It’s generally a great thing that so many aspects of business are moving online, and we’re able to store more information in digital formats. But along with progress also comes increased exposure to cyber risk. It’s safe to say that in 2020, no one will be protected to the level that they don’t need cyber risk coverage as part of their business protection plan.
Taking necessary measures to protect your own proprietary business information and your employees’ private information is not enough. All the parties that you subcontract with may have granted you certain accesses to their data and vice versa, they may have information on or access to data on you and your clients that puts you as well as all the other parties at risk.
The cyber attack on Target that made headlines a few years ago is an example of one party unknowingly causing risk for another party. While internet-connected HVAC systems seemed like a revolutionary way that Target could save on energy consumption across their massive retail network, the HVAC company that Target hired for the monitoring turned out to be the reason for a breach resulting in the theft of data on an estimated 40 million debit and credit cards. By stealing log-in info that gave the HVAC company remote access into Target’s network, the thieves were able to gain access to Target’s payment systems. Thankfully, before the hackers discovered it, a smart home services provider was spared from a potentially disastrous breach of sensitive information. The provider allowed users to remotely control smart devices like light switches, outlets and video cameras without any kind of password protection to protect address and other sensitive information that could have compromised their clients’ security in many different ways.
The lessons learned from the above examples illustrate that even large enterprises often grant remote access rights to software, hardware, and numerous other vendors and external third parties without putting measures in place for ensuring that the access is properly authenticated and secured. Small local businesses are even less likely to be prepared, yet none of us are immune from attack. You likely have access to a wealth of information that hackers would love to get their hands on. You collect personal and financial data on your clients and potential clients. If you pay your vendors and suppliers online, you have information to their bank accounts and payment systems.
For adequate protection, you’ll want to find a cyber risk policy that protects you against both first-party and third-party cyber liability. Think of first-party cyber liability insurance like your property protection insurance on your office building; it protects your business against the financial and loss of business impacts of data breaches and cyber attacks. First-party cyber security claims could be filed when someone maliciously destroys your data, plants a virus on your hard drive, floods your bandwidth to cripple the business, or captures data and tries to hold it for ransom. First-party coverage also protects against accidental data loss, including employee error and things like a power surge or natural disasters that could wipe out your data. Third-party insurance is like general liability insurance covering legal expenses that could result from your firm being blamed for causing another firm’s cyber losses.
Your cyber risk coverage should include legal fees, forensics, notification and call center costs, credit monitoring fees and the possible need for public relations services. Many providers now have a specialized incident response team and experienced claims representatives. Having these individuals as an extension of your team can be invaluable. Be sure you’re working with an agent and a provider as well as an attorney that pays close attention to the changing regulatory landscape for breach notification laws.
While insurance is a vehicle for reducing your exposure to risk, the best plan of action is to avoid the potential risk in the first place. Our world is a different place than it was just a few years ago, and the hackers are getting craftier every day. I personally have a client who reported that his payroll manager received an email (which looked to have been sent directly from the CEO’s email address) asking for a wire transfer to be sent. Fortunately, she was wise enough to be suspicious about it. Credential harvesting using legit user IDs and passwords has become all too common.
We can’t anticipate everything these criminal masterminds might do next, but we can and should provide ongoing employee education about best practices. Teach your team about good password hygiene. Be sure you have data backup and software updates/patches are current.
If your employees are accessing data from a mobile device, a basic best practice would be to use encryption software on your company’s network and require that employees have their device password protected. It is equally important to ask your vendors and suppliers to attest to their company’s security measures and be prepared to provide documentation.
Cyber security isn’t just for tech companies or financial giants. It’s an essential part of any risk management strategy.
Author: Ross Conner, Partner, Hotchkiss Insurance