Think of all the well-regarded companies you've seen named in the news, not for their products orservices, but for their alleged failure to protect the personal information of their customers.
Breaches to computer networks and the ramifications of unauthorized access to sensitive data are the key elements of cyber risk, a growing problem for businesses in many industries.
Confusion about what constitutes a cyber risk - and the myriad of coverage options for the risks associated with data/information security - present a challenge to the bottom line profit of a company. To find the appropriate risk management solution, you need to understand what a cyber exposure is, how it can give rise to loss, and what different coverage forms offer.
Simply stated, cyber exposures are directly connected to the responsibility you have for certain electronic information. The risks associated with this information being compromised or misused are myriad. These risks include personal injury, intellectual property infringement, and financial injury, as well as obligations associated with Consumer Protection and Data Privacy Regulations.
Exposures generally fall into two categories:
"Third Party" Liability - the risk of a third party claiming your business caused them damages, typically associated with the client's responsibility to protect certain private or confidential information.
"First Party" Expenses - certain expenses, other than those from a third party's claim, you may incur as a result of a cyber event. Expenses could be related to notification, credit monitoring, cyber investigation, crisis management, and data privacy regulatory expenses.
You don't inherently have a higher level of cyber risk simply because of your type of company.
In fact, your company could have a lower cyber risk than your customers. The degree of risk depends on the products and services you offer, as well as the type and amount of private and confidential information you manage, control, store, transfer, and maintain.
Evaluating the Exposure
As an insurance professional, our ability to identify cyber exposures and recommend appropriate coverage will add value as we forge long-term relationships. Asking the right questions is key to evaluating your exposure. A few simple questions can help you identify a potential cyber exposure and open an in-depth discussion.
Helping You Reduce Exposure
As youevaluate cyber risks, we can help them understand the importance of addressing the items within your control. One such item is the elimination of any unnecessary data. Even better - completely eliminate the collection of data that is not being used.
Many companies collect or maintain sensitive data without having a specific purpose for such information, increasing cyber risks without a viable business benefit. Other areas to discuss include: the tracking of sensitive information, verification information security controls, assessment and monitoring of access privileges for users including remote access, web applications review/testing, and computer systems event log monitoring.
In addition, if you have a cyber exposure, you'll want to understand the nature and costs losses that could result - and the fact that many General Liability policies don't cover them.
How are businesses faring amid ever-growing data privacy and security dangers? Massive hackings continue to make headlines. More businesses are feeling the pain of regulatory fines and penalties.
Recently, PCI Data Security Standards fines have driven some smaller operations out of business altogether.
Identifying Your Cyber Exposures
These questions can help us identify and understand your cyber risks.
1. What types of products or services do you provide? 2. Who are your direct and indirect customers? 3. What is the purpose or function of your products/services (what does the product actually do)? 4. How are third party vendors or service providers involved with your products or services? Identify the specific services provided by any third party vendors. 5. What type of sensitive information (confidential, personal, intellectual property) is associated with the product or service you sell? 6. Do you or any of your vendors have access to or control of this sensitive information at any time? If so, when? How often? How long? How much? Where? 7. How is sensitive information protected while in your possession or control? Do you utilize access restrictions, encryption, segregated storage, usage monitoring, password protection, etc.? 8. What policies are in place to ensure proper handling procedures are followed by all employees? 9. Do you collect or manage personal information of individuals other than your own employees? If so, what personal information is involved (full name with social security number, medical information, financial account information, driver’s license number, credit card information, etc.)? Could this information qualify as nonpublic personal or personally identifiable information under a Data Privacy Regulation? 10. Approximately how many individually identifiable names with related personal information are under your control? 11. How are the company’s networks and information protected? Do you utilize access restrictions, encryption, segregated storage, usage monitoring, password protection, etc.? 12. At what point do you purge personal information that is no longer needed? 13. Does a third party vendor have access, manage, store, transfer, control, or maintain any sensitive information that your company has responsibility for? If so, identify the type and amount of this information. 14. Have you reviewed the information security policies and procedures of their third party vendors to ensure sensitive information is protected at all times? 15. Have you established contractual terms (i.e. indemnification, insurance requirements, notification requirements) with the third party vendors to ensure you are protected in the event the vendor suffers a breach of sensitive information? 16. Are other contractual conditions established with the third party vendor to limit vendor’s use of your data, prohibit vendor from disclosing data to others, return or destroy your data at the completion of the contract, require vendor to comply with applicable data privacy regulations/laws, and allow you to audit the vendor’s data security procedures?
---------------------------------------------------------- ------------------------------------------------- Protecting Your Business from Cyber Threats
By Ilya Leybovich
Increasing computerization of production methods and greater reliance on digital data systems have made cyber security a significant concern for manufacturers. How can businesses deal with the new wave of cyber threats?
