Cyber misconceptions

March 2019  |  SPECIAL REPORT: MANAGING RISK

Financier Worldwide Magazine

March 2019 Issue


With cyber crime constantly making headlines, some business owners are gaining awareness of the risks posed by a data breach. We typically see large companies, in the wake of a breach, paying huge sums of money, issuing public apologies and promising to make changes. Even as this happens, many businesses still think, ‘that will never happen to us’. They especially think this if their business does not work with large volumes of personally identifiable information (PII), protected health information (PHI) and payment card industry (PCI) data. A lack of understanding of existing cyber threats and associated exposures leads companies to the false conclusion that they are insulated from a cyber incident. This is far from the truth, and learning about the risks and best prevention and response measures is more important than ever before.

Companies of all sizes are at risk, including small- and medium-sized enterprises (SMEs). In reality, cyber criminals favour SMEs: they are usually less well defended and easier to exploit, so they are low-hanging fruit. The kind of information the business holds often does not even matter. Ransomware and cyber extortion, and the business interruption and digital asset damage that follow, are common consequences of a cyber attack, and none of them depends on the records the company keeps. A cyber criminal might, for instance, encrypt essential company documents and threaten to destroy or publicly release them unless the company pays a ransom. When a company is attacked, the lost revenue from cyber business interruption alone can be devastating. The 2018 Cost of a Data Breach Study, conducted by the Ponemon Institute and sponsored by IBM, puts the global average cost of a data breach at $3.86m. The cost of preparing for a cyber incident pales in comparison to the cost of a breach when you are not prepared. And even if a company uses a third-party vendor for functions such as payment processing, it is not immune if an attack occurs. While services can certainly be outsourced, liability cannot. This is something many companies learn the hard way when one of their third-party vendors is hacked.

Companies that do grasp the seriousness of a cyber incident often instinctively look to cyber security as the solution. While cyber security is an important part of cyber risk management, no technology tool is a silver bullet. Instead, cyber security measures should be viewed as one component of a larger, comprehensive cyber risk management plan. This holistic approach to cyber exposures gives companies a much better chance of preventing a serious incident. And if one does occur, they will be better prepared to respond and recover.

Employee training has a huge role to play in any comprehensive cyber risk management plan. It is not enough to be compliant with PCI standards. In fact, many companies have been breached despite being PCI compliant. Target is just one prominent example: it was certified PCI compliant only a few months before a breach, discovered in late 2013, exposed 41 million customer payment card accounts. Beyond compliance, training can and should be used to educate employees about good cyber hygiene. The data we see on cyber breaches is consistent: a significant portion of cyber attacks succeed because of human error. Ninety-one percent of successful cyber breaches start with a spear phishing email, according to Trend Micro. For those attacks to succeed, an employee has to trust the malicious email and, by opening an attachment, following a link or entering credentials, unwittingly give the attacker a foothold on the network. There is a reason why so many cyber attacks start as phishing emails. They work, and they work because employees are under constant attack while lacking the skills and knowledge needed to spot a malicious email. Training goes a long way to remedying this issue. A PCI compliance certificate does nothing, by itself, to stop a phishing email, but a mandatory training course can be the difference between avoiding a cyber attack and falling victim to one.

Cyber liability insurance is as important as employee training. Because liability cannot be outsourced, companies need to protect themselves in the event of any cyber incident that can be linked back to them. The costs associated with a breach can be devastating enough to put smaller companies without insurance out of business. Cyber insurance is an important part of a cyber risk management plan because it offers benefits that can both help prevent a cyber breach from happening and limit exposure if one does occur.

Commercial general liability (CGL) insurance is something most companies have already, and some are under the impression that it is adequate for cyber. In reality, dedicated cyber policies exist precisely because CGL policies do not provide good protection against cyber incidents. Many CGL policies contain exclusions that prevent companies from being covered for a cyber breach, and the coverage that does exist was written for bodily injury, property damage and traditional 'personal and advertising injury', not for data theft. Several high-profile cases, such as the 2011 Sony PlayStation Network hack, illustrate this. Sony's insurer went to court to establish that it owed no defence under Sony's CGL policy, and the court agreed: the policy's coverage for 'publication' of private information did not apply, because the data had been published by the hackers rather than by Sony. Some CGL policies advertise cyber coverage, but this coverage is often subpar and has more to do with marketing than actual protection. A company that experiences a serious cyber breach will not find adequate cyber coverage in a CGL policy.

Companies should seek out dedicated cyber policies that have been reviewed by cyber experts. The best cyber policies will include coverage for expenses such as expert cyber legal counsel, cyber extortion, business interruption, data recovery and reputational harm. If a company is breached, it will need to hire a digital forensics team to investigate the breach and assess the damage. This is not cheap, though a good cyber insurance policy will cover it. Furthermore, virtually every jurisdiction in the US has breach notification requirements in the event of a data breach. This means companies need to notify several parties, including their customers and regulators, about the breach. Companies often underestimate this expense: they do not realise it means setting up an expensive, dedicated call centre to handle notification responsibilities. Good cyber policies cover this, too.

Determining whether or not a particular cyber policy is the right fit usually requires an expert. The language included in the policy varies from carrier to carrier, and cyber policies placed in the standard market often include inadequate coverage. CGL policies do not cut it, and the right cyber policy should be tailored to meet the specific needs of the policyholder. Consulting an expert in cyber insurance is well worth it when choosing a policy.

Cyber liability is a reality of our modern world. Just like automobile insurance became necessary when everyone began using cars to get around, cyber insurance has become essential as the world increasingly uses the internet to do business. People should look at cyber insurance as catastrophic insurance: you hope you will never have to use it, but you will really need it if something happens. And that ‘if’ only gets more likely with each passing year as cyber attacks grow in number and intensity. 2019 will likely be a record-breaking year for the global cost of cyber breaches, and while insurance is not the only solution, it certainly helps transfer financial risk and, perhaps most importantly, sets up the plan for what to do when a breach occurs.


Brian Thornton is the president of ProWriters Insurance. He can be contacted on +1 (484) 321 2335 or by email: brian.thornton@prowritersins.com.

© Financier Worldwide


©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.