Cyber Liability: A BIG Risk for Small Businesses

Did you know that small businesses experience cyber incidents at roughly the same rate as drivers experience car accidents? Though most of us would never go without auto insurance, a majority of small businesses don’t have cyber liability insurance coverage. According to the 2018 Small Business Cyber Insurance and Security Spotlight Survey conducted by the Insurance Information Institute and J.D. Power:

  • 10 percent of the small businesses surveyed suffered at least one cyber incident in the prior year.
  • The average cyber-related loss was $188,400. In 2016, the average loss was $73,000.
  • Nearly 60 percent of small businesses are very concerned about cyber incidents.
  • 59 percent do not have cyber insurance coverage.

The potential impacts of a cyber incident that most concern small businesses include:

  • financial loss (47 percent);
  • information breach / theft (35 percent);
  • reputation / brand image issues (14 percent); and
  • regulatory / governance and legal issues (4 percent).

According to the survey, businesses with cyber insurance often had similar coverages, including coverage for:

There is one last thing to consider if your small business still doesn’t have cyber insurance coverage. According to the survey, 97 percent of the insured small businesses that experienced a cyber incident indicated that their cyber insurance policies adequately covered their losses. Please contact us if you would like more information about insurance specifically designed to protect against cyber threats and data security breaches.

Did you know that small businesses experience cyber incidents at roughly the same rate as drivers experience car accidents? Though most of us would never go without auto insurance, a majority of small businesses don’t have cyber liability insurance coverage. According to the 2018 Small Business Cyber Insurance and Security Spotlight Survey conducted by the Insurance Information Institute and J.D. Power:

Every Small Business Needs a Cyber Security Strategy

Did you know that more than 50 percent of small and medium-sized businesses (SMBs) experienced a cyber-attack in the previous year? Cybercriminals tend to be opportunistic. They target the unprepared. Unfortunately, far too many SMBs don’t have a plan to prevent or respond to cyber-attacks.

SMBs can significantly reduce the likelihood of falling victim to cybercriminals by preparing a cyber security strategy. Let’s look at the essential elements of an effective strategy.

Prevention. The primary goal of every cyber security strategy should be prevention. An effective prevention strategy requires:

Detection. SMBs must be able to detect cyberattacks when they happen. An effective detection strategy requires:

  • Technology. Cyberattacks are so sophisticated that SMBs need quality intrusion detection systems that are routinely updated to remain current with evolving threats.
  • Real-Time Alerts. Tracking attacks provides data that can be used to generate real-time alerts.
  • Documentation. Records make it easier to evaluate attack trends and characteristics and update strategies accordingly.

Mitigation. A rapid response to a cyberattack is critical to limiting the damage. An effective mitigation strategy includes:

  • Response Plans. Once an attack is detected, SMBs must be ready to contain, assess and respond to the threat. A response plan should specifically identify personnel and designate responsibilities in the event of an attack.
  • Periodic Evaluations. Remediation and mitigation strategies must be reviewed and updated periodically to remain current with constantly evolving cyber threats.

Insurance. Preparation is important, but it isn’t always enough. SMBs should have Cyber Perils Insurance Coverage to protect against various cyber threats and liability exposures, including the cost of complying with data breach notice laws.

Please contact us if you would like more information about insurance specifically designed to protect against cyber threats and data security breaches.

Did You Know…Data Breaches Exposed More Than 18 Million Records PER DAY?

It looks like 2018 is going to be a record year for data breaches…in a bad way. Gemalto, a global digital security provider, released its Breach Level Index for the first half of 2018. It revealed a mix of good, bad and ugly. When compared to the first half of 2017, the number of data breaches worldwide actually went down. Unfortunately, the number of lost, stolen or compromised data records went up. Now for the ugly. This number went up 72 percent!

During the first six months of 2018, there were 944 data breaches worldwide, nearly 60 percent occurred in North America. As a result of these breaches, more than 3.3 billion data records were compromised or exposed. That works out to 18.5 million records per day. Nearly three quarters of a million records per hour!

