Situation: A US mining company faced challenges with digital risk that limited their ability to increase their cyber insurance coverage. The company had 500 active users on its network and their data had grown beyond 50 terabytes spread across 35 different locations. The company lacked visibility into the types of data they were responsible for including sensitive PII/PHI data, data subject to digital privacy laws, and unused data stored beyond retention requirements. To qualify for cyber coverage with higher limits, the company needed to identify digital risk, reduce its exposure, and apply the right risk controls on the digital assets that mattered most to the organization.
Complication: In 2018, the mining company was impacted by a ransom attack. Even though they paid the ransom, the company’s operations were shut down for almost two weeks while 90% of the workforce was unable to work. When they were ransomed again in 2021, the company was forced to manually rebuild all of its critical operational systems. The struggle to use paper invoices and POs during the recovery period impacted cash flow and disrupted the business for over 2+ months.
SecondSight Solution: The mining company knew the best way to reduce their risk exposure was to first identify all the data that existed across the company, including any hidden risk stored in file shares and emails. They had a limited budget, and instead of hiring more resources to attempt this manually as a one-time project, they chose SecondSight Risk Tracker to discover all of their data and classify the risk contained within the data – autonomously.
Risk Tracker identified sensitive data stored across the company’s 35 locations, including data related to data privacy regulations. Risk Tracker confirmed that only 40% of the operational data consisted of original documents – the remaining 60% were all duplicates! In some cases, documents with highly sensitive data had 3-4 duplicate copies spread across the network. Risk Tracker also identified unused data older than 7-year data retention requirements. By leveraging Risk Tracker’s Live Digital Content Ledger with an open-source archive/purge utility, the mining company reduced their data footprint from 50 terabytes down to the 11 terabytes they needed to run the business.
Return on Investment:
As an additional benefit, Risk Tracker simplified the company’s migration to Cloud and reduced their projected annual costs by 84%! The company had budgeted $190,000 per year for cloud, but after Risk Tracker classified all the mission-critical data, sensitive data, duplicates, and old data they no longer needed, the company realized they did not need to move all 50 terabytes to their new Cloud provider. By automating data purge and archive processes, they only had 11 remaining terabytes to migrate and manage. The reduction eliminated more than $158,000 of annual costs, saving the company almost $800,000 over its 5-year business plan. Budgets were tight, but when the VP of IT presented the hard dollar savings to the CEO, the CEO agreed to allocate 50%, almost $400,000, to fund new risk controls the company needed to both prevent another breach, and to grow cyber insurance coverage to $12m. According to the VP of IT: “It was a 10-minute conversation”!
Impact on Cyber Insurance: Risk Tracker’s holistic view of digital risk provided a foundation for both risk management and accountability. This powerful combination accelerated risk remediation and guided data retention, privacy compliance, and the application of critical risk controls.
Since Risk Tracker continually monitors digital risk, the mining company worked with their broker to communicate the impact of their risk mitigation and remediation strategies to the insurance carrier. By providing ‘evidence of good digital risk behavior’, the Underwriter justified the substantial increase in cyber insurance, growing the company’s limits from $1.5M to $12M in coverage.
The mining company’s VP of IT stated: “Risk Tracker found all the sensitive PII and PHI data hidden across all 35 sites. We couldn’t believe how much duplication we had, it was everywhere. It would have been an impossible task trying to do this manually. Once everyone knew exactly what data they were responsible for, what was high risk, and what needed to be purged or archived, we saw users change their behavior. Eliminating all that risk made things a lot easier. Since we knew what data was sensitive and what was most critical to running the business, we knew exactly where to apply the right risk controls. There’s no way this would have been anywhere close to possible without SecondSight”.