Understanding Cyber Liability
Think of all the well-regarded companies you've seen named in the news, not for their products or services, but for their alleged failure to protect the personal information of their customers. Breaches to computer networks and the ramifications of unauthorized access to sensitive data are the key elements of cyber risk, a growing problem for businesses in many industries.
Confusion about what constitutes a cyber risk - and the myriad of coverage options for the risks associated with data/information security - present a challenge to the bottom line profit of a company. To find the appropriate risk management solution, you need to understand what a cyber exposure is, how it can give rise to loss, and what different coverage forms offer.
Cyber Exposure
Simply stated, cyber exposures are directly connected to the responsibility you have for certain electronic information. The risks associated with this information being compromised or misused are myriad. These risks include personal injury, intellectual property infringement, and financial injury, as well as obligations associated with Consumer Protection and Data Privacy Regulations.
Exposures generally fall into two categories:
"Third Party" Liability - the risk of a third party claiming your business caused them damages, typically associated with the client's responsibility to protect certain private or confidential information.
"First Party" Expenses - certain expenses, other than those from a third party's claim, you may incur as a result of a cyber event. Expenses could be related to notification, credit monitoring, cyber investigation, crisis management, and data privacy regulatory expenses.
You don't inherently have a higher level of cyber risk simply because of your type of company. In fact, your company could have a lower cyber risk than your customers. The degree of risk depends on the products and services you offer, as well as the type and amount of private and confidential information you manage, control, store, transfer, and maintain.
Evaluating the Exposure
As insurance professionals, our ability to identify cyber exposures and recommend appropriate coverage will add value as we forge long-term relationships.
Asking the right questions is key to evaluating your exposure. A few simple questions can help you identify a potential cyber exposure and open an in-depth discussion.
Helping You Reduce Exposure
As you evaluate cyber risks, we can help you understand the importance of addressing the items within your control. One such item is the elimination of any unnecessary data. Even better - completely eliminate the collection of data that is not being used.
Many companies collect or maintain sensitive data without having a specific purpose for such information, increasing cyber risks without a viable business benefit. Other areas to discuss include: the tracking of sensitive information, verification of information security controls, assessment and monitoring of access privileges for users including remote access, web application review/testing, and computer system event log monitoring.
In addition, if you have a cyber exposure, you'll want to understand the nature and cost of the losses that could result - and the fact that many General Liability policies don't cover them.
How are businesses faring amid ever-growing data privacy and security dangers? Massive hackings continue to make headlines. More businesses are feeling the pain of regulatory fines and penalties. Recently, PCI Data Security Standards fines have driven some smaller operations out of business altogether.
Identifying Your Cyber Exposures
These questions can help us identify and understand your cyber risks.
1. What types of products or services do you provide?
2. Who are your direct and indirect customers?
3. What is the purpose or function of your products/services (what does the product actually do)?
4. How are third party vendors or service providers involved with your products or services? Identify the specific services provided by any third party vendors.
5. What type of sensitive information (confidential, personal, intellectual property) is associated with the product or service you sell?
6. Do you or any of your vendors have access to or control of this sensitive information at any time? If so, when? How often? How long? How much? Where?
7. How is sensitive information protected while in your possession or control? Do you utilize access restrictions, encryption, segregated storage, usage monitoring, password protection, etc.?
8. What policies are in place to ensure proper handling procedures are followed by all employees?
9. Do you collect or manage personal information of individuals other than your own employees? If so, what personal information is involved (full name with social security number, medical information, financial account information, driver's license number, credit card information, etc.)? Could this information qualify as nonpublic personal or personally identifiable information under a Data Privacy Regulation?
10. Approximately how many individually identifiable names with related personal information are under your control?
11. How are the company's networks and information protected? Do you utilize access restrictions, encryption, segregated storage, usage monitoring, password protection, etc.?
12. At what point do you purge personal information that is no longer needed?
13. Does a third party vendor access, manage, store, transfer, control, or maintain any sensitive information that your company has responsibility for? If so, identify the type and amount of this information.
14. Have you reviewed the information security policies and procedures of your third party vendors to ensure sensitive information is protected at all times?
15. Have you established contractual terms (e.g., indemnification, insurance requirements, notification requirements) with the third party vendors to ensure you are protected in the event the vendor suffers a breach of sensitive information?
16. Are other contractual conditions established with the third party vendor to limit the vendor's use of your data, prohibit the vendor from disclosing data to others, return or destroy your data at the completion of the contract, require the vendor to comply with applicable data privacy regulations/laws, and allow you to audit the vendor's data security procedures?
June 2011 © The Hartford
Protecting Your Business from Cyber Threats
By Ilya Leybovich
Increasing computerization of production methods and greater reliance on digital data systems have made cyber security a significant concern for manufacturers. How can businesses deal with the new wave of cyber threats?