According to the Breach Level Index:

  • More than 76 percent of the records breached involved social media, including breaches at Facebook (2.1 billion records) and Twitter (336 million records).
  • Malicious outsiders caused 56 percent of the data breaches.
  • Attacks by malicious insiders fell by 60 percent.
  • 879 million data records were lost by accident.
  • Identity theft remains the leading type of data breach.
  • The number of records stolen through identity theft breaches increased by 757 percent.
  • Financial access incidents decreased in frequency but increased in severity.
  • The healthcare industry experienced the most data breaches of any industry (27 percent).
  • 20 percent of all breaches had an unknown number of compromised data records.
  • Only one percent of the compromised data records were encrypted.

Data security has become a universal concern. Every business is at risk. None are immune. This explains the growing popularity of cyber liability insurance policies. Businesses can purchase Cyber Perils coverage to protect against various cyber threats and liability exposures, including the cost of complying with data breach notice laws.

Please contact us if you would like more information about insurance specifically designed to protect against cyber threats and data security breaches.

Social Engineering Fraud: What is It?

Social Engineering Fraud is the process through trick or scheme of gaining the confidence of someone, and inducing them to part with money or something valuable. This infographic shows you what to look for and some tips to avoid Social Engineering Fraud in your business. 

Continue reading “Social Engineering Fraud: What is It?”

Yahoo Data Breach Settlement Highlights Importance of Data Security and Cyber Liability

An inconvenient truth. That’s how a growing number of us view data security breaches. There are victims and soon-to-be-victims. However, despite the seemingly endless stream of data breaches, organizations cannot afford to take a passive approach to data security and cyber threats. Just ask Yahoo!

In 2016, Yahoo announced two separate data breaches that exposed personal information of more than 1.5 billion users. At the time, Verizon Communications was in the process of buying Yahoo’s core Internet businesses. Upon learning of the data breaches, Verizon sliced $350 million off the purchase price. Then, in early March 2018, Yahoo agreed to pay $80 million to settle a breach-related securities class action lawsuit.

Data breaches have become much more than an inconvenient truth in the business world. They are a very costly reality. Fortunately, a growing number of businesses are realizing that if they don’t adapt today, they may not be around tomorrow.

Microsoft participated in a 2018 Global Cyber Risk Perception Survey that found most organizations now rank cybersecurity among their highest risk management priorities. Companies of all sizes have started to estimate the financial impact of a cyber event. According to the survey, organizations were most concerned about:

Business Interruption
Reputational Damage
Breach of Customer Information
Data / Software Damage
Extortion / Ransomware
Liability to Third Parties
Disruption / Interruption of Systems
Loss / Theft of Intellectual Property
Organizations that conducted the following cybersecurity activities were more confident in their ability to manage cyber risk.

Cybersecurity assessments
Penetration testing
Benchmarking (peers / industry-wide)
Modeling potential cyber loss scenarios
Phishing awareness training for employees
Encryption and multi-factor authentication
Reduced external system connectivity
Improved vulnerability and patch management
The survey also revealed that organizations are more confident in their ability to understand and assess cyber risk than their ability to mitigate or respond to it. Perhaps this explains why cyber liability insurance continues to play an important role in protecting against cyber liabilities. According to the survey, organizations:

increased coverage limits under existing cyber liability insurance policies;
re-structured existing cyber liability policies; or
purchased broader cyber liability insurance coverage.
Please contact us if you would like more information about insurance specifically designed to protect against cyber threats.

To receive regular insurance and risk management informational updates, please subscribe to our newsletter.

How Can You Limit the Damage Caused by Identity Theft?

What’s worse than filing your taxes? Finding out that your return was already filed and your refund check was already cashed. Yep, that’s definitely worse. Unfortunately, tax season has become the time of year when many first discover that their identities have been stolen.

According to Javelin Strategy & Research’s 2017 Identity Fraud Study, there were 15.4 million U.S. victims of identity theft in 2016, which is 16 percent higher than 2015. It was the highest rate since Javelin began tracking identity fraud in 2003.

So, what should you do if your identity has been stolen? According to the Federal Trade Commission (FTC), you must take immediate action to limit the damage.

What to do right away.

