What are the reasons why you need cyber insurance?

10 Reasons Why You Need Cyber Insurance include:

  1. Complying with breach notification laws costs time and money. Remember, these laws apply where your customer is domiciled, not just where you are located.
  1. Third-party data is valuable, and you can be held liable or fined if you lose it.
  1. Data is one of your most important assets, yet it is not covered by standard property insurance policies.
  1. Systems are critical to operating your day-to-day business, but system downtime is not covered by standard business interruption insurance.
  1. Cybercrime is the fastest growing crime in the world, but most attacks are not covered by standard property or crime insurance policies. Our best techies work hard at online security, but criminals operate 24/7 and new crimes are emerging almost daily.
  1. Retailers face severe penalties if they lose credit card data. You don't have to be Target or J.P. Morgan Chase to be a target. Even small retailers often face hundreds of thousands of dollars in costs and fines.
  1. Your reputation is your number one asset, so why not insure it? If you want to safeguard your reputation in the event of a security breach, you will need a good cyber policy to fund the response.
  1. Social media usage is at an all-time high, claims are on the rise, and businesses can be held liable for the actions of their employees.
  1. Portable media devices and remote access have increased the risk of loss or theft.
  1. It is not just big business being targeted by hackers, but numerous small businesses too. The media focuses on large-scale breaches, but cyber-attacks are quickly becoming one of the greatest risks for small businesses.

How you respond to a breach will likely determine whether your business survives.

When asked what the worst thing was for him, the CIO said: "Having to walk out and face CNN and a world of reporters. It was nothing I'd ever contemplated, let alone trained for."

The City eventually recovered, but officials and employees were left with an indelible scar – from a data breach.

Data breaches and cyber-attacks are in the news on a regular basis. The latest victims include Home Depot, Community Health Systems, Apple iCloud and one of the more publicized victims, Target. These are the public companies we read about. While each of these companies will incur millions of dollars in losses (e.g., notification costs, credit monitoring costs, IT investigative costs, legal costs defending class action lawsuits and public image repair), each of them carries cyber liability insurance to help pay for the costs incurred because of a data breach. What about the small business owner running a five million dollar business? Are they being attacked? How does their business insurance program help offset losses from a data breach? Do most companies carry cyber liability insurance?

Do you?

Any business or non-profit entity storing personal information of individuals (e.g., name, date of birth, address, credit card number, email address) has the risk of being attacked and should consider a cyber-liability insurance policy. According to the Advisen Insurance Intelligence 2013 Cyber Liability survey, 52% of the 329 companies surveyed carried cyber liability insurance, an increase of 17% from the 2011 survey. Cyber-attacks are here to stay and will more than likely increase over the coming years.

At its basic form, cyber liability insurance was built to cover a business’ liability for a data breach in which the firm’s customers’ personal information, such as Social Security or credit card numbers, is exposed or stolen by a hacker or other criminal who has gained access to the firm’s electronic network. The policies cover a variety of expenses associated with data breaches, including: notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft.

There are over 30 insurance companies offering a cyber-liability insurance policy. Not all coverage forms are the same and some are better than others. It is important to review the fine print on a cyber-liability coverage form to ensure there are no surprises should a data breach occur.

Can a data breach cause severe emotional agony?

A data breach can cause severe emotional agony:

If you find yourself in the unfortunate situation of a cyber-loss, it could turn out to be a minor issue, or it could be devastating. We’ve asked people and organizations about their experiences after a cyber-breach and it’s sobering to hear their stories.

After the City of Akron, Ohio had its website hacked in May 2013, it was discovered that over 30,000 entries including names, social security numbers, addresses and phone numbers were compromised. The City's CIO and his team worked tirelessly to address the breach. It was an extremely tough period for everyone. Some felt guilty, some felt personally threatened, some were fearful for their jobs even though they had done nothing wrong. No one was prepared for the emotional turmoil; it was like being the victim of a fire or tornado.

Why are data breach limits so important?

What does it cost if your systems are breached?

According to a Ponemon Institute report, the average data breach in the U.S. costs $145 per record and the average cost per breach incident was $5.9 million. Costs vary by industry with healthcare at a whopping $359 per record and retail at $105.

If you're interested in your specific financial exposure as a result of a breach, we recommend using a Data Breach Calculator, where you can take a free assessment tailored to your operations. Time and time again, studies show that costs can be significantly reduced when prior planning is introduced. To be effective, the planning should include a strong security policy and the development of an Incident Response Plan. Organizations that invest in a Business Continuity Management team and appoint a CISO (Chief Information Security Officer) have lower breach costs.

The most effective way to reduce breach costs after discovery is an immediate and comprehensive response. Strong cyber insurance policies should include Crisis Response and hands-on claim handling.

Often, the true cost of a data breach can never be measured. For example, how do you place a value on your reputation? You know it's important, but what is it worth in dollars? Public companies that are required to disclose data breaches must also make a provision on their balance sheet, so they have some idea of the financial implication. Small businesses, on the other hand, often discover that the costs of a data breach are ruinous.

Looking for the easy answer? Transfer your potential cost, expenses and liabilities to an insurance company that has the resources to protect your business and defend your reputation.

Cyber liability insurance is becoming increasingly popular with business owners and risk managers. This type of insurance is finding its way into “Disaster Recovery Plans” similar to flood, fire and earthquake insurance. For any business storing personally identifiable information (PII) or taking credit card payments, it is important to consider the option of a cyber-liability insurance policy to cover the risk of a data breach or cyber-attack.

Do you have this risk?

What is a Third Party Liability in Cyber Insurance?

Third Party Liabilities

In these situations, the insurance company is making a payment to someone else because of damage they suffered that was in some way caused by you. Take the case of a virus that infects your email and is distributed to your entire contact list: the damage caused to the systems of those who opened your email would be a third party liability.

Examples of third party coverage options include:

  • Cyber Liability – loss arising from a hacking attack or virus that emanated from, or passed through, your computer system.
  • Privacy Liability – breach of any personally identifiable information including credit card information, personal healthcare information, and employee personal information.
  • Breach Notification Costs – if you suffer a breach that leaves one of your clients responsible for notifying all affected individuals, you can be held liable for the cost of that notification.
  • Multimedia Liability & Advertising Injury – defamation, emotional distress, intellectual property rights infringement or invasion of privacy.

What are the costs of First Parties in Cyber Insurance?

First Party Costs:

Coverage options in this section of a policy are designed to respond to losses sustained directly by the business (the first party – you). Often, when a business experiences a data breach, it also suffers loss of or damage to its internal systems. For example, if a virus infects your email and is distributed to your entire network, you could be looking at two distinct exposures. First, you could be liable for the damage caused by the virus to other networks. In addition, your internal system would need to be repaired. The repair of your internal system is referred to as a first party exposure.


Examples of first party exposures include:

  • Business Interruption and Extra Expenses – a breach occurs that causes your business a loss of income until systems are fully restored. This coverage is designed to reimburse you for your loss of income (Business Interruption) during that period of time, as well as the costs you incur (Extra Expenses) to minimize your downtime, such as the costs to repair, replace or restore your data.

  • Dependent Business Interruption – if you rely on the system of a third party to conduct your business, and you would suffer a loss of income if that system were unavailable, you might consider including this coverage in your policy. If you use a cloud-based system, check the contracts: it is unlikely the provider will pay for your loss of profits, even if they eventually restore your data and your functionality.

  • Extortion – in this situation, your data is the hostage. You receive a threat demanding payment, or your compromised data will be released.

  • Data Reconstruction & System Damage – costs you incur to retrieve, restore or replace your computer programs, systems or data.

  • Reputational Harm & Public Relations – even when a data breach causes little damage to internal systems, public knowledge of the breach can have far-reaching implications detrimental to the reputation of the business.

  • Regulatory Actions & Investigations – costs, expenses, fines and penalties resulting from a regulatory investigation.

  • Breach Notification Costs – expenses you incur to notify customers about a breach.

  • Computer Crime – this is the fastest growing law enforcement issue. Why? According to FBI Special Agent Corey Collins, "because it's easier, safer, pays better and, if caught, the penalties are significantly less." For example, walk into a bank with a gun and get away with the average heist (about $2,000) and you will do a minimum of 7 years in jail. Conversely, steal $250,000 online from the same bank and your first offense is a measly 6 months in jail.

Is there a standard Cyber Liability Policy?

There is no “standard” Cyber Liability Policy

Cyber is a whole new animal. There is no standard policy. Each company offering coverage has developed their own list of coverage options available and exclusions included, which is great for consumers because so many different options exist. However, it presents a challenge in that no standard cyber policy is available that consumers, Insurance Advisors and even court systems can use as a benchmark.

The importance of actually reading an insurance policy has never been more critical.

It’s also important to note that information provided in this eBook is current as of publication, and could become obsolete quickly. This content is not intended to be legal advice, and it should not be used as a guide to purchase a specific policy. Cyber insurance is hugely complex, and since each policy is different, only a licensed Insurance Advisor is equipped to assist you in developing the specific policy to adequately protect your business.

Cyber insurance typically reimburses the costs you incur in the event of data or information breach. Costs vary considerably depending on the circumstances, the types of perils involved, and the extent of the damage caused.

For example, having your credit card transactions skimmed for a week is vastly different from receiving a lawsuit from a competitor over comments made by an employee's family member on social media, which, interestingly, has already happened.

As mentioned previously, there are no standard cyber insurance policies. Insurers offer a wide variety of options, but each is distinct. We strongly recommend reviewing your basic exposures, as outlined below, and then matching your needs to the policy best suited for your business. A Licensed Insurance Advisor can help you with this process.

What Does Cyber Insurance Pay For?

First, it may help you to understand where we are from an insurance industry perspective. The insurance contracts (better known as the policy) in use today are largely the exact same as they were 50 years ago. Minor changes have been made over time, exclusions added for things like mold and terrorism as these risks became more apparent, but by and large, mostly unchanged. These policies have been court tested, time and time again, and nearly all insurance companies have adopted the same language as the standard in the industry.

What types of claims are occurring?

We’re often asked about the types of claims or breaches affecting businesses and while national headlines grab our attention when a major retailer like Home Depot is attacked, the truth is, there are hundreds of small businesses suffering these attacks every day.

We often don't hear about them because the amount of data stolen is not substantial compared to a Fortune 500 company.

But to the small business that suffered the breach, it is usually severe enough that they never fully recover and often have to close their doors.

  • Stolen Laptops – A regional retailer contracted with a third party service provider. A burglar stole two laptops from the service provider containing the data of over 80,000 clients of the retailer. Under the applicable notification laws, the retailer – not the service provider – was required to notify the affected individuals. Total expenses incurred for notification and crisis management alone were nearly $5,000,000.
  • Rogue Employee – An employee learns she may be terminated and, in response, steals names, addresses, social security numbers and other personal information from customer files. She sold the information to her cousin, who used the identities to fraudulently obtain credit cards. The affected individuals filed suit against the company for identity theft.
  • Small Business Hacked – A business is hacked by a local teenager who stole social security numbers and bank account data from customer files. He sold the information to a website which used it to create false identities for criminals to use. The business incurred notification and credit monitoring costs, and the legal expenses as well as the damages from the resulting lawsuits exceeded $500,000.
  • Manufacturer Duped – A manufacturer located in northeast Ohio nearly transferred $315,000 to China based solely on an email request to pay for raw materials that appeared to be legitimate. If you think this couldn't happen to you, or that you would easily uncover the fraud, you might be interested to know that the FBI released information indicating that thieves had stolen $215 million over a 14-month period using this exact scam. Certainly, the businesses that were victims thought it couldn't happen to them either.
  • Spyware Virus – A man sent an email to his ex-girlfriend hoping to monitor what she did on her computer. She opened the email on her work computer, and over the course of two weeks the spyware emailed the man more than 1,000 screenshots of confidential data on 150 customers. The business incurred notification and credit monitoring expenses for the affected customers.
  • Dumpster Diving – A woman looking for coupons in a large recycling bin found records containing social security numbers and medical histories. The papers came from a local medical office and included details about more than sixty patients, including the drugs they were taking and whether they were seeing a psychiatrist. The papers were tossed by an employee with an otherwise long and stellar service record. The incident constituted a HIPAA breach and resulted in government fines against the medical office.
  • Data Theft Extortion – A U.S.-based information technology company contracted with an overseas software vendor. The vendor left certain "administrator" defaults on the company's server, and a "hacker for hire" was paid $20,000 to exploit the weakness. The hacker demanded an extortion payment, otherwise he would post the records of millions of registered users on a blog for all to see. The extortion expenses and payments are expected to exceed $2,000,000. Do you think you would pay? If your answer is no, you might want to read up on Cyber Extortion: A Growth Industry.


Data & Information Security

The internet brings the world to our fingertips… a powerful tool capable of making our lives so much easier, creating an untold number of opportunities that would have been nearly unfathomable just twenty years ago. Unfortunately there’s a downside… too many fingertips being up to no good.

Scams, bugs, viruses, spyware, crime and cyber nuisances affect everyone, and every business.

As technology works to keep pace with increasing demands for performance and security, it's inevitable there will be hiccups and the occasional disaster.

There is much we can do to mitigate this, but perhaps just being aware of the risks is the most crucial step.

We've heard some techies say "you can't solve security with technology alone; you need people." We all need to be aware that security is a process, that a breach is inevitable, and to train so that we're ready when it occurs. We need to have an incident response plan, to understand that it is a continual process, and to make incremental improvements to our awareness and our response.

It's a joint responsibility, and a new one we're largely unprepared for because the technology is complicated and few of us are experts. But that excuse does us no good when a breach occurs, so we need to do our best to prepare now. We need to learn security protocols, develop strong passwords, and allocate the resources necessary to properly and adequately respond when the breach does occur.

Cyber insurance is just one piece of the solution.

How will I know if my company needs a vulnerability assessment?

Contact us and we will explain, in detail, why your company needs a vulnerability assessment.

Isn’t a vulnerability assessment something that only large companies can afford?

No, not really.

The cost of a vulnerability assessment depends on the scope.

Each project is different in scope and objectives, therefore, the cost varies based on how complicated the project is.

What will be delivered to me after the assessment is completed?

We provide you with the complete report of your systems and actionable suggestions. We make sure that this report is acceptable not only by the IT people but also by the executives. This way, the executives are able to decide if their spend on IT security is cost effective.

What is the difference between a vulnerability assessment and a penetration test?

The easiest way to distinguish these two tests, is by looking at the reports.

In general, a penetration test is more focused, more direct, and more detailed. A vulnerability assessment is designed to enumerate the vulnerabilities affecting your critical resources; penetration testing, by contrast, is designed to exploit those vulnerabilities as a proof of concept.

Penetration tests are intended for organizations that have developed strong information security practices over time and are ready to put their efforts to the test.

Vulnerability assessments are intended for organizations of all sizes and maturity levels and tend to be utilized more often.

What’s the best way to determine how often penetration testing is needed? Are there certain organizations or industries that should do it more often?

There’s no one best answer. Similar to the questions “How often should I exercise?”, “How often should I go for a dental cleaning?” and “How often should I change the oil in my car?” there are many variables when it comes to penetration testing.

Considerations include network complexity, how often systems and applications are changed, third party applications, updates, how well "least privilege" is enforced, budget, and so on.

What are you trying to accomplish with penetration testing? Is it to satisfy a compliance checkbox or to meet client or business partner requirements?

Our view is that it needs to be to minimize business risks.

As such, do it as often as is necessary to keep your security risks at a manageable level. Today's hackers never sleep, and the more often you pen test, the more sleep you will get.

As we have seen far too often, the "bad guys" work in teams and have no timetables, just targets. Don't become a victim.

A client needs to make sure that they are doing the proper testing: "penetration testing" in the purest sense is rarely enough.

Neither are higher-level "checklist audits".

Any company relying on "plain vanilla" vulnerability scans alone is a soft target on the path to a breach.

Companies are far better served by "security assessments" that look at the company's overall exposure, threat landscape, end points and potential attack surfaces than by limiting their tests to whatever someone asks them to do. Be proactive; again, "don't be a victim" is the mantra.

To a hacker intent on doing harm, all systems and applications are fair game for attack.

A more important question than how often you should test is whether your business is performing its security tests effectively and consistently.

The cost is minimal compared to the damage that hackers can inflict.

Can my IT staff perform a vulnerability assessment?

Yes, of course your IT staff are able to do these assessments.

However, it depends on the certifications, skills, and focus of your staff. The most common pitfall is that IT staff are too close to their own systems and too complacent about them, so they are bound to overlook their own errors; an outsider is not.

Thus, it is better to let UFI as an impartial, “third party” do the vulnerability assessment.

When testing for vulnerabilities, will it interrupt the network?

Not normally.

There is always some possibility of disruption with active testing, but we do our best to let your network run as normally as possible while we are doing the assessment.

We already had a firewall installed, do we still need a vulnerability assessment?

Firewalls are more like a “lock on the gate of our home”.

Remember though, a home has windows.

Without proper cyber security, it’s the same as leaving all of the windows open.

It is crucial to assess the controls actually in place, even though you have a firewall.

Should vulnerability assessments look at more than just external systems?

Yes.

When we talk about cyber security, it is important to take all of the organization’s technology and personnel into account.

These include internal and external hosts, network devices, commercial off-the-shelf applications, third party applications, vendors, telephones, security devices, and even the cleaning crew.

Why are vulnerability assessments important?

If you don't know where you are, a map won't help.

These assessments allow organizations to figure out exactly where they stand from a cyber security perspective.

Beyond critical information on the tactical vulnerabilities that would allow an attacker access to your most sensitive information, vulnerability assessments also help to strategically identify non-technical opportunities to enhance your information security posture.

What is vulnerability assessment?

Vulnerability assessments are security tests that aim to determine how safe your network is.

They check whether your network is susceptible to attack.

The most effective way to do it is by using a combination of manual techniques and automated vulnerability assessment software.

What is Big Data Analytics?

In security, one common approach is to apply big data analytics to discover malicious activity hidden deep in the mass of an organization's network traffic.

Big data is defined as any type of data, structured and unstructured, that can provide insight into network activity.
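What "hidden deep in the masses of network traffic" looks like in practice, as an added example that is not part of the original page: a compromised host calling home on a timer produces connections whose spacing is far more regular than human browsing. The script below groups constructed flow records (timestamp, source, destination) by host pair and flags pairs whose inter-connection intervals have a low coefficient of variation. The IP addresses are documentation ranges, the flow data is generated inline with a fixed seed, and the thresholds (at least 8 connections, CV of 0.15 or less) are assumptions to tune against your own traffic.

```python
"""Beaconing detection over flow records (added example, not from the page).

A C2 implant that checks in every N seconds shows up as a src->dst pair
whose inter-connection intervals are unusually regular; ordinary browsing
has intervals that are all over the place.
"""
import random
from collections import defaultdict
from statistics import mean, pstdev


def detect_beacons(flows, min_connections=8, max_cv=0.15):
    """Return [(src, dst, mean_interval_s, cv)] for pairs that look like beacons.

    flows: iterable of (epoch_seconds, src_ip, dst_ip)
    min_connections: pairs with fewer connections carry too little signal
    max_cv: stddev/mean of the gaps; 0 is a perfect timer, ~1 is random
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(beacons)


def sample_flows():
    """Constructed flows (assumption, not captured data): one hypothetical
    implant on 10.0.0.23 beaconing to 203.0.113.9 every ~60s with jitter,
    buried among irregular browsing traffic from two hosts."""
    rng = random.Random(7)  # fixed seed so the example is repeatable
    base = 1_700_000_000
    flows = []

    t = base
    for _ in range(20):                         # the beacon
        flows.append((t, "10.0.0.23", "203.0.113.9"))
        t += 60 + rng.uniform(-3, 3)

    t = base
    for _ in range(40):                         # a normal user browsing
        flows.append((t, "10.0.0.45", "198.51.100.7"))
        t += rng.uniform(1, 300)

    t = base
    for _ in range(15):                         # the infected host also browses
        flows.append((t, "10.0.0.23", "198.51.100.7"))
        t += rng.uniform(5, 400)

    rng.shuffle(flows)                          # arrival order is not sorted
    return flows


if __name__ == "__main__":
    for src, dst, interval, cv in detect_beacons(sample_flows()):
        print(f"beacon candidate: {src} -> {dst} every ~{interval}s (cv={cv})")
```

On real NetFlow or proxy logs the same grouping works per (src, dst, dst_port); the point is that the signal is only visible once millions of individually unremarkable records are aggregated by pair, which is why this is a "big data" problem rather than a signature problem.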

How to defend network against APT attacks?

First and foremost, take stock of the controls that already exist on the network and ensure they are both effective and well-managed.

Most enterprises already have a mixture of firewalls, intrusion detection and prevention systems (IDS/IPS), antimalware packages and other controls.

Are they audited regularly?

Do they have current signatures?

Are they consistently deployed?

Check the basics before even considering adding additional layers of defense.

What is sandboxing technology?

Sandboxing is the primary technique employed by a variety of advanced malware-detection products.

A potential malware threat is first identified using various techniques.

Network traffic analysis is used to discover potential threats on the network.

Patterns of behavior are analyzed, and suspicious files are sent to the "sandbox".

The file is then executed in a set of virtual machines running different operating systems and software versions, where its behavior is observed.

All changes made by the file are recorded, and a report is produced showing every area of the operating system and software that was changed.

Based on this report, the file can be flagged as malware.
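The record-changes-and-report step, as an added example that is not code from the original page or from any product it describes. A real sandbox detonates the sample inside a throwaway virtual machine; here the "sandbox" is a temporary directory, the "sample" is a stand-in Python callable, and the part shown is what the detection product reports on: a before/after snapshot of the file system, the diff between them, and a small set of hypothetical rules that turn that diff into a verdict. The seeded files, the two stand-in samples and the rule list are all assumptions.

```python
"""Sandbox-style change recording (added example, not from the page).

snapshot()   -> hash every file under the sandbox root
detonate()   -> seed a fresh root, snapshot, run the sample, snapshot again
diff/verdict -> report created/modified/deleted paths and apply rules
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return state


def diff_snapshots(before, after):
    """Report created, modified and deleted files between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


# Hypothetical rules: locations a benign document would never touch.
# They stand in for the persistence and tampering locations a real host has.
SUSPICIOUS_PATHS = ("etc/hosts", "startup/")


def verdict(report):
    """Return ('malware' | 'clean', [reasons]) from a change report."""
    reasons = []
    for path in report["created"] + report["modified"]:
        if any(path == s or path.startswith(s) for s in SUSPICIOUS_PATHS):
            reasons.append(f"touched {path}")
    if report["deleted"]:
        reasons.append(f"deleted {len(report['deleted'])} file(s)")
    return ("malware" if reasons else "clean"), reasons


def detonate(sample, seed_files):
    """Run sample(root) in a fresh temp directory seeded with seed_files."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in seed_files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        before = snapshot(root)
        sample(root)                      # the "detonation"
        after = snapshot(root)
    report = diff_snapshots(before, after)
    return verdict(report), report


# Constructed stand-in samples instead of real binaries.
def dropper(root):
    """Behaves like a dropper: adds a startup entry and redirects a hostname."""
    with open(os.path.join(root, "startup", "update.cmd"), "w") as fh:
        fh.write("run payload")
    with open(os.path.join(root, "etc", "hosts"), "a") as fh:
        fh.write("203.0.113.9 update.vendor.example\n")


def benign(root):
    """Behaves like a document viewer: writes only its own scratch file."""
    with open(os.path.join(root, "tmp", "doc.tmp"), "w") as fh:
        fh.write("scratch")


# Seed state for every detonation (assumed minimal "operating system").
SEED = {"etc/hosts": "127.0.0.1 localhost\n", "startup/.keep": "", "tmp/.keep": ""}

if __name__ == "__main__":
    for name, sample in (("dropper", dropper), ("benign", benign)):
        (label, reasons), report = detonate(sample, SEED)
        print(f"{name}: {label} {reasons} {report}")
```

A production sandbox records far more than file hashes (registry keys, processes spawned, network connections, mutexes), runs the sample in several OS and application versions because some malware only triggers on one of them, and has to defend against samples that detect the virtual machine and stay quiet; the diff-and-rules structure, however, is the same.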

What is an advanced persistent threat (APT)?

The threat landscape has changed irrevocably.

The primary foe of security professionals is no longer an asocial teenager basking in the glow of a monitor looking for an easy target, but rather the highly skilled technologists who are deliberately seeking treasure troves of sensitive information.

These attacks are representative of what security professionals face today.

Despite the name, "advanced persistent threat" (APT) is a fuzzy and even controversial term that refers to a style of attack rather than any specific technique.

Targeted APT attacks are waged in a one-to-one fashion by professional hackers using advanced skills.