Loader icon
Introduction

Introduction

Business leaders are realizing that non-compliance with daily evolving international data protection requirements/laws, cyber-attacks, and security (hacking) incidents can paralyze an organization leading to significant financial losses, regulatory fines, and lasting reputational damage.

Cyberbloc is a risk management program developed by ARM Group and a bloc of leading global cyber security experts that help companies manage and mitigate today’s cyber and privacy liability threats. Our team includes some of the world’s most respected IT, legal and insurance experts who can identify and assess cyber & privacy liability risks, and subsequently implement appropriate risk treatment solutions specifically tailored to the organization in question.

 

How does it work?

Cyberbloc is a 3-stage approach to effectively manage privacy liability and cyber risks.
  • Risk Assessment

    Risk Assessment

  • Incident Response Strategy

    Incident Response Strategy

  • Insurance Solutions

    Insurance Solutions

Risk Assessment

Risk Assessment

The cyberbloc program begins with an in-depth risk analysis to identify and quantify the damages from a cyber-attack or privacy liability due to a data breach or security incident.
  • <p>Identify key risks associated with the organization&rsquo;s incident preparedness, private information management protocols, and 3rd party data security protocols (i.e. sub-contractors). Evaluate and test existing Incident Response Plan (IRP).</p>

    Assess

    Identify key risks associated with the organization’s incident preparedness, private information management protocols, and 3rd party data security protocols (i.e. sub-contractors). Evaluate and test existing Incident Response Plan (IRP).

  • <p>Uncover compliance vulnerabilities and provide assistance related to industry-specific compliance requirements with respect to information security. This includes USA, EU, and other global privacy-related laws and regulations regarding the collection, use and disclosure of data.</p>

    Compliance

    Uncover compliance vulnerabilities and provide assistance related to industry-specific compliance requirements with respect to information security. This includes USA, EU, and other global privacy-related laws and regulations regarding the collection, use and disclosure of data.

  • <p>Quantify the financial impact from identified key cyber risks and compliance vulnerabilities, and select best risk treatment strategy (contractual transfer, mitigation, reduction).</p>

    Quantify

    Quantify the financial impact from identified key cyber risks and compliance vulnerabilities, and select best risk treatment strategy (contractual transfer, mitigation, reduction).

  • <p>Provide a comprehensive Due Diligence and Evaluation report of optimal best practices implemented, including updated IRP allowing for immediate reaction in the event of a data breach or security incident.</p>

    Evaluation

    Provide a comprehensive Due Diligence and Evaluation report of optimal best practices implemented, including updated IRP allowing for immediate reaction in the event of a data breach or security incident.

Incident Response Strategy

Incident Response Strategy

Every business should have a written incident response plan as part of its information security policy.
  • <ul> <li>Triage internal and external incident response team</li> <li>Generate initial awareness and full team participation</li> <li>Direct legal, IT, forensics, communications, human resources, public relations</li> <li>Coordinate timing of internal and external communications</li> <li>Review protocols to be followed</li> <li>Assess priorities and risks</li> </ul>

    Response Team

    • Triage internal and external incident response team
    • Generate initial awareness and full team participation
    • Direct legal, IT, forensics, communications, human resources, public relations
    • Coordinate timing of internal and external communications
    • Review protocols to be followed
    • Assess priorities and risks
  • <ul> <li>Security Incident Containment &amp; Analysis.</li> <li>Stem the damage; secure the premises and network; preserve evidence; place litigation hold as warranted</li> <li>Identify the source of the attack and impacted information</li> <li>Conduct necessary interviews</li> <li>Document known information and analysis</li> </ul>

    Containment

    • Security Incident Containment & Analysis.
    • Stem the damage; secure the premises and network; preserve evidence; place litigation hold as warranted
    • Identify the source of the attack and impacted information
    • Conduct necessary interviews
    • Document known information and analysis
  • <ul> <li>Ensure the regulatory compliance is maintained</li> <li>Evaluate breach notification obligations, response options and determination of response</li> <li>Evaluate coordination and communicate with law enforcement</li> </ul>

    Compliance

    • Ensure the regulatory compliance is maintained
    • Evaluate breach notification obligations, response options and determination of response
    • Evaluate coordination and communicate with law enforcement
  • <ul> <li>Internal and external communication</li> <li>Implement <strong><em>internal</em></strong> communications strategy within breach team, executive team/board of directors and managers/employees</li> <li>Evaluate, coordinate and communicate <strong><em>externally</em></strong> with: <ul> <li>Impacted customers</li> <li>Impacted business partners</li> <li>Press</li> <li>Financial statements</li> </ul> </li> </ul>