Contact the fraud department of each company (retailer, bank, etc.) where you know fraud occurred. Explain that someone stole your identity and ask them to close or freeze the accounts so no one can add new charges unless you agree. Change logins, passwords and PINS for your accounts.

Contact one of the three credit bureaus to place a free 90-day fraud alert. That company must tell the other two. A fraud alert makes it harder for someone to open new accounts in your name. When you have an alert on your report, a business must verify your identity before it issues new credit in your name.

Get your credit reports from Equifax, Experian and TransUnion. Review your reports and note any accounts or transactions you don’t recognize.

Report identity theft to the FTC. The FTC will create an Identity Theft Report and recovery plan. An identity theft report proves to businesses that someone stole your identity. It also guarantees you certain rights.

File a report with your local police department. Tell the police someone stole your identity and that you need to file a report. Ask for a copy of the police report.

What to do next.

Close new accounts. Ask the fraud department of each business where an account was opened to close the account. Request a confirmation letter and keep a record of who you contacted and when.

Remove fraudulent charges from your accounts. Let the fraud department know which charges are fraudulent and ask that they be removed from your account. Request a confirmation letter and keep a record of who you contacted and when.

Correct your credit report. Write each of the three credit bureaus. Identify what information on your report came from identity theft and ask them to block that information. You have the right to block fraudulent information so that it won’t show up on your credit report and companies can’t try to collect the debt from you. If you have an Identity Theft Report, credit bureaus must honor your request to block this information.

Consider an extended fraud alert or credit freeze. Both can help prevent further misuse of your personal information, but there are important differences between the two. For example, an extended fraud alert allows access to your credit reports as long as steps are taken to verify your identity. A credit freeze stops all access until it’s removed. Though fraud alerts are free to place and remove, there may be small fees associated with credit freezes.

Protective measures to protect against identity theft are important, but they’re not always enough. However, there is insurance that is specifically designed to protect both individuals and businesses against identity thieves and hackers. For example, identity theft coverage can help individuals cover the cost of clearing their name. Cyber Liability and Security Breach (Cyber Perils) coverage can protect businesses against various cyber threats, including the cost of complying with data breach notice laws.

Please contact us if you would like more information about insurance specifically designed to protect against identity theft.

Additional information is also available in our weekly Risk Management Newsletters.

Can Your Car Be Hacked?

Cyber threats and data security remain a big concern for individuals and businesses alike. But sometimes, the most effective cybersecurity comes down to the little things, like using strong passwords, installing security updates and keeping your car’s key fob in the freezer. Wait, what?

It’s true. Storing key fobs in a refrigerator or freezer can prevent someone from hacking into your car.

There is a developing concern that increasingly connected motor vehicles are vulnerable to cyber attacks. This concern prompted the Federal Bureau of Investigation to release a public service announcement to alert consumers about the potential cyber threats that come with increased vehicle connectivity.

Vehicle hacking occurs when someone uses a computer to gain unauthorized access to vehicle systems to retrieve driver data or manipulate vehicle functionality. Though not all hacking incidents jeopardize safety, like a hacker taking control of a vehicle, the FBI stresses the importance of taking appropriate steps to minimize risk. This means consumers must understand the ways in which their vehicles may be hacked.

Here are some vulnerabilities that can be exploited to hack a vehicle.

  • Wireless Tire Pressure Monitors. These systems are directly connected to the vehicle’s main computer and transmit wireless signals that can be intercepted by hackers.
  • Multi-Media Systems. Files downloaded and used in vehicles (music, movies, etc.) may contain viruses or malicious software (malware) that can be used by hackers to gain access.
  • In-Car Wi-Fi. Vehicles that are directly connected to the Internet can be hacked like any other device that is connected to the Internet.
  • Bluetooth. Viruses and malware can be introduced when smartphones are synced to Bluetooth capable vehicles. In addition to vehicle-specific hacks, like remotely unlocking or starting a vehicle, a hacked Bluetooth system could jeopardize the security of sensitive data stored on synced smartphones.
  • Navigation Systems. Internet connections and outside networks used by in-car navigation systems can give hackers access to a vehicle’s controller network or stored data.
  • Key Fobs. Keyless entry and start systems continuously transmit random codes between a fob and the vehicle. These transmissions can be intercepted and hacked. The random codes that are constantly being transmitted by fobs can be blocked by storing the fob in a metal drawer, refrigerator or freezer.