Incorporating information technology (IT) systems and infrastructure into day-to-day operations allows manufacturers to access and distribute data more efficiently, helping them make sound business decisions and improve their companies' competitiveness. However, the advantages conferred by networked data systems and information-sharing technology also increase the risk of data theft, hacking, virus infection and other cyber-security threats.
For this reason, companies are beefing up their digital defenses to protect themselves from the latest cyber hazards.
"In past years, plants haven't worried about cyber security because they didn't connect to the outside world," Automation World acknowledges. "New data systems have changed that for most plants. [S]oftware and devices share data, and where data is shared, there is always the possibility of a breach."
The complexity and variety of cyber-security threats can be daunting, particularly due to the rapid rate at which new risks develop as well as the increasingly sophisticated methods of cyber criminals. According to the recently released Cisco 2009 Mid-Year Security Report, cyber criminals "are aggressively collaborating, selling each other their wares and developing expertise in specific tactics and technologies. Specialization makes it tougher to shut down illegal activity, because there are many players in this ecosystem."
Loss, theft or interception of sensitive business data are some of the largest cyber threats for commercial and industrial enterprises. A study from the Ponemon Institute found that the average cost of a data breach in 2008 was $202 per customer record. The information security firm also determined that breaches lost U.S. companies an average of $6.7 million and that the expense has continued to rise, by 38 percent between 2004 and 2008.
Among the major data-breach incidents recorded in its database, the Open Security Foundation reports that 48 percent derive from businesses. Sixty-five percent of security violations are perpetrated by external sources, while 30 percent come from within the company, either accidentally or maliciously.
How can manufacturers protect their businesses from the proliferation of cyber threats?
Although there is no single comprehensive defense strategy capable of shielding every type of company, Manufacturing Business Technology recommends taking a "defense-in-depth" approach for protecting industrial assets. This method entails both physical and electronic defense layers at separate manufacturing levels coupled with effective security policies designed to meet a variety of threats.
Security policy development requires a consistent plan involving "physical and electronic procedures that define and constrain behaviors by personnel and components within the manufacturing system, " but without introducing excessive restrictions. This can mean building a resilient network infrastructure to provide information to necessary sources while limiting widespread access, or evaluating the risk potential of how data is used and deployed within the company.
Management Business Technology also suggests "computer hardening," which relies on IT best practices to shield computers from danger. The hardening process includes replacing direct Internet access with a "barrier zone" to secure shared data and service, enforcing tougher password and terminal access settings, uninstalling any components or protocols unnecessary for performing manufacturing tasks and implementing antivirus and antispyware programs.
Similarly, "controller hardening" may be used to better protect machinery and production equipment controls from tampering. This involves the use of authentication and authorization programs to verify a user's identity, electronic safety features to prevent configuration changes and physically restricting access to sensitive devices.
Depending on a business's size, however, some security measures may not be practical or even necessary. Microsoft's Small Business Center offers the following tips for small-business owners to protect themselves from cyber threats:
What to do when they receive suspicious e-mail (when in doubt, delete!);
To disconnect from the Internet when not online;
To consider the risks of file-sharing;
How to perform data back-up procedures; and
Actions to take if their computers become infected.
Regardless of a company's size or the scale of threats to which it may be exposed, implementing and maintaining a thorough cyber-security policy is a crucial step in succeeding in today's increasingly online business community.
As more organizations are realizing the value of social networks, online criminals are increasingly taking advantage of social-media networks to access and exploit businesses' vulnerabilities.The complexity and variety of cyber-security threats are daunting, particularly due to the rapid rate at which new risks develop as well as the increasingly sophisticated methods of cyber criminals. Now, we can add the most popular social-networking Web sites to the ever-evolving means of cyber crime.In its annual report on network security, Cisco Systems Inc. states that the impact of social media on network security "cannot be overstated."Social media sites, particularly Facebook, experienced explosive growth in 2009, and adoption of such resources will likely continue to grow into 2010."It is now routine for workers of all generations to interact with colleagues, customers or partners using social networks that, a few years ago, would have been populated mostly by computer users in their teens and twenties," according to the report, released this week. "In addition, it is common for workers to blend business and personal communications on these social networks, further blurring the network perimeter."Although some companies have adopted outright bans on the use of these sites in the workplace, the blurring of personal and business communications makes this strategy impractical.Likewise, the Ponemon Institute, an information-security research center, believes that social networking can be valuable. It is "a useful and powerful tool for individuals and organizations who consider their strategic value and take thoughtful, necessary precautions to their use," Susan Jayson, executive director and cofounder of the Ponemon Institute, writes at her blog.As more organizations realize the value of social networks as a business requirement, social networks increasingly become a playground for cyber