AsTech Consulting Warns Companies That Lacking Adequate Cyber Insurance Coverage Poses Major Threat

San Francisco Based Security Firm Recommends Full Cyber Risk Assessment to Prevent Losses that Can Cost Millions.

AsTech Consulting Logo

San Francisco, CA, USA — Losses from cyberattacks and security breaches continue to plague companies of all sizes, and while more organizations are investing in basic cyber insurance, most are woefully underinsured. According to Greg Reber, CEO of AsTech Consulting — independent cyber security experts specializing in software and IT infrastructure security — to protect themselves, companies need a comprehensive risk assessment and to work with underwriters to make sure they both agree and understand the terms of cyber insurance policies.

The history of financial losses from a cyber-attack are well documented. Target reported $252 million in expenses related to its data breach in 2013, however the company only had $90 million in cyber risk insurance. Similarly, Anthem Inc. suffered a data breach in February 2015, and the company is now providing credit monitoring and identity protection services to patients who were affected. In both cases, insurance coverage was inadequate to cover costs and additional losses from litigation and class-action suits.

According to a recent study by the Ponemon Institute, companies are four times more likely to insure physical assets than information assets, even though the Probable Maximum Loss (PML) from loss of intellectual property can exceed $200 million. Of those surveyed by Ponemon, 52 percent see cyber risk exposure increasing but only 19 percent have cyber insurance coverage with an average limit of $13 million, and 54 percent have no plans to purchase cyber insurance.

“Executives underestimate the potential losses from a cyber-attack and are unclear how to best insure their operation against potential losses,” said Reber. “They buy cyber risk insurance, but too often the coverage is inadequate since many insurance companies rely on self-reporting when assessing areas of coverage. By being better educated about cyber risk and cyber risk insurance and taking simple preventative steps to isolate potential areas of cyber risk, companies will be in a much better position to protect themselves when they do have a security breach.”

Cyber risk insurance policy coverage is often based solely on information provided by the company and insurance questionnaires are generic and leave companies under insured. Another common issue is undervaluing the potential losses from a cyber breach, resulting in substantial losses not covered by insurance.

To ensure proper cyber risk insurance coverage, Reber recommends companies take a number of steps:

1. Assess their cyber risk to understand the specific possibilities for a cyber-attack and what data could potentially be exposed or lost. The best approach is to assume that you can’t cover all possible contingencies, so it’s a matter of when a breach will occur, not if.
2. Develop a cyber breach response strategy, including remediation and notification, to minimize potential losses.
3. Work with an experienced cyber risk underwriter that understands the potential losses from a cyber-attack or data breach and is willing to develop a policy with adequate coverage.
4. Review potential cyber risk annually, since the degree of cyber risk changes over time.

About AsTech Consulting
AsTech Consulting has been helping Fortune 1000 companies manage risk and protect vital information assets since 1997. AsTech’s technical team are true Internet security experts, providing a full suite of services focused on risk management and mitigation including Vulnerability Discovery and Remediation, Secure Development Training, Secure Software Development Lifecycle Consulting and Security Architectural Design. For more information, visit http://www.astechconsulting.com.

Contact:
Tom Woolf
Public Relations Director, Gumas Advertising
415-259-5638
twoolf@gumas.com

AsTech Consulting Identifies Security Assessment as the Missing Piece in Merger & Acquisition Due Diligence

San Francisco Security Firm Working with Investment Advisors to Uncover Critical Security Flaws that Present Added Risk for Corporate Acquisitions.

AsTech Consulting Logo

San Francisco, CA, USA — Hidden security flaws in software and network infrastructure pose great risks to successful mergers and acquisitions, and yet assessing the security of target companies is commonly omitted from the M&A due diligence process. According to the team at AsTech Consulting-independent cyber security experts specializing in software and IT infrastructure security-unidentified vulnerabilities can heavily influence the value of an acquisition, and more investment advisors and corporations are working with AsTech to uncover hidden security issues to guide valuation and deal negotiations.

“A few years ago security audits were just for ‘tech’ companies but today almost every business is dependent on increasingly vulnerable, interconnected technology. Buyers no longer see this as an isolated ‘IT’ issue, it’s become a boardroom issue,” said David Fox, Managing Director, Strategic Value Advisors.

Assessing security issues and overall cyber risk is seldom considered as part of due diligence in merger and acquisition discussions, but this is changing. Negotiating parties examine revenue, assets, inventory, channels, and partnerships, but fail to recognize that a security weakness in the network infrastructure or source code may compel remediation costs that annihilate a significant percentage of the subject valuation. Security breach remediation and customer notification routinely cost companies hundreds of thousands of dollars, if not millions. For example, there are 47 states with “breach notification” laws and, according to the National Conference of State Legislatures, the average cost of a security breach customer notification alone in 2014 was $500,000.

“Hidden security issues can have a profound impact on any merger. In one recent case, the acquisition target discovered a breach during negotiations that affected their customers as well as the company itself. The acquiring company simply walked away from the table,” said Greg Reber, founder and CEO of AsTech Consulting. “To meet the market’s need, AsTech has launched an M&A Security Due Diligence Practice. Developed with M&A advisors, venture capital investors and security practitioners, this service focuses on getting useful information to the right players quickly, before it’s too late to have an effect on negotiations.”

