Introduction

Business leaders are realizing that non-compliance with constantly evolving international data protection laws, cyber-attacks and security (hacking) incidents can paralyze an organization, leading to significant financial losses, regulatory fines and lasting reputational damage.

Cyberbloc is a risk management program developed by ARM Group together with a bloc of leading global cyber security experts that helps companies manage and mitigate today’s cyber and privacy liability threats. Our team includes some of the world’s most respected IT, legal and insurance experts, who identify and assess cyber and privacy liability risks and then implement risk treatment solutions tailored to the organization in question.

 

How does it work?

Cyberbloc is a 3-stage approach to effectively manage privacy liability and cyber risks.
  • Risk Assessment
  • Incident Response Strategy
  • Insurance Solutions

Risk Assessment

The Cyberbloc program begins with an in-depth risk analysis to identify and quantify the potential damages from a cyber-attack, or the privacy liability arising from a data breach or security incident.
    Assess

    Identify key risks associated with the organization’s incident preparedness, private information management protocols, and third-party data security protocols (e.g. sub-contractors). Evaluate and test the existing Incident Response Plan (IRP).

    Compliance

    Uncover compliance vulnerabilities and provide assistance related to industry-specific compliance requirements with respect to information security. This includes USA, EU, and other global privacy-related laws and regulations regarding the collection, use and disclosure of data.

    Quantify

    Quantify the financial impact of the identified key cyber risks and compliance vulnerabilities, and select the most appropriate risk treatment strategy for each (avoidance, reduction, contractual or insurance transfer, or informed acceptance).

    Evaluation

    Provide a comprehensive Due Diligence and Evaluation report of the recommended best practices implemented, including an updated IRP that allows for immediate reaction in the event of a data breach or security incident.

Incident Response Strategy

Every business should have a written incident response plan as part of its information security policy.

    Response Team

    • Assemble and triage the internal and external incident response team
    • Generate initial awareness and full team participation
    • Direct legal, IT, forensics, communications, human resources, public relations
    • Coordinate timing of internal and external communications
    • Review protocols to be followed
    • Assess priorities and risks

    Containment

    • Security Incident Containment & Analysis.
    • Stem the damage; secure the premises and network; preserve evidence; place litigation hold as warranted
    • Identify the source of the attack and impacted information
    • Conduct necessary interviews
    • Document known information and analysis

    Compliance

    • Ensure regulatory compliance is maintained throughout the response
    • Evaluate breach notification obligations, response options and determination of response
    • Evaluate coordination and communicate with law enforcement

    Communication

    • Internal and external communication
    • Implement internal communications strategy within breach team, executive team/board of directors and managers/employees
    • Evaluate, coordinate and communicate externally with:
      • Impacted customers
      • Impacted business partners
      • Press
      • Financial statements

    Remediation

    • Evaluate breach notification obligations, response options and determination of response
    • Evaluate coordination and communicate with law enforcement
    • Evaluate insurance notification protocols

Insurance Solutions

The Cyberbloc insurance program addresses the impacts that can result from a data breach or cyber security incident, whether malicious or accidental. The coverage can be tailored to the specific exposure elements of the risk.
    Third Party Claims

    Includes any expenses resulting from a lawsuit filed by a third party, including claims arising from security failure, failure to protect data, privacy breach, the failure to disclose a security failure or privacy breach.

    Direct First Party Claims

    Includes any expenses resulting from a security incident that do not require a lawsuit, such as:

    • costs associated with responding to a breach
    • forensic costs to confirm and identify the breach
    • costs to notify affected individuals
    • regulatory fines and penalties, to the extent they are insurable under applicable law
    • credit protection services including costs to staff a call center for redemption of monitoring offers
    • crisis management and public relations costs related to managing and mitigating a security breach incident
    Business Interruption

    Covers financial loss, such as lost business income, when a company’s network-dependent revenue is interrupted. Traditionally, business interruption (BI) cover has responded to fire, flood and similar perils, but dependence on technology has created new BI perils: malware, technology failures, programming errors and computer hacking.