criminals. This is because many members of such sites often fail to take precautions to prevent the spread of malware and computer viruses.Cisco claims that most employees have not been sufficiently taught to protect themselves from viruses and other scams that can infect corporate computer systems when other people access their personal Web pages."Without concern for their impact on information security," Jayson writes of social media sites, "companies that ignore the risks will almost certainly suffer consequences."While cyber criminals look to social media for new victims, spam remains a "tried-and-true" method for deceiving people. Cisco's annual security report estimates that worldwide spam volume next year will likely rise 30 percent to 40 percent above 2009 levels. On other cyber-crime fronts, Cisco reports that the rate of online banking fraud will continue to grow next year. According to the Computer Security Institute's (CSI) 2009 Computer Crime and Security Survey, released this week, financial fraud is consistently a highly expensive type of attack, averaging almost $450,000 in losses per organization suffering from fraud.Forbes recently noted how cyber criminals can successfully pull off major hacks against smaller companies, pointing to a small bookkeeping business run by a couple who mixed their individual and commercial accounts.The business owners took out a $50,000 line of credit with their bank, later linking it to their business checking account. Hackers tapped into their online accounts and directed that $26,500 from the credit line be placed in the business account. The intruders then transferred the assets to a bogus entity and when the owners realized the money was missing 10 days later, it was in already in an Austrian bank, which refused to return it.Says Forbes:Who foots the bill? Under federal law, losses in individuals' accounts are the banks' problem; commercial customers receive no such concessions. That might sound like a free pass for the small guy, until you consider that most businesses are run by individuals.In fact, small and medium-sized businesses (SMBs) are prime targets of cyber attacks. A 2008 McAfee study revealed that more than one-third of SMBs were attacked more than four times in the last three years. The research concluded that 28 percent of those attacked took at least a week to recover — a devastating length of time spent offline for small firms that conduct business and sales via the Web. According to the CSI's 2009 report, average losses due to security incidents were $234,244 per respondent. The survey's respondents included corporations, government agencies, financial institutions, medical institutions and other organizations throughout the United States.Last January, the Ponemon Institute reported that the expense of breaches to U.S. companies rose by 38 percent between 2004 and 2008. In 2005, the information security firm found that the average incident cost $4.45 million. Over the next three years, costs rose steadily to an average total incident cost of $6.65 million for 2008. (Ponemon's latest annual Cost of a Data Breach study will be released in the near future.) "Regardless of business size, viruses, hacker intrusions, spyware and spam can lead to lost or stolen data, computer downtime, decreased productivity, compliance issues, lost sales and even loss of reputation," the Internet Security Alliance (ISA) makes clear. "But no one-size-fits-all approach can effectively address the problem."In a report released last week, the ISA called cyber security a fundamentally economic rather than technical issue. The industry group, affiliated with Carnegie Mellon's cyber security laboratory, said that U.S. government and private businesses need to overhaul the way they look at cyber security by "effectively addressing the fragmentary and diverse nature of the technical, economic, legal and policy challenges." Resources2009 Annual Security Report Cisco Systems, Inc., Dec. 8, 2009Cisco: Social Media Newest Playground for Cybercriminals Cisco Systems, Inc., Dec. 8, 2009Social Networks Expose Lax Privacy Attitudes by Susan Jayson The Ponemon Institute, June 14, 20092009 Computer Crime and Security Survey http://www.gocsi.com/form The Computer Security Institute, Dec. 8, 2009Is Your Online Bank Account Safe? by Asher Hawkins Forbes, Oct. 29, 2009Does Size Matter? The Security Challenge of the SMB McAfee, July 2008Fourth Annual US Cost of Data Breach Study The Ponemon Institute, January 20092010 Will See Sharp Rise in Breach Costs by Mike Spinney The Ponemon Institute, Dec. 9, 2009Manufacturing Industries Cybersecurity The Internet Security AllianceImplementing the Obama Cyber Security Strategy via the ISA Social Contract Model The Internet Security Alliance, Dec. 3, 2009
Information is not an offer to sell insurance. Insurance coverage cannot be bound or changed via submission of this online form/application, email, voice mail or facsimile. No binder, insurance change, addition, and/or deletion to any insurance policy coverage goes into effect unless and until confirmed directly with a licensed agent. Note any proposal of insurance we may present to you will be based upon the values developed and exposures to loss disclosed to us on this online form/application and/or in communications with us. All coverage is subject to the terms, conditions and exclusions of the actual policy issued. Not all policies or coverage is available in every state.
Please contact our office at 918-346-6973 or 918-660-0090 to discuss specific coverage details and your insurance needs. In order to protect your privacy, p/ease do not send us your confidential personal information by unprotected email. Instead, discuss that personal information with us by phone or send by fax.
Statements on this website as to policies and coverage and other content provide general information only and we provide no warranty as to their accuracy. Clients should consult with their licensed agent as to how coverage pertains to their individual situation. Any hypertext links to other sites or vendors are provided as a convenience only. We have no control over those sites or vendors and cannot, therefore, endorse nor guarantee the accuracy of any information provided by those sites or the services provided by those vendors.
Information provided on this website does not constitute professional advice. If you have legal, tax or financial planning questions, you need to contact a qualified professional.