Protecting your organization, large or small, from cyber attacks rests to a great extent on the IT security infrastructure and processes that are in place and managed by in-house and/or outsourced IT professionals. It is interesting to note that more than half of all cyber attacks are directed at small and mid-sized businesses.
According to 451 Research, in 2019, small and medium businesses are increasing their cybersecurity budgets by 14% to better secure their data. No matter how sophisticated IT preventative measures may be, establishing a 100% secure or foolproof environment is not possible. Consequently, it is important to consider complementing your IT security with an appropriate cyber insurance policy.
The following are some of the types of questions that are typically asked with a cyber insurance application:
- What is the maximum total number of unique individual persons or organizations whose protected information could be compromised in a cyber incident… or, stored or transmitted on the applicant’s computer system or a shared computer system related to the business?
(Protected information is associated with employees, retirees, customers, partners, and others that the applicant is responsible for securing).
- Is your organization aware of any situation that could reasonably be expected to give rise to a professional, technology, or cyber incident or claim?
- Do you have third-party software protecting your network, such as antivirus, encryption, firewalls, etc.?
- Are there incident response plans for data breaches and business interruption?
- Does your organization utilize any software or hardware that has been officially retired by the manufacturer (“end of life”) and, therefore, would not be getting required software updates (patches) for known security vulnerabilities?
- Does your website, computer system, or telephone system request and capture any payment card information, medical records, or protected health information (ePHI)?
- Is your organization HIPAA compliant?
- Has legal counsel screened the applicant’s use of domain names and metatags to ensure that they do not infringe on the intellectual property of others?
- Has the organization implemented, documented, and tested backup and recovery procedures at least annually for mission-critical systems?
- Does the organization authenticate funds transfer information?
- Does the organization have a requirement for approval by more than one person to initiate a wire transfer?
Categories of cyber insurance coverage include items such as:
- Cyber incident response
- Business interruption loss
- Digital data recovery
- Network extortion
- Cyber privacy
- Electronic and social media liability
- Computer fraud
- Funds transfer fraud
- Social engineering fraud
Examples of situations where security can be breached, even with a secured infrastructure, include the following:
- Malware (malicious software) can infect systems before antivirus definitions for a new variant have been released. Such malware is often introduced into the system by unsuspecting users.
- Systems not properly backed up with a disaster recovery and business continuity (DRBC) service are at risk of permanently losing data. Even with a quality DRBC service, some data may be lost. For example, if data is backed up every hour, up to one hour of data could be lost when systems are restored to a point prior to the breach incident. This business interruption loss can be covered by a cyber insurance policy.
- Computer users can be vulnerable to scams in which executives are impersonated and an employee is asked to transfer funds electronically, such as cash, gift cards, etc. These fraudulent transactions can result in significant financial losses, which might be covered or offset by cyber insurance.
Further examples were recently published by The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), which facilitates cybersecurity information sharing, threat analysis, and incident reporting. The NJCCIC is part of the New Jersey Office of Homeland Security and Preparedness (NJOHSP). It works to make the State of New Jersey more resilient to cyber-attacks and promotes statewide awareness of local cyber threats and adoption of best practices.
In a recent bulletin, the NJCCIC highlighted a spoofed technical support webpage containing a fake toll-free number and associated links. A call to this toll-free number would connect the user to a scammer posing as a technical support representative. The user would be tricked into providing personal or financial information, or into installing malware or remote access software on their system. It is recommended that users refrain from clicking on unsolicited links and instead navigate directly to official company websites when searching for technical support contact information.
The NJCCIC recommends using strong and unique passwords, using multi-factor authentication where available, and monitoring accounts and systems.
The NJCCIC bulletin also discussed spear phishing attacks that target specific users, mostly within the financial departments of organizations. Users are scammed into executing transactions or providing data to fraudsters. As mentioned previously, the fraudsters convey a sense of urgency and make it look like the email or request has come from higher-level management. Preventive measures against these attacks include implementing email security, awareness training, and authorization processes such as multi-factor authentication and multi-party approval.
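The two payment controls the article refers to, authenticating funds transfer information against a verified record and requiring approval by more than one person (the application questions above and the preventive measures just listed), are easier to reason about as a small model. The code below is an added example written for this page, not code from the article, the NJCCIC, or any insurer; the approver names, the beneficiary record, the account reference, the threshold, and the sample requests are all constructed for illustration.

```python
"""Dual-control release check for outgoing funds transfers (illustrative)."""
from dataclasses import dataclass, field

# Constructed sample data. In practice the approver list comes from an
# identity system and beneficiary details are confirmed out-of-band (for
# example by calling a phone number already on file) before being recorded.
APPROVERS = {"alice", "bob", "carol"}
VERIFIED_BENEFICIARIES = {
    "Acme Supplies Ltd": "ACCT-0001-VERIFIED",  # constructed account reference
}
DUAL_CONTROL_THRESHOLD = 5_000  # amounts at or above this need two approvers


@dataclass
class TransferRequest:
    request_id: str
    requested_by: str
    beneficiary: str
    account: str
    amount: float
    approvals: set = field(default_factory=set)


def approve(req: TransferRequest, approver: str) -> bool:
    """Record an approval. Unknown approvers and self-approval are refused."""
    if approver not in APPROVERS:
        return False
    if approver == req.requested_by:
        return False  # the person who raised the request can never approve it
    req.approvals.add(approver)
    return True


def release_check(req: TransferRequest):
    """Return (ok, reasons). ok is True only when every control passes."""
    reasons = []
    # Control 1: the destination must match the independently verified record,
    # so a "please use our new account" email cannot redirect the payment.
    if VERIFIED_BENEFICIARIES.get(req.beneficiary) != req.account:
        reasons.append("beneficiary account does not match verified record")
    # Control 2: multi-party approval above the threshold, counting only
    # distinct authorised approvers other than the requester.
    needed = 2 if req.amount >= DUAL_CONTROL_THRESHOLD else 1
    valid = {a for a in req.approvals if a in APPROVERS and a != req.requested_by}
    if len(valid) < needed:
        reasons.append(f"{len(valid)} of {needed} required approvals present")
    return (not reasons, reasons)


def demo():
    """Run three constructed requests through the controls."""
    results = {}

    # Legitimate invoice: verified account, two distinct approvers.
    legit = TransferRequest("R1", "dave", "Acme Supplies Ltd", "ACCT-0001-VERIFIED", 12_000)
    approve(legit, "alice")
    approve(legit, "bob")
    results["legit"] = release_check(legit)

    # Impersonation attempt: "urgent, CEO says pay to this new account".
    # Even with two approvals it is blocked because the account is unverified.
    redirected = TransferRequest("R2", "dave", "Acme Supplies Ltd", "ACCT-9999-NEW", 12_000)
    approve(redirected, "alice")
    approve(redirected, "bob")
    results["redirected"] = release_check(redirected)

    # Requester tries to count their own approval: only one valid approval remains.
    self_approved = TransferRequest("R3", "alice", "Acme Supplies Ltd", "ACCT-0001-VERIFIED", 12_000)
    results["self_approve_refused"] = not approve(self_approved, "alice")
    approve(self_approved, "bob")
    results["self_approved"] = release_check(self_approved)

    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the model is that the two controls are independent: a convincing message from "management" may persuade two people to click approve, but it cannot change the verified account on file, and a single person cannot satisfy the approval count by raising and approving the same request.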
Coordinate with IT, insurance, and legal resources
A company that stores and maintains a database of personal information (such as names, addresses, Social Security numbers, or payment card details) is responsible for protecting that data. It is recommended that organizations coordinate cybersecurity preventive and response actions with their internal and external IT provider(s), insurance company, and legal counsel. Depending upon your business and industry, regulatory compliance should also be addressed – such as state financial industry regulations, ISO, HIPAA, and PCI.
The State of New York is a notable example of new regulations associated with cybersecurity.
New York State – Department of Financial Services – 23 NYCRR 500
In 2017, New York State’s Department of Financial Services (DFS) instituted Cybersecurity Requirements for Financial Services Companies in Part 500 of Title 23 of its official codes, rules, and regulations for the State. This was prompted by the exposure of regulated entities and consumers to significant financial losses, and of consumers’ private information to being revealed or stolen for illicit purposes. The regulation requires financial services companies to assess their risk profiles and design a cybersecurity program that addresses their cyber risks. Topics addressed in a cybersecurity program include policies, management oversight, vulnerability assessments, audit trails, access privileges, application security, risk assessments, personnel training, data retention, encryption, incident response, enforcement, and other factors.
Key cybersecurity questions to be addressed include:
- How often are security protections tested?
- How are breaches detected?
- Who is alerted when a breach occurs?
- Which employees are assigned to investigate and respond to a suspected or actual breach?
- When must authorities and/or customers be notified if a breach occurs?
Additional Cyber Insurance Considerations
As organizations increasingly use the Internet to conduct business transactions, they become more and more exposed to cybercrime risks. It is a fallacy to believe that cyber attacks are mostly directed at large companies or government entities. In actuality, attacks are increasing across the board. According to the National Cyber Security Alliance, over 70 percent of cyber attacks are against small businesses. Also, nearly 50 percent of small businesses have been attacked.
As mentioned earlier, your IT security, insurance, and legal protections cannot eliminate cybercrime risks. However, coordinating the activities of these groups and implementing appropriate protective measures and procedures can significantly reduce those risks.
A starting point is to create a cyber risk profile for your company. This should include identifying expenses you want to have covered by insurance in the event of an incident. Decisions need to be made in terms of what risks should be accepted or transferred. Cyber insurance policies provide a vehicle to transfer certain risks. The policies are designed to mitigate certain risks by offsetting costs associated with recovery after a damaging cybersecurity-related breach or other events. These costs are incurred as a result of forensics investigations, monetary losses, downtime, business interruption, data loss and recovery, crisis management, fines, and other factors.
Notifications of data breaches to customers and regulatory bodies may be required. Additionally, organizations may incur legal expenses associated with lawsuits and extortion associated with the unauthorized release of confidential information and intellectual property.
Many reputable insurance companies offer cyber insurance policies, although coverage varies depending upon the insurance company and the policy. Any special circumstances and policy limits should be understood, along with coverage for first and third parties.
The Federal Trade Commission provides many useful suggestions regarding the procurement of cyber insurance to protect against business losses. It emphasizes discussing with your insurance agent what policy would best fit your organization’s needs. Key elements that it suggests for coverage include:
- Data breaches, such as theft of personal information
- Cyber attacks on data held by third parties and network breaches
- Cyber attacks occurring anywhere in the world, not just in the U.S.
- Lawsuit defense expenses
Third-party cyber coverage provides protection when third parties bring a claim against your organization for:
- Payments to affected consumers
- Defamation losses
- Litigation and costs of responding to regulatory inquiries
- Other settlements and judgments
- Accounting costs
General liability insurance policies typically cover only accidents, injury, and property damage, not cyber damages. Organizations that store customer information, collect online payment information, or use the cloud should consider cyber insurance.
IT Security and Cyber Insurance are Complementary
In summary, IT security measures and cyber insurance coverage are complementary efforts to mitigate the overall risks associated with increased cyber attack activity and to protect an organization’s sensitive data. On both sides, experienced professionals should be engaged to provide the best and most sensible solutions. In the end, protective actions will not entirely eliminate cyber risks. However, thoughtful planning and implementation of high-quality IT security and cyber insurance policies will greatly mitigate those risks.