Here are some tips that can help minimize the risk of vehicle hacking.

  • Keep the vehicle’s software current. Routinely check for (and install) new security updates. The FBI cautions that hackers may send socially engineered e-mail messages to vehicle owners who are looking for legitimate software updates. These messages may include links to malicious web sites or attachments containing malware.
  • Be careful when modifying a vehicle’s software. According to the FBI, improper software modifications or adjustments can introduce new vulnerabilities that may be exploited by hackers. They can also affect the installation of authorized software updates.
  • Exercise discretion when connecting third-party devices to a vehicle. Modern vehicles have standardized diagnostics ports (OBD-II) that directly connect to a vehicle’s computer systems. These ports have traditionally been used by maintenance and service technicians. However, third-party devices, such as insurance dongles and telematic monitoring tools, are increasingly being connected to these ports. The FBI cautions that the security of these devices is important because they can provide a new means of access for hackers.
  • Exercise discretion when giving others physical access to a vehicle. The FBI advises that vehicles, like personal computers or smartphones, should not be left in unsecure locations or with people who are not trusted.

When protective measures are not enough, it helps to have insurance coverage that is specifically designed to protect both individuals and businesses that have been victimized by hackers. For example, identity theft coverage can help individuals cover the cost of clearing their name. Businesses can rely on Cyber Liability and Security Breach (Cyber Perils) coverage to protect against various cyber threats, including the cost of complying with data breach notice laws.

Please contact us if you would like more information about insurance specifically designed to protect against cyber threats.

Additional information is also available in our weekly Risk Management Newsletters.

Don’t Lose Sight of Security Among the Internet of Things

Did you know that there will be nearly 21 billion devices connected to the Internet by 2020?

According to Gartner, an information technology research company, 5.5 million new devices are connecting every day. This rapidly growing network of Internet-enabled physical devices capable connecting, communicating and identifying with other devices is commonly referred to as the Internet of Things. Not surprisingly, businesses are looking for ways to harness its power and potential. Unfortunately, hackers are too.

The Internet of Things adds a new security dimension that businesses must consider. A single insecure connection could expose not only sensitive information transmitted by a device, but everything else on a business’s network. Though there isn’t a one-size-fits-all approach, the Federal Trade Commission has identified various security measures that businesses can generally adopt to help minimize the risks created by the Internet of Things.

Encourage a culture of security. Designate senior executives who are responsible for security. Since most security breaches are avoidable, train staff to recognize and report vulnerabilities. Address security expectations and requirements in contracts with service providers.

Adopt a risk-based approach. Direct attention and allocate resources to protect network connections that are most vulnerable and sensitive information.

Consider (and reconsider) the need to collect or retain sensitive information. Steps must be taken to protect sensitive information that is collected and retained out of business necessity. Unnecessary sensitive information should not be collected or retained at all.

Manage passwords.Implement an effective way to manage passwords. Do not rely on default passwords.

Take advantage of readily available security tools.There’s a tool out there for a number of basic security testing tasks, such as scanning networks for open ports, reverse engineering of programming code or decompiling, checking password strength and scanning for known vulnerabilities. Many of these tools are free, and some of them work automatically.

Protect interfaces between devices and servers. Weaknesses are often found at the point where a device communicates with servers. The interface between a mobile device and the cloud, for example, could create an opening for hackers to access an entire network. There are a number of ways to test entry points for weaknesses. “Fuzzing” is a method that sends a device or system unexpected input data to detect possible defects. Businesses should use manual and automated tools to test interfaces.

Limit permissions. Access to sensitive information should be limited to only those who actually need it. Limiting access to the lowest level that will allow for normal functioning is known as the principle of least privilege. To maximize effectiveness, permission limits must strike a balance between utility and security.

Utilize encryption. Standard encryption techniques are available to protect sensitive data that is stored on devices and transmitted to networks. Not all encryption is created equal, so stronger encryption methods should be selected over weaker ones.

