Drafting a cybersecurity risk management plan can feel like a daunting task, but with resources like those provided in this article from Federated Insurance®, legal insights from Benesch Law, and the implementation experience of AMBA member Westminster Tool (to be published in Part II), business owners can help protect their companies from the ever-increasing security risks they face.

Step 1: Identify Your Business's Cyber Risks

Breaches of computer networks and unauthorized access to sensitive data are the core of cyber risk. The resulting exposures include personal injury claims, intellectual property infringement claims, and financial loss from allegations of negligence, as well as the fines, costs, and obligations imposed by consumer protection and data privacy regulations. When the security of a network is compromised, information that should have stayed private can be exposed. That is the essence of a data breach event.

Step 2: Assess Your Risk

To assess your risk, start by asking "What are we trying to protect?" across your products, services, customers, vendors, communications, and information networks. Two areas deserve specific attention:

  • Third-Party Risk: Know what your third parties are doing to protect and secure your company and customer information. This is even more critical where you share data with those third parties or allow them access to your internal network.
  • Regulatory Requirements: Stay current on new cybersecurity regulations, how they affect the way you conduct business, and what controls you must have in place to protect sensitive data.

Step 3: Identify Mitigating Methods

A Data and Privacy Security Plan not only helps protect your company from regulatory scrutiny; it also helps prevent breaches and limits the fallout if one occurs. Once your risk analysis is complete, identify one or more methods for mitigating each risk. Revisit the assessment regularly and re-rank the risks as your company's organizational controls and systems evolve and improve.


Step 4: Create Your Company Policies

Company policies and procedures establish the rules of conduct within an organization and outline the responsibilities of both employees and employers. They exist to protect the rights of workers as well as the business interests of the employer.

Step 5: Communicate Your Program and Expectations

Communicate your Data and Privacy Security Plan and your expectations to every employee. Through effective communication, employees learn what changes in behavior or performance are required of them. Review the program with your employees and keep a reference copy accessible to them at work.

Step 6: Train Your Employees

The best security technology in the world cannot help you unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources. Training employees is therefore a critical element of security. They need to understand the value of protecting customer and company information and their own role in keeping it safe.

Step 7: Monitor Results and Take Necessary Action

Regularly measure the effectiveness of your Data and Privacy Security Plan by revisiting and re-evaluating all of the factors that went into developing it. Regular audits should evaluate your information-security practices and whether your company is actually following them, including tests to confirm that employees are implementing the required measures properly and consistently.

The information provided in this article is intended to be general in nature. It may include recommendations, suggestions, or ideas that are not applicable to the unique conditions and operations of your business. Obtain the advice of an independent legal or business advisor in developing forms and procedures tailored to your specific business. This publication may also provide information on services and resources offered by companies wholly independent from Federated Mutual Insurance Company, Federated Service Insurance Company*, and Federated Reserve Insurance Company* (*Not licensed in all states). Federated provides its clients with access to these services with the understanding that neither Federated nor its employees provide legal or employment advice. Some services may be subject to regulations or restrictions in your state. The recommendations provided may help reduce the risk of loss, but should not be construed as eliminating any or all risk of loss nor is it an exhaustive list of all risk exposures. Qualified counsel should be sought regarding questions specific to your circumstances.

Additional Resources

  • Keeping Email Secure
  • Multifactor Authentication (MFA)
  • Employee Training

Recommended Company: KnowBe4
*Please note: Federated clients are eligible for discounted rates. Log on to mySHIELD for details or contact the Client Contact Center for assistance at 1-888-333-4949.

This blog post was provided by Federated Insurance. Federated is proud to partner with AMBA as the association’s exclusive endorsed insurance provider. Since 1904, Federated has protected businesses through valuable insurance and risk management services. Policyholders have access to a wealth of risk management resources focused on employee training, estate planning, business continuation, workplace safety, human resources, and many other loss prevention topics. Rated A+ (Superior) by A.M. Best Company® and recommended by hundreds of national and state associations, Federated Insurance believes its value is measured by your success.

For more information about Federated Insurance and the cost-reduction offer available to AMBA members, please contact Jon Medo at jwmedo@fedins.com