DECEMBER 2018CIOAPPLICATIONS.COM9The final area to assess is the management team's ability to respond to an emerging risk to the environment. How quickly can it remediate once any vulnerability is known?We primarily manage response with internal resources. I think third party vendors are a valid resource when you buy a company -- you need help quickly understanding the risk of a potential acquisition. Otherwise, you have to be careful that you don't over-rely on outsiders because you think you're better protected than you actually are. Nasdaq has a 24/7, co-located security operations center with global network operations center.I think the act of buying cyber insurance is a worthwhile exercise for management to engage in and report back to the board. It is proactive and opens a healthy dialogue about the potential costs of a breach and forces a company to understand their specific types of risks from a breach. As with any type of insurance, the level of the deductible and the limitations on coverage can illuminate better uses of the funds, such as improved cyber security tools and staff. Whether the answer is more insurable or more investable in the information security function, assessing the level of insurance protection should be recurring annual process.There isn't a perfect solution, but better solutions. They may be expensive, but most companies have underinvested and they are playing catch up. We all know what we're supposed to be doing. Unmanaged assets, inventory....we were supposed to be doing this the whole time.We are unique because we're regulated and considered critical infrastructure, so Nasdaq coordinates very closely with government partners like the Department of Homeland Security, FBI and other government agencies. We also subscribe to the leading commercial threat vulnerability notification services to round out our intelligence. The long-term brand or reputation costs from a breach seem to be the most difficult to quantify and model
< Page 8 | Page 10 >