Posted On 15 Oct 2020
Why you Need Cyber-security Insurance
On Wednesday, April 18th, 1906 at 5:12am the famous San Francisco earthquake hit. Over the next three days eighty percent of the city was destroyed and over three thousand people lost their lives.
Believe it or not, it was not the shaking earth that caused a majority of the property damage and death. No, surprisingly most of the damage and death over the next few days was caused by broken gas lines and the resulting major horrific fires.
What does that have to do with cyber-security or cyber liability? What are the secondary consequential costs to a cyber-security breach? What are the cyber issues that are equivalent to those broken gas lines?
Let us look at some recently published statistics:
- Sixty percent of all the cyber-attacks worldwide are directed at small to mid-size businesses according to the U.S. National Cyber Security Alliance.
- One out of five small to mid-size businesses will fall to cyber-attacks despite substantial investment in computer security. (Better Business Bureau)
- One half of all small to mid-size businesses that experience a major security breach will go out of business in six months. (U.S. National Cyber Security Alliance)
- The average cost of a cyber-security data breach is more than $650,000. (Ponemon Institute)
- This damage occurred while American companies spent 85 million dollars on cyber-security software in 2017 and the cost of cyber-security breaches were in the trillions. (IDC Cybersecurity Ventures)
Your current farm owner’s policy or business owner’s policy does not have coverage for cyberattacks. It won’t cover lost money from down time or shut down of your business. It won’t cover any stolen money or reimburse the ransom. It won’t pay any liability that you could be responsible for if the computer pirates harm a vendor or customer of yours.
There are two types of coverage available;
A. Cyber liability
- Professional errors and the risks of doing business on the internet or working with a network system.
- Data privacy wrongful acts (i.e., someone hacking in and stealing personal information).
- Network security wrongful acts (i.e., inadvertently transmitting a virus to another business).
- Content and media wrongful acts (i.e., illegally using/obtaining images or posting information on a webpage).
- Internet protocol wrongful acts (i.e., using a given address for reasons outside of business purposes).
- Personal information warfare involves computer-based attacks on data about individuals. It may involve such things as disclosing or corrupting confidential personal information, such as those in medical or credit files.
- Corporate information warfare may involve industrial espionage or disseminating misinformation about competitors over the internet.
- Global information warfare is aimed at a country’s critical computer systems. The goal is to disrupt the country by disabling infrastructure systems, such as energy, communication or transportation.
I now cover my insurance business with a Cyber Insurance Policy. The policy provides the following coverages:
- Privacy liability, including employees $1,000,000.
- Privacy regulatory claims coverage $1,000,000.
- Security breach recovery coverage $1,000,000.
- Security liability $1,000,000.
- Multimedia liability $1,000,000.
- Cyber extortion $1,000,000.
- Business income & digital asset restoration $1,000,000.
- PCI, DSS Assessment* $1,000,000. (*These are written demands received by your acquiring bank, or a credit card association for monetary fines, penalties, reimbursements or fraud recoveries)
Of course, all insurance policies will have exclusions, limits and exceptions. These is a part of every insurance policy to clearly define what is covered and will be paid for and what is not covered and won’t be paid for. The following are examples of cyber liability exclusions, but is not a complete list. (Please read your policy for a complete list.)
- Employment practices
- Failures or malfunction of satellite systems, telephone systems, wireless communications
- Fire, wind, hail, lightning, smoke, explosion (these are your basic coverages provided on a property policy)
- Express or implied breach of a contract
- The presence or contamination of, or discharge and disposal of pollutants
- The selling of securities
- Wrongful acts
- Criminal conduct
- Dishonest acts
- Intentional acts
My policy has a $2,500.00 deductible with an annual premium of $400.00. Cyber liability insurance can be an integral part of your overall strategy to protect your computer systems. Software programs and important information and data. The premium is driven by:
- Type of business
- Overall financial size of business
- Payroll and how many employees are in the business
Maintaining cyber defenses
The apparent ease with which cyber criminals are able to infiltrate and capitalize on a company’s treasure trove of information and electronic assets is stunning. The fact that it is happening with increasing frequency is reason for concern. However, each event provides cyber experts with greater insight into how to develop more robust cybersecurity measures to prevent repeat attacks. While there always will be new cyber threats to address, implementing security protocols that block the path of known cyber threats is a good start. Here are a few basic protocols to consider:
- Passwords. In addition to requiring passwords to gain access to any computer system, a strong password is necessary. Change your password immediately if you think it may have been compromised, but do not reuse a password from another account. If your company can support two-factor authentication, use it.
- Limit access to information.Chances are your company’s human resources records are off limits to most employees because of the sensitive nature of the information contained in those records. Similarly, you should limit who has access to all sensitive information.
- Encryption. Encrypting data while it is resting on your network and while in transit to third parties is an effective strategy in combating unauthorized access to that information and may serve as a safe harbor in the event that you lose control over the data in your possession.
- Monitor the flow of information.While there may be a legitimate reason for a significant uptick in the amount of data leaving the company, it also can serve as an indication of a cyber theft. Comparing the ordinary usage of employees over time will allow spikes in data transfers to stick out and trigger an investigation.
- Payment card information.While maintaining customer payment information on your computer network is a convenient way to speed up payments, it presents a risk that needs to be managed. If you can do so, avoid saving payment information on your computer system. However, if you do save this information, it needs to be encrypted and restricted to those employees who handle payments.
- Payments to third parties.Given the risks presented by social-engineering fraud, it is imperative to verify wire-transfer payment requests verbally with the third party receiving the money. Blindly issuing payment to a third party by way of a new bank account is not prudent.
- Software patches.Software can be expensive. However, using pirated software that cannot receive security patches can be more expensive than buying it in the first place. Just ask those companies affected by the WannaCry attack. Even companies that have legitimate versions of software, but do not regularly update their systems, are vulnerable to attack, so activate automatic software updates.
- Business vs. personal internet use.Internet shopping, social media and personal email accounts all present a path that cyber criminals can take to access your network. Encourage employees to segregate their internet usage and only use personal devices to conduct personal business to prevent infected, nonwork-related attachments from becoming the next attack on your network.
Having a plan to protect data and to respond to the loss of data will help your agency weather the next cyber storm. For the plan to succeed there needs to be a corporate culture of cybersecurity, education and regular reassessments of whether the plan needs to change to address new threats.
Do not hesitate to call us for more information on Cyber Insurance Coverage at (585) 589-6236 or email us at email@example.com