Dr. Martin Carmichael, former CISO of TD Ameritrade and McAfee, agrees, stating: “As CISO of TD Ameritrade, I engaged AsTech to perform a security evaluation after an acquisition deal was done. They discovered critical security flaws, which required significant remediation costs. This information would have affected the valuation, and negotiations.”

Guy Henshaw, board member of payroll company Evolution HCM notes: “AsTech has helped our company assess the cyber risk of potential acquisitions on three occasions. They are adept at quickly assessing and analyzing risks: distilling results into very succinct reporting with recommendations. We will not go into a deal without the AsTech Due Diligence Cyber Risk Assessment.”

Depending on ‘deal-specific variables,’ there is a range of scrutiny that may be applied to this type of due diligence. A software company being acquired for the software itself doesn’t need an IT infrastructure assessment, but rather a software security analysis which in most cases could produce key results within a few business days.

“The business climate is changing and chief executives and board members are being held accountable by shareholders, employees, and others for costly security breaches,” Reber said. “Legal disclaimers no longer excuse liability. Smart executives are scrutinizing security in advance, rather than waiting for hidden problems to emerge that can create costly remediation. Assessing security vulnerabilities in advance strengthens your negotiating position, regardless of which side of the table you’re on.”

About AsTech Consulting
AsTech Consulting has been helping Fortune 1000 companies manage risk and protect vital information assets since 1997. AsTech’s technical team are true Internet security experts, providing a full suite of services focused on risk management and mitigation including Vulnerability Discovery and Remediation, Secure Development Training, Secure Software Development Lifecycle Consulting and Security Architectural Design.

For more information, visit http://www.astechconsulting.com.

Contact:
Tom Woolf
Public Relations Director, Gumas Advertising
415-259-5638
twoolf@gumas.com

AsTech Consulting Security Expert Sees 2016 as “The Year of Board Accountability”

New Cyber Security Assessment Framework from FFIEC and High-Profile Security Breaches Will Lead to Shareholders Demanding Answers.

AsTech Consulting Logo

San Francisco, CA, USA (January 19, 2016) — The year 2016 promises to be the Year of Accountability as corporate boards have to address serious questions about their companies’ defenses against security breaches and cybercrime. That’s the prediction of Greg Reber, CEO of AsTech Consulting, an 18-year-old cyber security consulting firm. Reber warns that board members as well as chief executives are going to be held more accountable by shareholders and regulatory agencies for inattention to cyber security weaknesses.

Last year the Federal Financial Institution Examination Council (FFIEC) released a new cyber-security assessment tool to help financial institutions move from a simple, “check-the-box” approach to security assessment to a more risk-based methodology, including specific milestones that boards have to meet at different maturity levels. This marks a new era in financial institution security oversight due to the specificity of the compliance framework. This move by the FFIEC puts corporate boards on notice as well as chief executives that cyber security is their responsibility.

“Data security breaches will continue to be more spectacular and more costly to business,” said Reber. “What is changing is the demand for more accountability. In addition to requiring that high level executives step down (such as the CEO of Target), we are going to see more boards of directors held responsible for security failures. Cyber security is a problem that will continue to escalate, resulting from emerging technologies being applied to cybercrime coupled with a lack of due diligence by senior management.”

Reber notes that there are multiple reasons that 2016 will become a year of increasing cyber security attacks:

1. Aging Internet applications – The World Wide Web is 23 years old in 2016 and many of today’s Web applications are built using source code that was developed before security risks were understood. These applications propagate security weaknesses unless they are specifically addressed in the source code, or by other means.

2. The rush to introduce new technology – Emerging technologies are creating new cyber security risks that are not well understood. The Internet of Things (IoT), for example, is driving a rush to market and many times cyber security is an afterthought. Adding security to new technology later rather than making it part of the initial development will leave ‘seams’ for security flaws.

3. Malicious ecommerce – Social media sites such as Facebook, Twitter, and Pinterest have announced that they will be adding “buy” buttons to their sites. While this may attract more users and promote customer retention, it also will create new opportunities for cyber-fraud and identify theft.

Conversely, the good news for the coming year is that better analytics with more accurate predictive capabilities are coming to market every quarter. It is becoming easier to identify where hackers are likely to strike next, supplementing traditional enterprise security safeguards with predictive analytics and analytics-driven security methods.

“We have better analytics and predictive capability to head off more security problems, but companies still need to make cyber security a priority before they have to pay for the consequences of a cyber breach,” added Reber. “It’s more than a matter of adding more security detection tools; companies have to scrub their infrastructure to uncover legacy vulnerabilities. In the current regulatory climate, vulnerability discovery and remediation is much less expensive than paying the fines and legal fees, not to mention equity losses, that follow a systems hack.”

About AsTech Consulting
AsTech Consulting has been helping Fortune 1000 companies manage risk and protect vital information assets since 1997. AsTech’s technical team are true security experts, providing a full suite of services focused on risks to information including Vulnerability Discovery and Remediation, Secure Development Training, Secure Development Lifecycle Consulting, and Security Architectural Design.

For more information, visit http://www.astechconsulting.com.

Contact:
Tom Woolf
Public Relations Director, Gumas Advertising
415-259-5638
twoolf@gumas.com