    Extortion Threats

    Covers the response costs and financial payments associated with network-based ransom demands. With the proliferation of ransomware such as CryptoLocker and of pseudonymous cryptocurrencies such as Bitcoin, which make payments hard to trace, network extortion demands are on the rise. In the digital world, intangible assets are ‘kidnapped’ and extorted with threats to shut down a system or divulge sensitive or proprietary information.

    Intellectual Property Infringement

    Costs to defend and resolve liability claims related to copyright infringement, trademark infringement, defamation, plagiarism and invasion of privacy.

Compliance

The past few years have seen significant developments in data protection, including more aggressive enforcement by regulators affecting both small and large businesses around the world.

New Regulations and Fines

In application since 25 May 2018, the EU General Data Protection Regulation (GDPR) is the biggest shake-up of data protection law in decades. It places major emphasis on enforcement, with administrative fines of up to 20 million euros or 4% of an organization’s total worldwide annual turnover, whichever is higher.

Global Reach

The GDPR applies to any business established in the EU, and to any business outside the EU that offers goods or services to individuals in the EU or monitors their behaviour. Personal data within its scope must be processed in line with the GDPR regardless of whether the processing takes place in the EU or not.

For example, a Caribbean-based company that handles the personal data of individuals in the EU can be investigated and fined by an EU supervisory authority. Regulators around the world are increasingly adopting GDPR-style rules.

Reporting Data Breaches

The biggest change to the data protection landscape is mandatory breach reporting: a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, no later than 72 hours after the organization becomes aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals. This puts huge pressure on organizations and increases the likelihood of regulatory action; failure to notify can itself result in hefty fines.

Where the breach is likely to result in a high risk to the affected individuals (the data subjects), it must also be communicated to them without undue delay (Article 34). There is no fixed 72-hour clock for this communication, and it is not required where the data was rendered unintelligible to unauthorized parties, for example by strong encryption whose keys were not compromised.

If an employee loses an unencrypted laptop holding customer records, the organization must notify the regulator within 72 hours of becoming aware of the loss and inform the affected customers without undue delay. The legal consequences, brand damage, litigation and media reporting could be significant.

How We Can Help

Getting ready for the GDPR boils down to three steps:

1. Discovery
Understand and identify your compliance gaps by reviewing existing processes.

2. Plan
Plan your remedial activities in the event of a data breach. With at most 72 hours to report a breach to the regulator, you should have clear, rehearsed processes in place, including who decides whether a breach is reportable.

3. Execute
Implement the changes needed to ensure compliance. Good governance and transparency should be built into every process. A large share of data breaches stems from employee error, so educating all employees and raising their awareness is paramount.

The Cyberbloc team can guide you through this process by providing a manageable outline of GDPR compliance tasks and assist you in the revision and updates to policies and processes impacted by GDPR compliance.

 

Why Cyberbloc?

  • IT Specialist Knowledge

  • Legal & Compliance Expertise

  • Insurance Coverage Expertise

  • 24/7 Security Response Hotline

FAQ

These are the types of risk related to Personally Identifiable Information (PII) under an organization’s custody being accessed and/or exposed without authorization of the information’s owner(s), which can then have various devastating consequences for both the information’s owner(s) and the organization in question.

In simple terms, PII is any information that can be used to identify an individual, on its own or in combination with other data, and it typically falls under some form of regulatory or contractual protection (e.g. the EU’s GDPR, which uses the broader term ‘personal data’, US state breach-notification laws, or, for payment card data, the PCI DSS industry standard). Examples of PII include driver’s license numbers, bank account details, online account user names and passwords, employee records, and medical and health information.

Access to personal and confidential information can be easily monetized, whether it’s stealing confidential information to sell on the black market, or using the breached/stolen information to blackmail the targets into releasing large ransom payments.

Regardless of size or geographical location, all organizations are susceptible to both internal and external threats if they:

  • use mobile technology (smartphones, tablets, laptops, PCs)
  • have employees (internal employees are responsible for 43% of data loss)
  • engage external partners, contractors or vendors
  • accept credit cards or other online forms of payment
  • store confidential customer, partner, employee or other digital information.

