-P (adopted 2004), the “red-flag” identity theft requirements of Regulation S-ID (adopted 2013) and the agency's plenary examination powers to import the criteria of the NIST Framework and prod cybersecurity upgrades at BDs & IAs.

As stated and applied by the Office of Compliance Inspections and Examinations (OCIE) in Risk Alerts, “sweep” testing and in document requests and deficiency letters, the criteria used by the staff are often lifted verbatim from that Framework. As such, the SEC now contemplates that regulated entities will engage in periodic and detailed risk assessments, document existing controls and incidents, and prepare written plans for improvement.

For larger BDs & IAs, these requirements are already standard and therefore no surprise. For small and mid-sized firms, however, the increased requirements are sometimes a slow-moving shock, revealed when OCIE makes its next examination visit.

6. “We're not regulated by NYDFS, so its cyber regulations don't matter.”

Last year, the New York State Department of Financial Services (NYDFS) promulgated the most sweeping cybersecurity regulations ever issued in the United States. Over a two-year phase-in ending March 2019, entities licensed by NYDFS are required to conduct an intensive risk assessment, implement a cybersecurity program and policies, and adopt specified mandatory security approaches, such as vulnerability and penetration testing and encryption.

Moreover, NYDFS set an unprecedented 72-hour deadline for notifying the agency of cybersecurity events (currently, no other state specifies fewer than 30 days' notice). While it is possible that other jurisdictions will refrain from reaching as far as New York has, future restraint should not be assumed.

Dismay over the Equifax data breach recently prompted NYDFS to propose to expand its cybersecurity regulations to govern the major credit bureaus. The public's continuing deep concern over data breaches nationally could well result in other states mandating compliance with the NIST Framework, if not necessarily in as much granular detail as NYDFS has in New York.

Jed Davis ([email protected]) is a partner in the New York office of Day Pitney and the co-head of its cybersecurity practice. He is a former federal cybercrimes prosecutor and also previously worked as a managing director at a global investigations firm.

© 2024 ALM Global, LLC, All Rights Reserved.