The Secret's Out
It’s no secret that cybercriminals use social engineering to get around technical protections and sift through bank accounts, email accounts, company databases, and other stores of sensitive data. These attacks are all too familiar. The criminals then use what they find to steal money or identities, to plan further attacks, or, when the data is compromising personal information, to attempt extortion. The financial impact alone can be devastating, before any of the other costs are factored in.
How it Happens
Here is a prime example. Cybercriminals break into someone’s email account and sift through the conversations for useful details: due dates on project payments or bills, amounts owed, and the specifics of each discussion. Armed with that information, they can pose as a trusted person making a legitimate request. They often add fear to the mix, pressing the recipient “to act immediately” to avoid consequences for the company: “We see you have an outstanding invoice; we are going to penalize you,” or threats of costly delays or restrictions.
Earlier this year, a company fell victim to exactly this type of attack and was pressured into sending $1.75 million to cybercriminals. During a large construction project, the company was contacted by its “general contractor,” who expressed concern that the last two monthly payments had been missed. The staff member overseeing the project was shocked; the company was diligent about paying its bills on time and even had proof of the payments. FBI investigators later found that the hackers had broken into the company’s email system and were able to pose convincingly as the general contractor requesting payment. In the course of that exchange, the hackers told the staff member that the contractor’s bank routing and account numbers had changed, and the money was sent to the criminals’ account instead of to the real general contractor.
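The control that stops the wire in a story like the one above is an out-of-band check on any change to a vendor’s bank details, confirmed by calling a number already on file rather than one supplied in the email. Here is a small Python pre-payment check that applies those rules to three sample messages. It is an added example, not code from the original post or from Enable; the vendor record, the messages, and every name, domain, and number in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vendor:
    """Vendor master record. All values are constructed sample data."""
    name: str
    domain: str          # domain the vendor legitimately mails from
    routing: str
    account: str
    phone_on_file: str   # captured at onboarding, never taken from an e-mail


@dataclass(frozen=True)
class PaymentRequest:
    """The parts of an incoming e-mail that matter for this check."""
    from_addr: str
    reply_to: str        # "" when the header is absent
    subject: str
    body: str
    routing: str         # bank details the message asks you to pay to
    account: str


# Pressure phrasing typical of the "act immediately" tactic described above.
URGENCY = re.compile(r"\b(immediately|urgent\w*|penalt\w*|past due|final notice)\b", re.I)
# A phone number inside the message: attackers supply their own "confirmation" line.
PHONE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def review_request(req: PaymentRequest, vendor: Vendor) -> Tuple[str, List[str]]:
    """Return ('pay' | 'hold', reasons).

    'hold' means funds are not released until the request is confirmed by
    calling vendor.phone_on_file. Hard findings force a hold; soft findings
    are recorded for the reviewer but do not by themselves block a payment,
    since real vendors also write "past due".
    """
    hard, soft = [], []
    from_dom = _domain(req.from_addr)
    if from_dom != vendor.domain:
        hard.append(f"sender domain {from_dom!r} is not {vendor.domain!r}")
    if req.reply_to and _domain(req.reply_to) != from_dom:
        hard.append(f"Reply-To diverts replies to {_domain(req.reply_to)!r}")
    if (req.routing, req.account) != (vendor.routing, vendor.account):
        hard.append("bank details differ from the vendor master record")
    if URGENCY.search(f"{req.subject} {req.body}"):
        soft.append("pressure language urging immediate action")
    if PHONE.search(req.body):
        soft.append("message supplies its own 'confirmation' phone number")
    return ("hold" if hard else "pay"), hard + soft


def apply_bank_change(req: PaymentRequest, vendor: Vendor, callback_number: str) -> Vendor:
    """Update the master record only after a call-back to the number on file.

    The number must come from the existing record; a number read out of the
    e-mail reaches the attacker, so it is refused.
    """
    if callback_number != vendor.phone_on_file:
        raise ValueError("confirm via the phone number on file, not one from the message")
    return Vendor(vendor.name, vendor.domain, req.routing, req.account, vendor.phone_on_file)


# --- constructed sample data (not from any real case) ---------------------
CONTRACTOR = Vendor("Acme General Contracting", "acme-gc.example",
                    "021000021", "123456789", "+1-555-0100")

LEGIT = PaymentRequest(
    "billing@acme-gc.example", "", "Invoice 1042 - March draw",
    "Attached is the March progress billing.", "021000021", "123456789")

# Mailbox-compromise case, as in the story above: the mail really comes from
# the contractor's domain; only the bank details and the tone are wrong.
COMPROMISED = PaymentRequest(
    "billing@acme-gc.example", "", "URGENT: two missed payments and new banking",
    "We show the last two monthly payments missing. Our bank has changed; remit "
    "immediately to the account below or penalties apply. Questions? Call 212-555-0199.",
    "026009593", "987654321")

# Lookalike-domain case with a Reply-To pointing somewhere else entirely.
LOOKALIKE = PaymentRequest(
    "billing@acme-qc.example", "ar@mail-acme.example", "Updated remittance details",
    "Please use our new account going forward.", "026009593", "987654321")

if __name__ == "__main__":
    for label, req in [("legit", LEGIT), ("compromised", COMPROMISED), ("lookalike", LOOKALIKE)]:
        decision, reasons = review_request(req, CONTRACTOR)
        print(f"{label}: {decision} {reasons}")
```

The point of the second sample is that a compromised mailbox passes every sender check: the mail genuinely comes from the contractor’s domain. Only the rule that a changed routing or account number always holds the payment until someone calls the number already on file catches it, which is why that rule is a hard finding and the tone and phone-number checks are merely noted.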
Unfortunately, most general liability and professional liability policies do not cover this type of loss.
This is why you need Cyber Insurance.
Cyber insurance, also known as cyber risk insurance or cyber liability insurance, is a policy designed to help an organization limit its exposure by covering the costs of recovering from a security breach or similar cyber event. The incidents such policies typically address include malware, ransomware, distributed denial-of-service (DDoS) attacks and, depending on the policy form, fraudulent funds transfers like the one described above.
Does My Company Need Cyber Insurance?
Most likely, yes.
Cybercrime is on the rise, and the number of security incidents is increasing rapidly. As companies adopt more applications, devices, and other technology tools and services, their exposure to attack grows with them. Just as businesses insure against business problems, physical risks, and natural disasters, they need coverage for cyber-attacks as well. If you are like many companies, your General Liability and Professional Liability policies most likely do not address your cyber risk at all.
In this Enable blog, we have covered dozens of ways to protect you, your systems, and your data. If carried out thoroughly, measures such as multi-factor authentication, password management, security training for staff, enforcement of security policies, email security practices, business continuity planning, managed firewalls, disk encryption, consistent patching, and sophisticated SIEM tools can all greatly reduce the chances of your company falling victim to the attacks we have been discussing. Nonetheless, in the ever-growing world of cybercrime in which we all now operate, we believe companies should weigh the available cyber insurance options carefully.
Some Practical Considerations
Most insurance providers can tailor a policy to your organization’s needs and size. Common coverage components include:
- Theft and fraud – Covers loss of the policyholder’s data as the result of a criminal or fraudulent cyber event, including theft and fraudulent transfer of funds.
- Forensic Investigation – Covers the legal, technical, or forensic services needed to assess whether a cyber-attack has occurred, determine its impact, and stop it.
- Business Interruption – Covers lost income and related costs where a policyholder is unable to conduct business due to a cyber event or data loss.
- Extortion – Covers the costs of investigating threats to attack the policyholder’s systems, and extends to payments to extortionists who threaten to obtain and disclose sensitive information.
- Computer Data Loss and Restoration – Covers physical damage to, or loss of use of, computer-related assets, including the costs of retrieving and restoring data, hardware, software, or other information destroyed or damaged as the result of a cyber-attack. Read this section closely: many carriers’ policy forms carry an absolute exclusion for the replacement, reproduction, and restoration of data lost or damaged during a security breach or other error or omission.
- There are many additional coverage options as well, e.g., rogue employee coverage, privacy liability, media liability, privacy notification costs, etc. Some of these may apply to your church’s situation and some may not. Your insurance counsel should be able to guide you to the choices that make sense for your circumstances. As with all financial decisions, stewardship demands a prayerful consideration of the costs and benefits derived.
Comparing Policy Forms and What to Look Out For
- Identify your unique risks. The first step in buying cyber insurance is to understand the nature and the extent of the risks facing your organization.
- Identify the limit structure: the overall coverage limit, the aggregate policy limit, and any sub-limits imposed. Funds-transfer or social-engineering fraud, the kind of loss in the $1.75 million example above, often carries a sub-limit far below the policy limit, so check that figure specifically.
- Are data breach expenses included, and if so, are they inside or outside the policy limit? Expenses inside the limit erode what remains for other losses.
- Is there coverage for inadvertent disclosures (e.g., a lost cell phone or laptop holding unencrypted data)?
- Understand the “triggers.” It is essential to understand what activates coverage under your cyber policy.
- Is there coverage for violation of the insured’s privacy or data handling policies?
- What coverage restrictions are imposed?
- What are the proposal’s subjectivities or conditions, i.e. the underwriting requirements (such as multi-factor authentication on email and remote access) that must be met before or after the policy is bound?
- Does the application contain a warranty statement? If so, the security controls you attest to must actually be in place; an inaccurate answer can give the carrier grounds to deny a claim.
- Available risk management services: what loss prevention tools are available? Are there any fees associated with these services?