Incorporating information technology (IT) systems and infrastructure into day-to-day operations allows manufacturers to access and distribute data more efficiently, helping them make sound business decisions and improve their companies' competitiveness. However, the advantages conferred by networked data systems and information-sharing technology also increase the risk of data theft, hacking, virus infection and other cyber-security threats.
For this reason, companies are beefing up their digital defenses to protect themselves from the latest cyber hazards.
"In past years, plants haven't worried about cyber security because they didn't connect to the outside world," Automation World acknowledges. "New data systems have changed that for most plants. [S]oftware and devices share data, and where data is shared, there is always the possibility of a breach."
The complexity and variety of cyber-security threats can be daunting, particularly due to the rapid rate at which new risks develop as well as the increasingly sophisticated methods of cyber criminals. According to the recently released Cisco 2009 Mid-Year Security Report, cyber criminals "are aggressively collaborating, selling each other their wares and developing expertise in specific tactics and technologies. Specialization makes it tougher to shut down illegal activity, because there are many players in this ecosystem."
Loss, theft or interception of sensitive business data are some of the largest cyber threats for commercial and industrial enterprises. A study from the Ponemon Institute found that the average cost of a data breach in 2008 was $202 per customer record. The information security firm also determined that breaches lost U.S. companies an average of $6.7 million and that the expense has continued to rise, by 38 percent between 2004 and 2008.
Among the major data-breach incidents recorded in its database, the Open Security Foundation reports that 48 percent derive from businesses. Sixty-five percent of security violations are perpetrated by external sources, while 30 percent come from within the company, either accidentally or maliciously.
How can manufacturers protect their businesses from the proliferation of cyber threats?
Although there is no single comprehensive defense strategy capable of shielding every type of company, Manufacturing Business Technology recommends taking a "defense-in-depth" approach for protecting industrial assets. This method entails both physical and electronic defense layers at separate manufacturing levels coupled with effective security policies designed to meet a variety of threats.
Security policy development requires a consistent plan involving "physical and electronic procedures that define and constrain behaviors by personnel and components within the manufacturing system," but without introducing excessive restrictions. This can mean building a resilient network infrastructure to provide information to necessary sources while limiting widespread access, or evaluating the risk potential of how data is used and deployed within the company.
Manufacturing Business Technology also suggests "computer hardening," which relies on IT best practices to shield computers from danger. The hardening process includes replacing direct Internet access with a "barrier zone" to secure shared data and services, enforcing tougher password and terminal access settings, uninstalling any components or protocols unnecessary for performing manufacturing tasks, and implementing antivirus and antispyware programs.
Similarly, "controller hardening" may be used to better protect machinery and production equipment controls from tampering. This involves the use of authentication and authorization programs to verify a user's identity, electronic safety features to prevent configuration changes and physically restricting access to sensitive devices.
Depending on a business's size, however, some security measures may not be practical or even necessary. Microsoft's Small Business Center offers the following tips for small-business owners to protect themselves from cyber threats:
- Set up your defenses;
- Stay abreast of the threat;
- Encrypt everything;
- Get help from your employees;
- Don't store credit card numbers;
- Buy a shredder — and use it;
- Mind your mobile devices;
- Run your updates;
- Research your Internet service provider; and
- Know what to do when it happens.
In addition, the Better Business Bureau recommends that managers tell their employees the following:
- Not to open e-mail from unknown sources;
- What to do when they receive suspicious e-mail (when in doubt, delete!);
- To disconnect from the Internet when not online;
- To consider the risks of file-sharing;
- How to perform data back-up procedures; and
- Actions to take if their computers become infected.
Regardless of a company's size or the scale of threats to which it may be exposed, implementing and maintaining a thorough cyber-security policy is a crucial step in succeeding in today's increasingly online business community.
Resources
- Cyber Security — A Must for the Smart Grid, by Rob Spiegel, Automation World, August 2009
- Cisco 2009 Mid-Year Security Report, Cisco Systems, 2009
- Fourth Annual US Cost of Data Breach Study, by Larry Ponemon, Ponemon Institute, January 2009
- Data Loss Statistics, DataLossDB (Open Security Foundation), 2009
- Remarks by the President on Securing Our Nation's Cyber Infrastructure, WhiteHouse.gov, May 29, 2009
- Securing U.S. Critical Infrastructure from Cyber Attacks, LogLogic, 2009
- Cyber Security for Industrial Assets, by Gregory Wilcox and Dan Knight, Manufacturing Business Technology, Aug. 7, 2009
- Keep Your Small Business Safe: 10 Tips, by Christopher Elliot, Microsoft Small Business Center, 2009
- Information for Businesses in the Virtual World, Council of Better Business Bureaus
Cyber Crime Hits Businesses Through Social Media
By David R. Butcher
As more organizations are realizing the value of social networks, online criminals are increasingly taking advantage of social-media networks to access and exploit businesses' vulnerabilities.
