Cybersecurity for Leaders and Managers
Question
Research Report #1: Data Breach Incident Analysis and Report
Scenario
Padgett-Beale Inc.’s (PBI) insurance company, CyberOne Business and Casualty Insurance Ltd, sent an audit team to review the company’s security policies, processes, and plans. The auditors found that the majority of PBI’s operating units did not have specific plans in place to address data breaches and, in general, the company was deemed “not ready” to effectively prevent and/or respond to a major data breach. The insurance company has indicated that it will not renew PBI’s cyber insurance policy if PBI does not address this deficiency by putting an effective data breach response policy and plan in place. PBI’s executive leadership team has established an internal task force to address these problems and close the gaps because they know that the company cannot afford to have its cyber insurance policy cancelled.
Unfortunately, due to the sensitivity of the issues, no management interns will be allowed to shadow the task force members as they work on this high priority initiative. The Chief of Staff (CoS), however, is not one to let a good learning opportunity go to waste … especially for the management interns. Your assignment from the CoS is to review a set of news articles, legal opinions, and court documents for multiple data breaches that affected a competitor, Marriott International (Starwood Hotels division). After you have done so, the CoS has asked that you write a research report that can be shared with middle managers and senior staff to help them understand the problems and issues arising from legal actions taken against Marriott International in response to this data breach in one of its subsidiaries (Starwood Hotels).
Research
1. Read / Review the readings for Weeks 1, 2, 3, and 4.
2. Research the types of insurance coverage that apply to data breaches. Pay attention to the security measures required by the insurance companies before they will grant coverage (“underwriting requirements”) and provisions for technical support from the insurer in the event of a breach. Here are three resources to help you get started.
a. https://woodruffsawyer.com/wp-content/uploads/2019/06/40842_Woodruff-Sawyer-Cyber-Buying-Guide_Final.pdf
b. https://www.travelers.com/cyber-insurance
c. https://wsandco.com/cyber-liability/cyber-basics/
3. Read / Review at least 3 of the following documents about the Marriott International / Starwood Hotels data breach and liability lawsuits.
a. https://www.insurancejournal.com/news/national/2018/12/03/510811.htm
b. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/
c. https://www.bbc.com/news/technology-54748843
d. http://starwoodstag.wpengine.com/wp-content/uploads/2019/05/us-en_First-Response.pdf
e. https://www.consumer.ftc.gov/blog/2018/12/marriott-data-breach
f. https://news.marriott.com/2019/07/marriott-international-update-on-starwood-reservation-database-security-incident/
4. Find and review at least one additional resource on your own that provides information about data breaches and/or best practices for preventing and responding to such incidents.
5. Using all of your readings, identify at least 5 best practices that you can recommend to Padgett-Beale’s leadership team as it works to improve its data breach response policy and plans.
Write
Write a three to five (3-5) page report using your research. At a minimum, your report must include the following:
1. An introduction or overview of the problem (cyber insurance company’s audit findings regarding the company’s lack of readiness to respond to data breaches). This introduction should be suitable for an executive audience and should explain what cyber insurance is and why the company needs it.
2. An analysis section in which you discuss the following:
a. Specific types of data involved in the Starwood Hotels data breaches and the harm
b. Findings by government agencies / courts regarding actions Starwood Hotels / Marriott International should have taken
c. Findings by government agencies / courts regarding liability and penalties (fines) assessed against Marriott International.
3. A review of best practices which includes 5 or more specific recommendations that should be implemented as part of Padgett-Beale’s updated data breach response policy and plans. Your review should identify and discuss at least one best practice for each of the following areas: people, processes, policies and technologies. (This means that one of the four areas will have two recommendations for a total of 5.)
4. A closing section (summary) in which you summarize the issues and your recommendations for policies, processes, and/or technologies that Padgett-Beale, Inc. should implement.
Submit for Grading
Submit your research paper in MS Word format (.docx or .doc file) using the Research Report #1 Assignment in your assignment folder. (Attach your file to the assignment entry.)
Additional Information
1. To save you time, a set of appropriate resources / reference materials has been included as part of this assignment. You must incorporate at least five of these resources into your final deliverable. You must also include one resource that you found on your own.
2. Your research report should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings to organize your paper. The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the “professional appearance” requirements. APA formatting guidelines and examples are found under Course Resources > APA Resources. An APA template file (MS Word format) has also been provided for your use.
3. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.
4. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.).
Solution
Cybersecurity for Leaders and Managers
Data Breach Incident Analysis and Report
The introduction provides an outline of the situation, which involves cyber insurance business audit results indicating that the firm lacks the preparedness to assist it in responding to data theft that it may meet. The introduction is then aimed at the top management, who elaborates on cyber insurance’s precise meaning and substance. Cyber insurance refers to hedging in insurance companies to assist businesses against risky actions and consequences. A form of the devastating effects of cybercrimes including ransomware, Malware, and other attacks (Kshetri, 2020). Cyber insurance also covers the various methods to compromise the various organizational networks and critical data. Cyber insurance, often known as cybersecurity insurance, provides particular solutions to manage cyber-related risks. The organization pays the insurance firm once a month or once a year to assist the organization in protecting itself against breaches and cybersecurity-related threats.
Cyber insurance plans have a specific or general scope on the cyber-related risks. The cyber insurance policy usually covers the costs of responding to data breaches through forensic audits, credit monitoring for those impacted, and legal fees. A company uninformed of the benefits of cyber security insurance is more likely to forego it, leaving them vulnerable to significant cybercrime-related calamities. If such businesses’ data is breached, they will face substantial financial losses and the loss of crucial data and financial records (Kshetri, 2020). According to cyber insurance research, it was observed that data breaches elicit an unexpected reaction from the company’s consumers, who are concerned about the protection of their data and other vital information.
