SEMA News—March 2017

BUSINESS

By Bob Corwin

Cyber Attack!

Is Your Business Covered?

What do cyber thieves want? Organized crime generally targets credit-card, bank-account and credential data.

Although cyber threats on Fortune 500 companies make headlines, victims come in all shapes and sizes. Ponemon Institute, a Michigan-based research center dedicated to research on privacy, data protection and information security, found that 51% of surveyed CEOs reported experiencing a data breach not just daily but hourly.

No business is immune. Cyber attackers prey on everyone from local stores that collect customer email addresses for promotions to car dealers that communicate with buyers via their smartphones. In the automotive aftermarket, any retailer, wholesaler or manufacturer that collects consumer credit-card and personal data is a potential target. And it doesn’t stop with consumer data. A data breach can also include employee records, social-security numbers and personal email addresses.

Outside of the well-publicized data breaches that have recently rocked large companies such as Sony, Target and Blue Cross, the Identity Theft Resource Center in San Diego, California, documented more than 761 known data breaches exposing more than 83 million records in 2014 alone. Many of these were smaller companies. The financial consequences to businesses of any size can easily run into millions of dollars.

What Hackers Want

What do cyber thieves want? Organized crime generally targets credit-card, bank-account and credential data. Nation-affiliated or client hackers are most often in search of credential and internal organizational data, along with trade secrets. Hacktivists want credentials, personal and organizational data. On the black market, a single social-security number can fetch $30, while a “full identity kit” can sell for up to $1,300. However, a cyber thief’s motivation isn’t always financial gain. They can equally be out to blackmail, embarrass or take revenge on organizations and institutions or merely disrupt them for a variety of reasons.

Think of all the places where your company and personal information resides and all the ways it can be shared or transferred in today’s connected world, and you begin to get an idea of the enormity of the risks. Moreover, every employee who uses the internet is vulnerable, therefore making your business vulnerable.

According to the Ponemon Institute, employees’ personal smartphones and tablets are the devices most susceptible to security breaches. A mobile study found that 68% of employers allow employees to use their own mobile devices at work, yet 81% had no knowledge of the regulated data that resides on those devices.

In short, many businesses fail to grasp the true risks they face, let alone take steps to protect and insure themselves against such attacks. The December 2016 edition of SEMA News offered best practices for what to do before and after the unthinkable does occur (“We’ve Been Hacked!,” p. 52). This article complements that advice with guidance on insurance against potential losses from cyber attacks.

Basically, there are three ways of mitigating the risks of cyber attacks. First, you can try to eliminate or reduce your own risk. Second, you can assume your risk and all its consequences yourself. Or third, you can adopt the practice of “transferring” your cyber risk and protecting your company assets through insurance. However, over the past several years, an increasing number of general-liability insurance carriers have come to exclude security breaches and other electronic threats that could give rise to a claim from their policies. Therefore, if you opt for insurance, it’s more important than ever to consider adding specific cyber liability coverage to your risk-management portfolio. Purchasing such data privacy coverage before disaster strikes is key to its affordability.

When approaching the insurance marketplace, keep in mind the following questions:

• Does your business store sensitive data about clients, products, personal employee information, financial data or medical information?
• Does your business use a service provider that stores any sensitive data on your behalf?
• Does your organization use computers, mobile devices and/or the internet?
• How might a breach negatively affect your business’ performance?
• Do you know the cost associated with dealing with a cyber attack?
• Do you have a preparedness plan in place?
• Do you know the regulatory, state and federal laws surrounding data breaches?

While the answers to those questions will help tailor the correct policies to your needs, the following coverages are considered essential to most cyber liability policies:

• Liability coverage for identity theft; breach of privacy; failure to protect confidential client data; and transmission of spyware, viruses and malicious code.
• Liability protection against a breach occurring through your service provider where your company is nevertheless held responsible.
• Coverage for forensic analysis, notification and call-center costs, including credit monitoring and identity-theft prevention services.
• Worldwide protection.

Note that protecting your company from third-party consumer losses is as important as first-party losses. Your direct loss of productivity, profitability, reputation, data and even costs associated with regulatory government investigation and penalties are musts to factor into any coverage you purchase.

Remember that your company’s finances and reputation are at risk when a breach occurs. Many companies assume that cyber attacks will always come from outside their organization, but they often originate within a business. What if an employee steals client information for personal benefit? What if an employee loses confidential data or turns over sensitive customer information to the wrong recipient? You need to consider these risks when seeking insurance protection, and make certain that you get all of the essential coverages in your policy.

Best-Practices Basics

Of course, insurance protection assumes that your company is applying best practices to its cyber defense. There are well over 20 methods that must be employed in this regard, but some may be admittedly beyond the in-house reach of the average company. For sophisticated IT systems, the importance of hiring consultants or organizations specializing in cyber security to assist your company cannot be underestimated, since there is so much at stake. Nevertheless, there are many basics your company can start with. The cyber essentials concentrate on five key controls:

• Boundary Firewalls and Internet Gateways: These are devices designed to prevent unauthorized access to or from private networks. Note that proper setup of these devices, either in hardware or software form, is important for them to be fully effective.
• Secure Configuration: Ensuring that systems are configured in the most secure way for the needs of the organization.
• Access Control: Ensuring that only those who should have access to systems actually have that access at the appropriate levels.
• Malware Protection: Ensuring that virus and malware protection is installed and up-to-date.
• Patch Management: Ensuring that the latest supported versions of applications are used and all of the necessary patches supplied by the vendor have been applied.

When it comes to cyber attacks, the days of “it won’t happen to us” are over. Cyber crime occurs every day, and no company is immune. Of course, amid all the unabated hacks and attacks, we hear only of the data breaches but seldom of the companies that successfully defend themselves against them. There is no better time than now to update, improve and defend your company from cyber attacks—and no better time than before a data breach occurs to consider the purchase of a corporate cyber liability insurance policy. Doing so may well number your company among the unsung cyber heroes.

Bob Corwin is first vice president of Alliant Insurance Services and coordinates insurance programs on behalf of SEMA members. He can be reached at 760-304-7114 or bcorwin@alliant.com.