    Communication

    • Internal and external communication
    • Implement internal communications strategy within breach team, executive team/board of directors and managers/employees
    • Evaluate, coordinate and communicate externally with:
      • Impacted customers
      • Impacted business partners
      • Press
      • Financial statements
  • <ul> <li>Evaluate breach notification obligations, response options and determination of response</li> <li>Evaluate coordination and communicate with law enforcement</li> <li>Evaluate insurance notification protocols</li> </ul>

    Remediation

    • Evaluate breach notification obligations, response options and determination of response
    • Evaluate coordination and communicate with law enforcement
    • Evaluate insurance notification protocols
Insurance Solutions

Insurance Solutions

The Cyberbloc insurance program addresses all impacts that can result from a data breach or cyber security incident, whether malicious or accidental. The coverage can be tailored to specific exposure elements of the risk.
  • <p>Includes any expenses resulting from a lawsuit filed by a third party, including claims arising from security failure, failure to protect data, privacy breach, the failure to disclose a security failure or privacy breach.</p>

    Third Party Claims

    Includes any expenses resulting from a lawsuit filed by a third party, including claims arising from security failure, failure to protect data, privacy breach, the failure to disclose a security failure or privacy breach.

  • <p>Includes any expenses resulting from a security incident but not requiring a lawsuit such as;</p> <ul> <li>costs associated with responding to a breach</li> <li>forensic costs to confirm and identify the breach</li> <li>costs to notify affected individuals</li> <li>regulatory fines</li> <li>credit protection services including costs to staff a call center for redemption of monitoring offers</li> <li>crisis management and public relations costs related to managing and mitigating a security breach incident</li> </ul>

    Direct First Party Claims

    Includes any expenses resulting from a security incident but not requiring a lawsuit such as;

    • costs associated with responding to a breach
    • forensic costs to confirm and identify the breach
    • costs to notify affected individuals
    • regulatory fines
    • credit protection services including costs to staff a call center for redemption of monitoring offers
    • crisis management and public relations costs related to managing and mitigating a security breach incident
  • <p>Covers financial loss, such as business income when a company has its network-dependent revenue interrupted. Traditionally, this has been for fire, flood, etc. but technology growth has created new BI perils (viruses, tech failures, programming errors and computer hacking).</p>

    Business Interruption

    Covers financial loss, such as business income when a company has its network-dependent revenue interrupted. Traditionally, this has been for fire, flood, etc. but technology growth has created new BI perils (viruses, tech failures, programming errors and computer hacking).

  • <p>Covers the response costs and financial payments associated with network-based ransom demands. With the proliferation of ransomware such as Cryptolocker and anonymous currencies such as Bitcoin, network extortion demands are on the rise. In the digital world, intangible assets are &lsquo;kidnapped&rsquo; and extorted with threats to shut down a system or divulge sensitive or proprietary information.</p>

    Extortion Threats

    Covers the response costs and financial payments associated with network-based ransom demands. With the proliferation of ransomware such as Cryptolocker and anonymous currencies such as Bitcoin, network extortion demands are on the rise. In the digital world, intangible assets are ‘kidnapped’ and extorted with threats to shut down a system or divulge sensitive or proprietary information.

  • <p>Costs to defend and resolve liability claims related to copyright infringement, trademark infringement, defection, plagiarism and invasion of privacy.</p>

    Intellectual Property Infringement

    Costs to defend and resolve liability claims related to copyright infringement, trademark infringement, defection, plagiarism and invasion of privacy.

Apply now next section next section

Compliance

The past few years have seen significant developments in data protection, including more aggressive enforcement by regulators affecting both small and large businesses around the world.

New Regulations and Fines

Enforced on 25 May 2018, the EU General Data Protection Regulations (GDPR) is the biggest shake up ever to data protection laws. It places major emphasis on enforcement with increased penalties for breaches and fines of up to 20 million euros or 4% of an organization’s global annual revenue.

Global Reach

The GDPR applies to all businesses who process or monitor personal data of EU residents or are offering goods and services to EU residents. All data must be processed in line with the GDPR, regardless if the processing takes place in the EU or not. 

For example, a Caribbean based company that handles the data of EU citizens can be investigated, fined and even prosecuted by an EU regulator. The GDPR rules will soon also be copied by regulators around the world.

Reporting Data Breaches

The biggest change to the data protection landscape is the mandatory data breach reporting deadline of 72 hours from detection of the breach. This puts huge pressure on organizations and increases the likelihood an organization faces regulatory action. Failure to notify regulators could result in hefty fines.

