Category Archives: Risk Management


What You Can Do to Reduce the Cost of a Data Breach

As we note in our Cyber Security services, according to the 2017 Ponemon Institute study, the average cost of a data breach in the U.S. was $7.3M, or $225 per compromised record, in 2016.  The chart below, cited as Figure 7 in the Ponemon study, illustrates the impact of 20 factors on the per capita (per record) cost of a data breach.


Ponemon U.S. Data Breach Cost Factors

Clearly, there are many steps organizations can take to reduce the average cost of a data breach.  For example, having an incident response team in place could reduce the per capita cost from $225 to $199.  Extensive use of encryption, employee training, and business continuity management involvement also significantly reduce breach costs.  With respect to insurance protection, it will be interesting to see how the current cost reduction of $9.90 per compromised record changes as the cyber insurance market continues to evolve.  According to A.M. Best, the cyber insurance market topped $1 billion in 2016, with more insurers moving to standalone policies.  By separating cyber risk from commercial, business interruption, and D&O coverage, carriers will be better able to target and implement exclusionary language.  We believe this will increase insureds' demand for forensic accounting services to clearly categorize, quantify and validate cyber losses that meet coverage criteria.

On the other end of the spectrum, third-party involvement (customers, suppliers, and other stakeholders in the value chain) represents the largest increase in per capita cost.  This is a perennial problem, as organizations struggle with how to most effectively deal with the inherent risk posed by smaller and less sophisticated partners.  The Target breach, in which attackers entered through a third-party vendor, is a good example of this issue.  There is only so much organizations can do to inoculate themselves against risks posed by smaller members of their value chain.  While they can issue directives and impose stricter security requirements on smaller partners, organizations are not in the business of being cyber security consultants.  On the vendor side, supplier diversity programs, as they apply to small business, may take a back seat to security considerations, even at the expense of moving to larger vendors who charge more for their products and services.

Compliance failures, too, continue to be a major thorn in the side of organizations, and data breach costs are just one more manifestation.  Compliance systems only work when we humans obey the rules of engagement with those systems.  Did you know that six months before its mega breach, Target installed a $1.6 million malware detection system that worked exactly as planned when intruders began stealing PII?  However, the company's security staff ignored the automatic warnings from the system (Fraud Magazine, November/December 2015).  A detection control that nobody acts on provides no more protection than no control at all.


To Fraudsters, Your LinkedIn Profile IS a Consumer Report

An interesting post in Corporate describes a dismissed lawsuit plaintiffs brought against LinkedIn.  Plaintiffs claimed LinkedIn's search function allowed potential employers to see past jobs and references, and in plaintiffs' case, discover information that reflected negatively on them.  The suit was thrown out, as the judge ruled that LinkedIn serves only as an information gathering service, and is not akin to a consumer report under the Fair Credit Reporting Act, as claimed by the plaintiffs.

I'll leave it to the attorneys to comment on this ruling, one way or the other.  What interests me is that while the courts (at least so far) don't deem LinkedIn to be a "consumer report", identity thieves certainly do, and will continue to do so as long as LinkedIn members continue to post certain personal information.  Birthdays, for example, provide fraudsters with one more piece of personally identifiable information (PII) that, in combination with others, can be used to steal one's identity.  Posting a birthdate, even if only the month and the day, might seem innocuous enough.  After all, it does give your network another way to engage with you.  But if your profile lists your dates of employment (if not when you graduated), identity thieves will do the math and estimate the year you were born, and the month and day you posted complete the date of birth.

Fraudsters have several options once they have all of the information they need: they could sell your information to other identity thieves; open credit cards in your name or access your bank accounts; or socially engineer their way into your company or organization for a mother lode of sensitive corporate and consumer information (e.g., IP, trade secrets, customer account information, etc.).

So far, we're only talking about personal information on LinkedIn, one of the most professional social networking sites out there.  What information are you divulging on Facebook?  Instagram?  Twitter?  Snapchat?  We all have information out there on the web.  My hope is that this will provide an impetus to review your LinkedIn profile and your other social network accounts to help reduce your risk of identity theft.


A Successful Response to FCPA Violations

This is an excellent example of how the combination of an anonymous tip line and proactive management minimized the financial impact of FCPA violations.  However, one has to wonder whether these FCPA violations could have been uncovered during due diligence procedures, even if these subsidiaries were merely part of a larger target that was acquired.  Identifying and testing accounts with inherent FCPA risk (freight and other high-volume accounts, and promotional product and other sales and marketing accounts) might have caught this sooner.
