Compiled by Darby Giannone, Ph.D.
While it may seem funny that Burger King was transformed into McDonald's via a hacked Twitter account, the cyber hacking that overshadows the summit between President Obama and China's Xi Jinping is not. It is a sign of the electronic, networked times that data breaches may be the fastest growing and most financially devastating loss risk facing businesses today. While medical organizations and companies with large databases of financial and personal information are favored targets, The Hartford Financial Services Group reported that 31% of data breaches investigated in 2012 were from organizations with fewer than 100 employees.
What is a data breach? A data breach occurs when someone obtains proprietary or confidential information from your business without your knowledge or permission, whether by hacking into a computer system, stealing a laptop, smartphone, copier or scanner, or downloading information from a company server. The breach may be perpetrated by a hacker, an opportunistic thief, or an employee. Damage and access may be caused by malware such as spyware, keyloggers, and viruses spread through email, calls, text messages, or pop-up messages from what appear to be friends or legitimate sources. According to Ponemon, smaller organizations experience a higher proportion of cyber crime costs relating to viruses, worms, trojans, phishing, stolen devices and malware. Larger organizations experience a higher proportion of costs relating to malicious code, denial of service, web-based attacks, and malicious insiders.
The Ponemon Institute Research Report of 2012 documents the economic impact of cyber attacks. "The total annualized cost of cyber crime for the 2012 benchmark sample of 56 organizations ranges from a low of $1.4 million to a high of $46 million. Participating companies were asked to report what they spent and their in-house cost activities relating to cyber crimes experienced over four consecutive weeks. Once costs over the four-week period were compiled and validated, these figures were then grossed-up to present an extrapolated annualized cost." (pg. 5) When calculated according to size of business in terms of number of customers, the cost of investigating and responding to attacks, together with the resulting lawsuits and regulatory fines, averaged $1324 per customer for small businesses and $305 per customer for large businesses.
If your business collects and maintains personally identifiable information or personal health information (HIPAA & HITECH) in electronic or paper format, you are required to protect that information from unauthorized uses and from access by unauthorized users. If your business has developed systems, products and communication tools that are central to your success, there is no law requiring you to protect that information; however, loss of such information has a large impact on business stability and profitability.
Immediate steps if you believe your business is a victim of a data breach or cybercrime:
· Immediately cease all online activity
· Contact your IT administrator
· Remove the affected computer from the network and all other computer stations that may be affected
· Contact your bank to disable online access to your accounts
· Notify other business partners that may be affected
· Notify your insurance agent and insurance carrier
· File a report with the police department
Significant costs are associated with the actions required to mitigate a HIPAA/HITECH data breach:
· Notify affected parties of the breach
· Perform a forensic analysis to determine the data accessed
· Establish a call center to handle customers’ breach-related inquiries
· Implement credit monitoring services for affected parties
· Hire a public relations firm to help restore the firm’s brand and business reputation
· Pay fines assessed by governmental agencies
Businesses thinking about Cyber Liability can put safeguards in place. Insurance underwriters, who decide on policy provisions and exclusions, increasingly ask about these safeguards.
· Set standards and processes for proper data management
    - Encrypt or use other protective measures to safeguard personal information
    - Decide what type of personal data to maintain, how to store it and for how long
    - Require a strong password to protect all PCs and mobile devices that access the company system
    - Protect each individual PC with automatic updates of the operating system and applications, and with centrally updated and monitored anti-virus, anti-spyware and anti-spam software
    - Implement a secure email system
    - Limit employee use of the internet and email to company purposes and eliminate all connections to personal sites
    - Obtain secure website capability: a firewall that includes anti-virus, anti-spyware, and anti-spam services along with content filtering and intrusion prevention, detection and real-time reporting
    - Know the procedures for working with third party vendors: banks, shredding services, hardware disposal, or outsourced efficiencies such as credit card processing
    - Have a backup system that regularly retrieves data from the company server and stores it off site
    - Involve employees in creating a cyber security focused culture and periodically review procedures to evaluate and update practices
· Develop a crisis response plan
    - What to do in the event of a data breach
    - What to do in the event of a disaster that affects data storage
    - Train all employees and periodically review procedures to evaluate and update practices
Business owners generally believe that traditional insurance products (general liability, commercial property, commercial crime) provide coverage to address data breach-related exposures. This is typically not the case: traditional policies provide limited coverage for some data breach-related costs, but most do not cover all of them. Some general liability policies specifically exclude losses incurred because of the internet.
Cyber Liability Insurance is a relatively new stand-alone insurance policy that is specifically designed to provide first and third party insurance coverage for computer and Internet-related exposures and to address exposures associated with a data breach. A business will need to answer questions about loss experience, including corrective actions and damages, questions about outsourcing and third party providers, and questions about privacy controls and media liability controls. Some of the typical risk control questions a business will need to answer:
· Do you have a firewall?
· Do you have a virus protection program that is used on internet-facing and internal mail servers, desktops, and other mission critical servers?
· Do you use standard configuration for firewalls, routers, and operating systems?
· Do you have a process for managing computer accounts, including the removal of outdated access accounts in a timely fashion?
· Do you have physical security controls in place to control access to your computer systems?
· Do you have a written business continuation/disaster recovery plan that includes procedures to be followed in the event of a disruptive computer incident?
· Do you have a designated individual or group responsible for information security and compliance operations?
Typical Cyber Liability Insurance coverages can include liability insurance for:
· Security breach: Addresses the company’s liability for data breach and loss of confidential information
· Replacement or restoration of electronic data: Cost of data entry, reprogramming, and computer consultation services associated with replacing or restoring electronic data or computer programs destroyed by virus, malicious code or denial-of-service attack
· Web site publishing: Errors, misstatements, or misleading statements that infringe on copyright, trademark, trade dress, or service mark; defame a person or organization; or violate a person's right of privacy
· Programming errors and omissions: Alleged contractual negligence or if the firm’s computer system transmits a virus to a third party
· Business income and extra expense: Loss of business income generated from website or online sales due to ceasing activities because of a virus or extortion threat
· Extortion threats: A threat to introduce a virus, malicious code, or denial-of-service attack; divulge proprietary information contained in the company's system; inflict ransomware; or publish the confidential personal information of company clients
Rough Notes, www.roughnotes.com
Professional Insurance Association, www.piawest.com
Independent Insurance Agents and Brokers Association, www.independentagent.com
Ponemon Research Institute, 2012 Cost of Cyber Crime Study, USA