The breach must also be communicated within 72 hours of discovery to the person (data subject) whose data has been breached.

If an employee loses a laptop with customer records on it, the organization must inform every customer that their data has been compromised within 72 hours. The legal consequences, brand damage, litigation and media reporting could be significant.

How We Can Help

Getting ready for the GDPR boils down to three steps:

1. Discovery
Understand and identify your compliance gaps by reviewing existing processes.

2. Plan
Plan your remedial activities in the event of a data breach. With just 72 hours to report a breach, you should have clear processes in place.

3. Execute
Implement the changes needed to ensure compliance. Good governance and transparency should be built into every process. The majority of data breaches come from employee error. Educating all employees by raising their awareness is paramount.

The Cyberbloc team can guide you through this process by providing a manageable outline of GDPR compliance tasks and assist you in the revision and updates to policies and processes impacted by GDPR compliance.

 

Contact us next section next section

Why Cyberbloc?

  • IT Specialist
    Knowledge

  • Legal &
    Compliance
    Expertise

  • Insurance
    Coverage
    Expertise

  • 24 /7 Security Response Hotline

    24 /7

    Security
    Response
    Hotline

    24 /7 Security Response Hotline

Apply now next section next section

FAQ

These are the types of risk related to Personally Identifiable Information (PII) under an organization’s custody being accessed and/or exposed without authorization of the information’s owner(s), which can then have various devastating consequences for both the information’s owner(s) and the organization in question.

In simple terms, PII is any type of information that can be used to identify an individual or an entity, and which falls under some form of regulatory protection (i.e. European Union’s GDPR, USA’s PCI Compliance). Examples of PII can be driver’s license numbers, bank account information, online account user names and passwords, employee’s information, medical and health information, etc.

Access to personal and confidential information can be easily monetized, whether it’s stealing confidential information to sell on the black market, or using the breached/stolen information to blackmail the targets into releasing large ransom payments.

Regardless of size or geographical location, all organizations are susceptible to both internal and external threats if you either:

  • use mobile technology (smartphones, tablets, laptops, PC)
  • Have employees (internal employees are responsible for 43% of data loss)
  • Engage external partners, contractors, or vendors
  • Accept credit cards or other online forms of payment
  • Store confidential customer, partner, employee, or other digital information.

To protect PII, an ever-increasing amount of complex, international legal requirements are being placed on businesses to both adequately secure the PII under their control, and to also pay the costs associated with responding to a data security incident (breach). The overwhelming costs and confusing various international legislative requirements can make it difficult for organizations to overcome the fallout of a data breach without specialized assistance.

1. Because the exposure is truly global without geographical boundaries. Both private citizens and organizations are protected by the regulations applicable to the country of citizenship and/or incorporation. If an organization has clients from USA and EU, in case of a data security incident its clients will be subject to the applicable data protection regulations from both continents.

2. Some of the regulations, unlike a directive, do not require national governments to pass any enabling legislation, and are thus directly binding and applicable (i.e. European Union’s GDPR).

3. Failure to comply with the GDPR, enforced on 25 May 2018, could result in a penalty of up to 20 million euros or 4% of the organization’s global revenue.

  • First party: Costs associated with responding to an incident, such as forensic costs to confirm and identify the breach, costs to notify affected individuals, crisis management and public relations costs, lost business income, costs to recreate or repair damaged/destroyed data, systems or programs, extortion (ransomware)
  • Third Party: Costs to defend and resolve regulatory imposed 3rd party claim obligations with regard to the handling of PII, including alleged negligence, violation of privacy or consumer protection laws, breach of contract and regulatory investigations/fines.

Trusted Partners

Dykema

Dykema is distinguished by their cost-effective and collaborative partnerships with their clients. Focused on delivering outstanding results they strive, at every level, to develop relationships with their clients built on trust and mutual respect. Unparalleled client service is at the heart of their approach to the practice of law. That focus has been a cornerstone of their success for the past 85 years. They serve clients around the world from their 13 strategically situated offices throughout the United States, and through their membership in the World Services Group.

Dykema’s Privacy and Data Security Practice provides a full suite of services to manage the entire life cycle of a company’s data from its creation to ultimate deletion. Dykema recognizes that privacy and data security concerns will vary greatly by industry due to industry-specific regulation and activity. To address these concerns, Dykema’s Privacy and Data Security Practice is organized by industry group specialty, including world class attorneys with deep experience in those areas.

www.dykema.com

Liberty Mutual

LIU is a division of Liberty Mutual Insurance, a diversified insurer with operations in 30 countries around the world. In business since 1912, and headquartered in Boston, Mass., Liberty Mutual is a Fortune 100 company and the fifth largest property and casualty insurer in the U.S.A.