According to the audit, the firms’ clients also lacked a well-prepared incident response strategy, realistic and functioning cybersecurity protection measures, and sufficient knowledge of the likelihood of a cyber-attack resulting in the theft of critical data kept on the network. Cyber insurance help prevents companies from getting victimized by cybercrimes through proper management of the risks and guarantees recovery when cyberattacks occur. The audits show the cyber insurance’s most significant contribution to the firm. Customers lose trust, firms suffer negative reputations, and some enterprises fail due to data breaches. Cyber insurance protects the company against such risks, which helps to reduce such accidents.
Analysis
The section goes through the precise types of data implicated in the Starwood Hotels data breaches and the consequences for the firm. The part also includes the findings of government authorities on the main actions that Starwood Hotels should take to safeguard the organization against a hack (Cybersecurity and GDPR: Two Record fines in the United Kingdom, 2020). In addition, the section covers the authorities’ conclusions on Marriott International’s culpability and sanctions.
Clients’ names, addresses, passport identifications, and credit card information belonging to Starwood Hotels customers were among the data taken in the Starwood Hotels data breach (Cybersecurity and GDPR: Two Record fines in the United Kingdom, 2020). As a result of data theft, some hazards exist, such as identity theft, data fraud, and related financial threats.
According to federal authorities and the court, Marriott International should have put several protections to guarantee the client’s data security, which would have averted the cyberattack. As a result, the government and the court hold Marriott liable for the consequences of a data breach (HTTPS://www.insurancejournal.com/news/national/2018/12/03/510811.htm, n.d.). In addition, the company must be held responsible for the risks and other harms the breach may cause to customers. Following the investigation, government officials and the court assessed the penalty based on the company’s failure to adopt safeguards, and a $123 million charge against the Marriott International Hotel was appropriate.
Review of the best practices.
Padgett-Beale can use the ideas in this section to develop a data breach response strategy and plan. Based on the privacy breaching occurrence analysis, the primary recommendations for Padgett-data Beale’s breach response approach are the following. The first area where guidance is given is to the people. In the event of an incident, a response team is required. The incident response team (IRT) is made up of people who are the first to notice and respond to a cyber-related occurrence, and they are in charge of directing a comprehensive response and ensuring that the problem is resolved appropriately. In addition, the incident response team can use it to plan the response, keep acceptable communication mechanisms in place, and engage with software and hardware makers (Mu & Zheng, 2019). As a result, forming a team of five individuals to handle threat detection is an excellent idea. The incident response team should represent law, compliance and standards, sales and marketing, and management.
Processes recommendations to discover the primary source of the cyber problem, incident investigations must be done. This method is utilized to determine what created the situation in the first place. Risk control and hedging solutions are also discovered throughout this procedure. The incident response team is leading the investigation. Several response procedures to control the situation are implemented following rigorous studies.
Cybersecurity policies that aid in observing and detecting data breaches are advantageous. As a result of the method, all participants in the firm receive prompt information about the violating incident. Furthermore, a worker who encounters a data breach should alert senior management or IT professionals for corrective action or subsequent action.
Summary
In the next part, Padgett-Beale International presents an insight into the issues and implements recommendations. But, first, the organization’s norms, policies, and technology must all be altered.
Implementing a CRM system to aid in creating and tracking the managers’ and sales executives’ various operations is advantageous to the firm. Padgett-a large number of Beale’s clients and potential customers demand an efficient and effective system, such as CRM (Suoniemi et al., 2021). It allows them to keep track of the most profitable deals and focus their efforts on areas where clients are more satisfied.
A VMS system for tracking the performance of Padgett-Beales’ vendors and future vendors interested in the company is beneficial for easy management. This will be extremely important to control as they keep track of the company’s new vendors. Furthermore, this serves as a foundation for assessing vendors’ capabilities within the organization. Management can predict the likelihood of a supply issue by examining the vendor’s capabilities and performance, which helps them avoid negative consequences.
To better handle the diversity of Padgett products Beale’s and potential products introduced to the line of business, the company needs to implement an ERP system. ERP will give the organization a better understanding of the entire production process and how the product goes to market. To better understand each production stage, the company has to plan new product releases with more precision. Additionally, as the workflow becomes more transparent, any potential hazards are immediately identified and avoided.
References
Cybersecurity and GDPR: Two record fines in the United Kingdom. (2020, March 12). Lexing Network Réseau international des avocats spécialisés en droit des technologies avancées / Global network of attorneys specialized in emerging technology law. https://lexing.network/cybersecurity-and-gdpr-two-record-fines-in-the-united-kingdom/
HTTPS://www.insurancejournal.com/news/national/2018/12/03/510811.htm - Search. (n.d.). Bing. https://www.bing.com/search?
Kshetri, N. (2020). The evolution of cyber-insurance industry and market: An institutional analysis. Telecommunications policy, 44(8), 102007.
Mu, B., & Zheng, J. (2019, June). Study on Incident Response System of Automotive Cybersecurity. In Security and Privacy in New Computing Environments: Second EAI International Conference, SPNCE 2019, Tianjin, China, April 13–14, 2019, Proceedings (Vol. 284, p. 198). Springer.
Suoniemi, S., Terho, H., Zablah, A., Olkkonen, R., & Straub, D. W. (2021). The impact of firm-level and project-level capabilities on CRM system quality and organizational productivity. Journal of Business Research, 127, 108-122.
About Author
Tough Essay Due? Hire Tough Essay Writers!
We have subject matter experts ready 24/7 to tackle your specific tasks and deliver them ON TIME, ready to hand in. Our writers have advanced degrees, and they know exactly what’s required to get you the best possible grade.
Find the right expert among 500+
We hire Gradewriters writers from different fields, thoroughly check their credentials, and put them through trials.
View all writers