Cyber-attacks on businesses are increasing – what do you need to know to cover your business?
Okay, so not all data breaches seem as serious as the recent attack on the U.S. Government’s Office of Personnel Management – case in point the hack on Domino’s Pizza in France and Belgium in 2014. A group claimed to have broken into Domino’s customer base and announced that they had found some “juicy stuff”. Turns out that the “juicy stuff” was nothing but 600,000 customer’s pizza topping preferences. The group demanded that Dominoes pay 30,000 Euros or else they would release the information over the internet.
Domino’s refused to give the attackers a single penny at which the hackers started tweeting of the cyber-attack and writing emails to the clients telling them that they had a legitimate case against Domino’s. Turns out that the email was written in English and a majority of the readers did not pay attention.
But the incident raises questions on the importance of data that a business stores. What if a client’s preference of toppings was something else? Think of another industry.
How important are the “juicy” details of a patient’s health chart? How about the date of birth and social security number of a client in some other business?
The most obvious items that business try to protect are banking details or credit card numbers, but these are not the only vulnerability that business face. Information in any form is a risk that a company assumes when they store it. Furthermore, it isn’t only about electronic data storage that a business should be concerned about information on paper can easily be stolen.
Many business owners take cyber risk for granted as it is an unseen threat. The same was the case with the Office of Personnel Management. The breach of personnel records was not known until a vendor trying to sell their services did a security scan of their networks and found that there was malware embedded in their network. It is assumed that the malware was there for over a year.
According to recent studies by the Ponemon Institute, the average time it takes to detect an attack is 170 days. It takes on average 45 days to resolve the incident, and costs a business an average of $217 per record. To put this in further perspective, a doctor’s office typically has on average, 2,300 patient records. A data breach for that office would cost roughly about $500,000 to resolve and normally cover, among others, costs for legal counsel, notification, public relations consultants, forensics experts, a call center and credit monitoring services. Furthermore, should a business not have insurance the costs could increase to three times more to combat an incident.
Protective measures alone cannot ensure that a breach will not occur. The organizations surveyed for the Ponemon Institute study saw an average of 138 successful cyber-attacks per week. Furthermore, a business cannot function without having proper communication with its clients. Email is one of the first areas that is used to embed malware or viruses. Think of all those emails you have recently received from friends stating “Check this out” with a hyperlink. Chances are that most of those links could leave your business paralyzed without you even knowing it. The treat is real.
The basics of Cyber Insurance:
No two businesses are alike when it comes to cyber risk, therefore it is key to understand the particular threat your business faces and to ensure your cyber policy is tailored to cover those risks. Furthermore, no two cyber insurance policies are alike as there is no industry standardization on the coverage that are offered. Therefore, it is very important that you understand what coverage you are getting.
A majority of policies cover:
- Data breach/privacy crisis management: This includes expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines.
- Multimedia / Media liability: Third-party damages covered can include specific defacement of website and intellectual property rights infringement.
- Extortion liability cover: Typically, losses due to a threat of extortion, professional fees related to dealing with the extortion.
- Network security liability. Third-party damages as a result of denial of access, costs related to data on third-party suppliers and costs related to the theft of data on third-party systems.
- Business Interruption: Coverage for the time the business is unable to operate properly.
As all policies have a set of exclusions, terms and definitions. Understanding them can be very important. Additional questions to consider when shopping for a Cyber Liability Policy are:
- Is there a way to reduce the premium by putting in additional security controls?
- Will the business go through a risk review at some point and what assistance will be provided to improve the security and governance of information?
- Is this information provided in the risk review industry specific to assist you?
- What is expected of you to reduce or limit the risks?
- Do you have to use encryption on all devices? What of data stored on third party devices that are not encrypted?
- How much of a difference would a claim make to the premiums and will there be a reduction in premium for each year you do not have a claim?
- Is there coverage for malicious acts by employees?
- As it is sometimes impossible to know if you have a current breach or not, does the policy cover you for acts that have occurred and yet unknown? As not all data breaches are found immediately (the Red October Virus was found 5 years later), what about claims outside of the coverage period?
- Do you have to provide evidence of compliance of any of the laws governing data?