LIU’s Cyber division insurance solutions can help provide responsive guidance during your most critical times. LIU brings together some of the world’s top cybersecurity, law, and technology firms to help prevent and protect against sensitive data breaches, computer hacking, employee error, and much more. From industry leading loss prevention tools to data-breach resolution, they are there with you when it matters most.

www.libertymutual.com

 

EY

In today’s world, every organization is digital by default. And, as many organizations have learned, it’s no longer a matter of if you’ll face a cyberattack, it’s a matter of when. Every asset in your organization is at risk. Attackers can hack indiscriminately or target specific assets, preying on both large and small organizations in the public and private sectors. Exposing the attackers requires defenses that identify each threat, even when it adopts the colors of its target environment.

We can help you protect your business by building a cybersecurity foundation, detecting the cyber threats you are facing and responding to a cybersecurity breach. Together, we can help you deliver better outcomes and long-lasting results, from strategy to execution.

EY Cyber Security

KPMG

In today’s digital world, decision-makers can’t afford to be held back by cyber risks. They need to make bold decisions and feel confident that their cyber strategy, defenses and recovery capabilities will protect their business and support their growth strategies.

Across all sectors and in every geography, business executives are asking themselves the same questions:

  • Can I balance information protection and accessibility?
  • What does a ‘good’ cyber security strategy look like in my sector?
  • Can I prioritize cyber risks based on my company’s strategy?
  • How do I determine the right level of investment?
  • Where should I put my investments?
  • How can I prevent or mitigate the disruption of a cyber event?
  • How do I ensure that our business returns to normal as quickly as possible?

KPMG / Cyber Security Services

Atlas Risk Solutions

Atlas Risk Solutions (ARS) is a boutique provider of risk management and insurance advisory services exclusively focused on mid- and large commercial risks. ARS specializes in the innovation, creation and management of risk transfer and insurance solutions designed to produce a balanced and cost-effective approach to risk that delivers sustainable advantages. Founded in 1991 the company has a local presence in Curaçao, Aruba, Bonaire, and St. Maarten, with nearly 12 experienced and talented professionals that help their clients stabilize and reduce the cost of risk over time.

www.atlasrisksolutions.com

BBV Legal

BBV Legal is a leading law firm in the Dutch Caribbean, with its main office in Curaçao. It provides legal services to local as well as international corporate entities, governments, private clients and non-profit institutions. Its attorneys advise and litigate in matters within all areas of civil and administrative law, and are known for their expertise and personal approach in handling cases.

www.bbvlegal.com

Arete Advisors

Arete Advisors has assembled an elite global team of incident response experts to create unparalleled capability to assist clients in preparing for and defending themselves against a cyber-attack, from incident response readiness assessments to post-incident remediation and ongoing hunt services. Our core skills include triage, digital forensics, malware reverse engineering, remediation, managed detection response, hunt and testifying expertise. Arete works with organization of all size to provide highly customized advice specific to your industry. Arete’s advisory services provide legally defensible, compliant cyber strategies that assist the C-Suite and Boards of Directors to continuously improve the organizations’ cyber posture, by aligning cyber risk management strategy with corporate risk.

Arete Advisors partners with clients to reduce the burden of preparing for, detecting, and responding to cyber-attacks. Data breaches are a matter of when, not if in today’s world. Engaging Arete’s team of experts gives your organization the confidence to respond to a data breach with access to the world’s leading cybersecurity professionals – anywhere in the world – within hours not days.

www.areteadvisorsinc.com

The Crypsis Group

The Crypsis Group is a leading national cyber security advisory firm offering a full spectrum of services including incident response, digital forensic investigations, and cyber risk and resilience management. Through its growing team of nearly 100 professionals that includes the country’s most accomplished cyber security experts and investigators, Crypsis provides companies and other organizations with immediate help in responding to network intrusions and identifying, containing, and eradicating threats to their sensitive data.  Leveraging their own extensive knowledge of how cyber criminals operate, Crypsis consultants partner with clients to harden their network defenses and, going forward, lower the risk of security breaches to their business operations and reputations.  In addition to its McLean, Virginia headquarters, the firm has offices in Los Angeles, Chicago, Austin, and New York City.

www.crypsisgroup.com

Contact us

If you're interested in further information on our products and services or if you have general enquiries please fill in the form below. All fields are required.

Design & development by Profound