By Liying Gu
The ACI-NA Risk Management Committee kicked off the New Year with its 14th annual Risk Management Conference, held in warm and sunny Las Vegas with close to 140 attendees, very close to setting another new record.
The first day of the conference covered the many risks airports face, from safety, wildlife, environmental, cyber, event and construction risk to enterprise risk, and offered suggestions for identifying and mitigating risk in a systematic manner.
Of all the risks covered, cyber security and the liability associated with the risk exposure are gaining more and more attention, as mismanaging this risk can lead to significant consequences that include regulatory actions, lawsuits and defense costs, and reputational damage.
According to the findings from the CyLab 2010 report by the Carnegie Mellon Governance of Enterprise Security, $214 per record is the average cost of a data breach, with an average total per-incident cost of $7.2 million in 2011; negligence is the leading cause of a data breach, at 41 percent of all reported cases; and 96 percent of breaches could have been avoided if reasonable data security controls had been in place at the time of the incident. A data breach could lead to leakage of important information such as personal identification, financial account, patient healthcare, and corporate confidential information.
The two speakers, Pam Townley, AVP of the professional liability division of Chartis, and Jennifer Bolling of Arthur J. Gallagher, recommended risk mitigation at the enterprise level. There needs to be commitment from senior-level management. The company should use the most recent technologies and limit access to sensitive data. The company should understand the changing regulatory environment and implement plans to respond to a breach in a timely and compliant manner. There needs to be proper vetting of third-party vendors and contract management. The company's human resources department should deploy proper hiring and termination techniques and provide employee training on how to classify and handle data. There need to be safe and secure methods of disposing of data. The company should use a combination of physical security, written security policies and risk transfer to a third party, such as insurance solutions, to control the risks.