To protect PII, an ever-increasing number of complex international legal requirements are being placed on businesses, both to adequately secure the PII under their control and to bear the costs of responding to a data security incident (breach). The overwhelming costs and the confusing array of international legislative requirements can make it difficult for organizations to overcome the fallout of a data breach without specialized assistance.

1. Because the exposure is truly global, without geographical boundaries. Individuals are protected by the data protection rules of the jurisdiction in which they live, and organizations are bound both by the rules of the jurisdiction in which they are incorporated and by those protecting the people whose data they process. If an organization has clients in the USA and the EU, in the event of a data security incident it will be subject to the applicable data protection rules of both.

2. Some regulations, unlike an EU directive, do not require national governments to pass any enabling legislation and are therefore directly binding and applicable (e.g. the EU’s GDPR).

3. Failure to comply with the GDPR, in application since 25 May 2018, can result in fines of up to 20 million euros or 4% of the organization’s total worldwide annual turnover, whichever is higher.

  • First party: costs associated with responding to an incident, such as forensic costs to confirm and identify the breach, costs to notify affected individuals, crisis management and public relations costs, lost business income, costs to recreate or repair damaged or destroyed data, systems or programs, and extortion (ransomware) payments.
  • Third party: costs to defend and resolve third-party claims and regulatory obligations arising from the handling of PII, including alleged negligence, violation of privacy or consumer protection laws, breach of contract, and regulatory investigations and fines.

Trusted Partners

Dykema is distinguished by their cost-effective and collaborative partnerships with their clients. Focused on delivering outstanding results they strive, at every level, to develop relationships with their clients built on trust and mutual respect. Unparalleled client service is at the heart of their approach to the practice of law. That focus has been a cornerstone of their success for the past 85 years. They serve clients around the world from their 13 strategically situated offices throughout the United States, and through their membership in the World Services Group.

Dykema’s Privacy and Data Security Practice provides a full suite of services to manage the entire life cycle of a company’s data from its creation to ultimate deletion. Dykema recognizes that privacy and data security concerns will vary greatly by industry due to industry-specific regulation and activity. To address these concerns, Dykema’s Privacy and Data Security Practice is organized by industry group specialty, including world class attorneys with deep experience in those areas.

www.dykema.com

KPMG Dutch Caribbean and Surinam is one of the region’s leading cyber security specialist firms. Through its global network of business-savvy cyber security member firm professionals, it understands that businesses cannot be held back by cyber risk. KPMG professionals recognize that cyber security is about risk management – not risk elimination.

Working shoulder-to-shoulder with their clients, KPMG member firm professionals help them work through strategy and governance, organizational transformation, cyber defense and cyber response. From penetration testing and privacy strategy to access management and cultural change, KPMG member firms help their clients every step of the way.

www.kpmg.com/dutchcaribbean

 

LIU is a division of Liberty Mutual Insurance, a diversified insurer with operations in 30 countries around the world. In business since 1912, and headquartered in Boston, Mass., Liberty Mutual is a Fortune 100 company and the fifth largest property and casualty insurer in the U.S.A.

LIU’s Cyber division insurance solutions can help provide responsive guidance during your most critical times. LIU brings together some of the world’s top cybersecurity, law, and technology firms to help prevent and protect against sensitive data breaches, computer hacking, employee error, and much more. From industry leading loss prevention tools to data-breach resolution, they are there with you when it matters most.

www.libertymutual.com

 

Atlas Risk Solutions (ARS) is a boutique provider of risk management and insurance advisory services exclusively focused on mid- and large commercial risks. ARS specializes in the innovation, creation and management of risk transfer and insurance solutions designed to produce a balanced and cost-effective approach to risk that delivers sustainable advantages. Founded in 1991, the company has a local presence in Curaçao, Aruba, Bonaire, and St. Maarten, with around a dozen experienced and talented professionals who help their clients stabilize and reduce the cost of risk over time.

www.atlasrisksolutions.com

Contact us

If you're interested in further information on our products and services, or if you have general enquiries, please contact us.