Small & Medium-Sized Businesses Are Targets
With today's technology, every business is at risk of having its data breached and its intellectual property stolen, regardless of size or industry. As a result, cyber insurance has become a necessity.
Ponemon Institute's 2018 Cost of a Data Breach Study, sponsored by IBM, tracks the cost of a data breach and its primary causes. Researchers interviewed more than 2,200 IT, data protection and compliance professionals at 477 companies in 15 countries. They found that the average total cost of a data breach has risen to $3.86 million, but drops to $2.88 million for organizations that fully deploy security automation.
Notification costs in the U.S. are higher than in any other country, averaging $740,000, largely because of state and federal notification regulations. U.S. companies also had higher costs from losing customers after a breach, because U.S. customers are more aware of breaches and expect more help from the company after one occurs. https://securityintelligence.com/ponemon-cost-of-a-data-breach-2018/
According to Business News Daily, the most common attacks small-to-medium-sized businesses face are APTs (Advanced Persistent Threats), phishing campaigns, DDoS (Distributed Denial of Service), insider attacks, malware, password attacks and ransomware.
Mobile malware continues to surge.
According to the 2018 Symantec Internet Security Threat Report, new mobile malware variants increased 54% in 2017 compared with 2016. Symantec reports that while threats are increasing, the problem is made worse by the continued use of older operating systems, which no longer receive security fixes. In particular, only 20% of Android devices are running the newest major version and only 2.3% are on the latest minor release. https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf
The Alabama Data Breach Notification Act
Alabama was the last of the 50 states to enact a data breach notification law. The Alabama Data Breach Notification Act of 2018 (S.B. 318) took effect on June 1, 2018 and requires most entities, as well as their third-party agents, to notify affected individuals of a breach of their sensitive personally identifying information. That term means an individual's first name or first initial and last name in combination with at least one of the following data elements:
- Non-truncated social security number or tax ID number
- A non-truncated driver's license number, state-issued ID card number, passport number, military ID number or other unique ID number issued on a government document used to verify the identity of a specific individual
- A financial account number, including a bank account number, credit card number or debit card number, in combination with any security code, access code, password, expiration date or PIN that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account
- Any information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a healthcare professional
- An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual
- A username or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information
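The definition above is a conjunctive rule: a name plus at least one listed element, with the truncation and "in combination with" conditions attached to particular elements. That is exactly the logic a breach-scoping script has to encode when deciding which exposed records trigger a notification obligation. The following Python is an added example, not code from this article or from the statute; its field names, its masking heuristic and its sample records are assumptions for illustration, and it follows the page's reading that every element counts only in combination with a name.

```python
"""Breach-scoping helper: does a record meet the Alabama S.B. 318 definition
of "sensitive personally identifying information"?

Added example, not from the original article. Field names, the masking
heuristic and the sample records are assumptions; the statute's text governs.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    """One customer record, holding only the fields the statute cares about.
    The field names are an assumption made for this example."""
    first_name: Optional[str] = None      # full first name or first initial
    last_name: Optional[str] = None
    ssn: Optional[str] = None             # may be masked, e.g. "***-**-1234"
    tax_id: Optional[str] = None
    govt_id: Optional[str] = None         # driver's license, passport, military ID
    account_number: Optional[str] = None  # bank, credit or debit card number
    account_secret: Optional[str] = None  # CVV, PIN, expiration date or password
    medical_info: Optional[str] = None
    health_insurance_id: Optional[str] = None
    username: Optional[str] = None
    email: Optional[str] = None
    password: Optional[str] = None
    security_qa: Optional[str] = None


def _present(value: Optional[str]) -> bool:
    return bool(value and value.strip())


def _full_nine_digit(value: Optional[str]) -> bool:
    """True for an SSN or tax ID with all nine digits present (not truncated).
    A masked value such as '***-**-1234' yields only four digits."""
    return _present(value) and len(re.sub(r"\D", "", value)) == 9


def _untruncated(value: Optional[str]) -> bool:
    """Assumption for this example: an ID is truncated if it carries mask
    characters ('*' or 'X'). A real pipeline should use the masking rule its
    own systems apply."""
    return _present(value) and not re.search(r"[*X]", value)


def has_name(r: Record) -> bool:
    """'First name or first initial and last name': a single initial suffices."""
    return _present(r.first_name) and _present(r.last_name)


def sensitive_elements(r: Record) -> list[str]:
    """List every statutory data element the record carries.
    Each branch mirrors one bullet of the Act's definition."""
    found = []
    if _full_nine_digit(r.ssn) or _full_nine_digit(r.tax_id):
        found.append("ssn_or_tax_id")
    if _untruncated(r.govt_id):
        found.append("government_id")
    # An account number alone is not enough; the code needed to use it must be present too.
    if _present(r.account_number) and _present(r.account_secret):
        found.append("financial_account")
    if _present(r.medical_info):
        found.append("medical")
    if _present(r.health_insurance_id):
        found.append("health_insurance")
    # Online credentials: (username or email) together with (password or security Q&A).
    if (_present(r.username) or _present(r.email)) and (
        _present(r.password) or _present(r.security_qa)
    ):
        found.append("online_credentials")
    return found


def is_sensitive_pii(r: Record) -> bool:
    """The definition is conjunctive: a name AND at least one listed element."""
    return has_name(r) and bool(sensitive_elements(r))


def notifiable_count(records: list[Record]) -> int:
    """How many records would trigger a notification obligation if exposed."""
    return sum(1 for r in records if is_sensitive_pii(r))


# Constructed sample records for this example (not real data).
SAMPLE = [
    Record(first_name="Ada", last_name="Lovelace", ssn="123-45-6789"),   # name + full SSN
    Record(first_name="Ada", last_name="Lovelace", ssn="***-**-6789"),   # masked SSN: not sensitive
    Record(first_name="G", last_name="Hopper",
           account_number="4111111111111111", account_secret="123"),    # initial + card + CVV
    Record(first_name="Grace", last_name="Hopper",
           account_number="4111111111111111"),                          # card number only: not sensitive
    Record(email="user@example.com", password="hunter2"),               # credentials but no name
    Record(first_name="Alan", last_name="Turing", medical_info="diagnosis on file"),  # name + medical
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(is_sensitive_pii(rec), sensitive_elements(rec))
    print("records requiring notification:", notifiable_count(SAMPLE))
```

Run against a real export, the interesting cases are the negatives: a masked SSN, a card number stored without its CVV or expiration date, or credentials held without a name all fall outside the definition as the page states it, which is why a data-minimization policy (storing truncated identifiers, never storing the CVV) directly shrinks the population you would have to notify.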
Cyber Insurance is Now Widely Available
The good news is that more insurers have entered this space and they continue to do so, which helps keep premiums in check and improves coverage as each carrier tries to differentiate themselves from their competitors.
According to the 2017 U.S. Cyber Insurance Profits and Performance report, 170 U.S. insurers now write cyber insurance, compared with 140 in 2016 and 119 in 2015. According to PricewaterhouseCoopers (Insurance 2020 & beyond), cyber is the fastest-growing line in the U.S. insurance industry and will grow nearly 300% over the next two years.
Cyber losses are generally excluded from standard business insurance policies, so coverage must be obtained either as an endorsement to an existing policy or as a stand-alone (monoline) cyber policy.
The forms in a cyber insurance policy can be complex and vary widely across carriers. An experienced insurance agent can help a business navigate through the numerous cyber options and choose the most appropriate fit for them.
Coverages to Look for in a Cyber Insurance Policy:
- Legal Defense & Liability Expenses – A demand, arbitration, civil proceeding or regulatory investigation brought against the business for an actual or alleged violation of HIPAA, the HITECH Act, the Gramm-Leach-Bliley Act or any other state, federal or foreign identity theft or privacy protection statute, rule or regulation.
- Website Media Liability & Defense – Claims alleging libel, slander, defamation of character, reputational harm, violation of privacy, copyright infringement, misrepresentation or misstatement.
- Recovery of Compromised Data – Hiring a forensic IT specialist to determine how the breach happened, what data and which individuals were affected, and to restore the data.
- Business Interruption Expenses – Reimburses lost income and extra expense while operations are interrupted by an attack. Some forms also cover the loss of business from customers who leave after a breach because of lost trust; check whether yours does, and what waiting period applies before coverage begins.
- Crisis Management Expense Coverage – Costs to notify impacted individuals and to run a call center that answers their questions. Setting up a website where affected individuals can confirm the breach and find instructions is also often included.
- Fraud Response Expense – Offering credit and identity monitoring services for a year to those impacted by the breach, a way to mitigate the loss and try to restore customer confidence.
- Extortion Threat – A threat to disseminate protected data for the purpose of extorting funds.
- Social Engineering Fraud – The fraudulent transfer of funds by an employee acting in good faith on instructions received from someone who appears to have authority, such as a spoofed email from an executive or a vendor changing its bank details.
- Telecommunications Theft – A third party fraudulently using the insured's telephone services and incurring the associated charges.
- Ransomware Attack – Losses incurred when malware planted by a third-party perpetrator encrypts or locks data so the business cannot access it without paying a ransom.
- Payment Card Industry Data Security Standard (PCI DSS) – Covers the fines and assessments the card brands or acquiring bank can impose under the merchant agreement, if the contract makes the business liable for them, for non-compliance with the standard.
Developing a Cyber Risk Management Program
Most insurers will require that you have certain protocols & procedures in place to reduce your organization's cyber risk. The most basic cyber risk management program should include restricting access to sensitive information to the people who actually need it and educating employees on data privacy/security and social engineering (e.g., phishing). Strong passwords are a must. Note that the traditional rule of frequent forced password changes is no longer recommended: current NIST guidance (SP 800-63B) favors long passphrases, screening new passwords against lists of known-breached passwords, and changing a password when there is evidence it was compromised, and multi-factor authentication on email, remote access and administrative accounts does far more to stop the password attacks listed above than any complexity rule. Written document protection/encryption policies & procedures, as well as document retention and destruction policies, should be implemented & enforced.
Enlisting the help of an experienced IT consultant is a key component of a cyber risk management strategy. This step should be a multi-faceted security approach that includes properly configured firewalls, intrusion detection systems, anti-virus software that is updated as soon as updates are available, timely patching of operating systems and applications, and staff training.
An often overlooked step in a cyber risk management program is checking on the adequacy of the IT security and risk management procedures of any outsourced IT services (e.g., internet service providers, hosting service providers, payment processing vendors and offsite archiving/backup providers). The contract should also say how quickly the vendor must tell you about a breach of your data, because as the data owner the notification obligation, and the clock, run against you. Obtaining a certificate of insurance evidencing that these vendors maintain sufficient insurance policies themselves is prudent.
Some insurers now offer policyholders pre-breach services to help ensure that proper security measures are in place before an incident occurs. For instance, at no additional cost Travelers offers an online tool to help spot vulnerabilities and rank cyber security compared to that of one’s business peers. They also offer a confidential one-hour cyber security consultation with a Symantec professional, a cyber security help-line, and training videos for staff.
In the event that a breach can't be prevented, a readily available recent backup can restore valuable data. To be useful against ransomware the backup must be kept offline or otherwise isolated from the production network, since malware that can reach the backup will encrypt it too, and it should be tested periodically by actually restoring from it.
Every Industry Is at Risk
We often hear clients say that they don't believe they are at risk because they don't sell goods through their website, or they don't have access to medical records; however, you don't have to be in the retail or medical industries to have exposure. Below are a few examples of claims that could occur in almost any industry:
Claim Provided by Travelers Insurance Co.: A national construction company used a third-party cloud service provider to store its customers' personal information. The cloud provider suffered a major data breach, compromising the Personally Identifiable Information of thousands of the construction company's customers in several states. As the owner of the data, the construction company had a legal obligation to provide adequate and timely notice. The Attorneys General of several states opened a regulatory investigation against the company to determine whether it had responded to the breach in accordance with the various state laws. Because the construction company had no document retention procedure and stored far more data than it needed, it was obligated to notify over 10,000 past and present customers that their data had been compromised. Additionally, it had to pay the defense costs of the regulatory investigation.
Claim Provided by Chubb Insurance Co.: A manufacturer leased a copy machine for a two-year period. During that period, the company made copies of proprietary client information and its employees' personally identifiable information, including pension account numbers, driver's license numbers and other personal identifiers. After the lease expired, the manufacturer returned the machine to the leasing company through an intermediary company. Before the machine reached the leasing company, a rogue employee at the intermediary firm accessed the machine's stored data for criminal purposes. The manufacturer incurred $75,000 in expenses for a forensic investigation, notification, identity monitoring, restoration services and independent counsel fees, plus approximately $100,000 in legal fees. Multifunction copiers and printers keep images of scanned and copied documents on an internal hard drive, so that drive should be wiped or removed before a leased machine leaves your control, and the same destruction policy should cover any other device that held sensitive data.
Although cyber risks are on the rise, Harmon Dennis Bradshaw, Inc. is here to help you procure an insurance policy that will lessen the impact a cyber-attack would have on your organization. Contact us at 1-800-239-5512.