Emphasize authentication. Security starts by making sure people are who they say they are. The importance of proper authentication has magnified the Internet of Things. An authentication failure involving a single connected device could expose the entire network to which the device connected. Depending on the nature of a business or its sensitive information, additional authentication measures may be necessary. For example, a two-factor authentication process that requires a password and a secure token.

Finally, businesses must remember that data security is a dynamic process that requires constant attention and frequent adjustments. Since hackers are constantly adapting, so must security measures. Nevertheless, it’s impossible to protect against every cyber threat or prevent every data breach, so business should seriously consider Cyber Liability Insurance. Unlike traditional business insurance policies, Cyber Liability and Security Breach (Cyber Perils) Insurance policies protect against privacy injuries, such as identity theft, and cover the cost of complying with data breach notice laws.

Given the complexity of the risk and the absence of one-size-fits-all coverage, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained. Please contact us if you would like more information about insurance specifically designed to protect against cyber threats.

Additional information is also available in our weekly Risk Management Newsletters.

Best Practices for Avoiding (Most) Data Security Breaches

Did you know that 93% of data breaches could have been avoided? Everyone should be interested in this somewhat shocking statistic because cyber threats and data security remain primary concerns among virtually every organization, regardless of size, industry or purpose. It’s true that some cyber threats simply cannot be avoided, which is why businesses should do everything in their power to avoid those that can.

The first step is recognizing and addressing some of the more common avoidable causes of security breaches and data loss. According to the Online Trust Alliance, these include:

  • Employee errors (lost data, files, drives or devices and improper disposal);
  • Accidental disclosures (via email and public postings);
  • Business Email Compromises (socially engineered exploits like phishing and whaling);
  • Unencrypted data and disclosed keys;
  • Improperly configured systems, networks and devices;
  • Failing to update or patch systems against known vulnerabilities; and
  • Using end of life devices, operating systems and applications.

The next step is implementing security processes and procedures. When it comes to defending against cyber threats and ensuring data security, business-specific circumstances and operations typically determine which essential preventative measures are most likely to be effective. Nevertheless, there are various baseline security best practices recommended by the Online Trust Alliance that most businesses can easily implement and manage, such as:

  • Encrypting data at rest, in storage and in transit. Without the corresponding cryptographic keys, encryption renders data useless to hackers. It may also exempt businesses from having to comply with various state data breach notification laws.
  • Managing passwords. Use password managers to generate and store passwords. Multi-factor authentication (smartcards and PINs in addition to passwords) can also be required to access sensitive information or accounts.
  • Adopting the least-privilege user account (LUA) strategy. User accounts should be given the least amount of privilege (access) required to perform their necessary functions.
  • Auditing security measures. Periodically conduct penetration tests and vulnerability scans to identify and mitigate vulnerabilities.
  • Monitoring emails. Require email authentication of all inbound and outbound mail servers to detect malicious and spoofed emails.
  • Managing mobile devices. Require authentication to unlock devices, lock out devices after numerous failed login attempts, encrypt communications and storage, and enable remote wiping of mobile devices that are lost or stolen.
  • Managing wireless networks. Only authorized wireless devices should be given network access. “Guest” network access should be kept on separate servers.
  • Implementing a data breach response plan. Conduct a post-mortem after every incident and make necessary adjustments. Practice by regularly testing response plans and personnel.

Since it’s impossible to protect against every cyber threat or prevent every data breach, the final step is obtaining Cyber Liability Insurance. According to PricewaterhouseCoopers’ 2016 Global State of Information Security Survey, 59% of businesses surveyed purchased cyber security insurance to mitigate the financial impact of data breaches and cyber incidents when they do occur. Businesses are increasingly realizing that what can’t be protected or prevented must be insured.

Unlike traditional business insurance policies, Cyber Liability and Security Breach (Cyber Perils)Insurance policies protect against privacy injuries, such as identity theft, and cover the cost of complying with data breach notice laws. Given the complexity of the risk and the absence of one-size-fits-all coverage, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.

Please contact us if you would like more information about insurance specifically designed to protect against cyber threats.

Additional information is also available in our weekly Risk Management Newsletters.