“This attack on Yahoo highlights the pervasive nature of cyber-attacks in the complex world of data protection, and particularly the issue of latency in discovering that an attack has occurred. Presumably, a sophisticated and well established internet leader like Yahoo would have best in class intrusion detection and escalation capabilities, and the fact that two years have passed between this attack and their discovery should alert companies with fewer resources that they may also be missing detection of significant events.
“The exposure of security questions (such as "in what city did your parents meet?") is potentially significant in this incident as well, as it means the security implications could cascade to many other websites with similar protocols. This highlights the systemic nature of incidents on this scale.
“The raft of additional expenses following a data breach, most notably for consumer notification, forensic investigation, public relations, and other crisis management expenses, highlight the need for cyber insurance. This incident has widely been reported as the latest data breach ever, so litigation and regulatory interest are sure to be a factor for Yahoo. It will be interesting to see how the financial and reputational impacts of this incident affect the pending Verizon transaction. It's also likely to underscore the importance of cyber security and incident readiness in the transactional due diligence process.
“Traditional insurance products aren't likely to respond to the potentially significant incident response costs in this case, which may extend far beyond Yahoo itself. Companies can no longer view cyber insurance as merely optional, but rather a critical weapon in their cyber risk management arsenal.”
|