The complexity and variety of cyber-security threats are daunting, particularly due to the rapid rate at which new risks develop as well as the increasingly sophisticated methods of cyber criminals. Now, we can add the most popular social-networking Web sites to the ever-evolving means of cyber crime.
In its annual report on network security, Cisco Systems Inc. states that the impact of social media on network security "cannot be overstated." Social media sites, particularly Facebook, experienced explosive growth in 2009, and adoption of such resources will likely continue to grow into 2010.
"It is now routine for workers of all generations to interact with colleagues, customers or partners using social networks that, a few years ago, would have been populated mostly by computer users in their teens and twenties," according to the report, released this week. "In addition, it is common for workers to blend business and personal communications on these social networks, further blurring the network perimeter."
Although some companies have adopted outright bans on the use of these sites in the workplace, the blurring of personal and business communications makes this strategy impractical.
Likewise, the Ponemon Institute, an information-security research center, believes that social networking can be valuable. It is "a useful and powerful tool for individuals and organizations who consider their strategic value and take thoughtful, necessary precautions to their use," Susan Jayson, executive director and cofounder of the Ponemon Institute, writes at her blog.
As more organizations realize the value of social networks as a business requirement, social networks increasingly become a playground for cyber criminals. This is because many members of such sites often fail to take precautions to prevent the spread of malware and computer viruses. Cisco claims that most employees have not been sufficiently taught to protect themselves from viruses and other scams that can infect corporate computer systems when other people access their personal Web pages.
"Without concern for their impact on information security," Jayson writes of social media sites, "companies that ignore the risks will almost certainly suffer consequences."
While cyber criminals look to social media for new victims, spam remains a "tried-and-true" method for deceiving people. Cisco's annual security report estimates that worldwide spam volume next year will likely rise 30 percent to 40 percent above 2009 levels. On other cyber-crime fronts, Cisco reports that the rate of online banking fraud will continue to grow next year. According to the Computer Security Institute's (CSI) 2009 Computer Crime and Security Survey, released this week, financial fraud is consistently a highly expensive type of attack, averaging almost $450,000 in losses per organization suffering from fraud.
Forbes recently noted how cyber criminals can successfully pull off major hacks against smaller companies, pointing to a small bookkeeping business run by a couple who mixed their individual and commercial accounts. The business owners took out a $50,000 line of credit with their bank, later linking it to their business checking account. Hackers tapped into their online accounts and directed that $26,500 from the credit line be placed in the business account. The intruders then transferred the assets to a bogus entity, and when the owners realized the money was missing 10 days later, it was already in an Austrian bank, which refused to return it.
Says Forbes: "Who foots the bill? Under federal law, losses in individuals' accounts are the banks' problem; commercial customers receive no such concessions. That might sound like a free pass for the small guy, until you consider that most businesses are run by individuals."
In fact, small and medium-sized businesses (SMBs) are prime targets of cyber attacks. A 2008 McAfee study revealed that more than one-third of SMBs were attacked more than four times in the last three years. The research concluded that 28 percent of those attacked took at least a week to recover — a devastating length of time spent offline for small firms that conduct business and sales via the Web.
According to the CSI's 2009 report, average losses due to security incidents were $234,244 per respondent. The survey's respondents included corporations, government agencies, financial institutions, medical institutions and other organizations throughout the United States.
Last January, the Ponemon Institute reported that the expense of breaches to U.S. companies rose by 38 percent between 2004 and 2008. In 2005, the information security firm found that the average incident cost $4.45 million. Over the next three years, costs rose steadily to an average total incident cost of $6.65 million for 2008. (Ponemon's latest annual Cost of a Data Breach study will be released in the near future.)
"Regardless of business size, viruses, hacker intrusions, spyware and spam can lead to lost or stolen data, computer downtime, decreased productivity, compliance issues, lost sales and even loss of reputation," the Internet Security Alliance (ISA) makes clear. "But no one-size-fits-all approach can effectively address the problem."
In a report released last week, the ISA called cyber security a fundamentally economic rather than technical issue. The industry group, affiliated with Carnegie Mellon's cyber security laboratory, said that U.S. government and private businesses need to overhaul the way they look at cyber security by "effectively addressing the fragmentary and diverse nature of the technical, economic, legal and policy challenges."
Resources
- 2009 Annual Security Report, Cisco Systems, Inc., Dec. 8, 2009
- Cisco: Social Media Newest Playground for Cybercriminals, Cisco Systems, Inc., Dec. 8, 2009
- Social Networks Expose Lax Privacy Attitudes, by Susan Jayson, The Ponemon Institute, June 14, 2009
- 2009 Computer Crime and Security Survey, http://www.gocsi.com/form, The Computer Security Institute, Dec. 8, 2009
- Is Your Online Bank Account Safe?, by Asher Hawkins, Forbes, Oct. 29, 2009
- Does Size Matter? The Security Challenge of the SMB, McAfee, July 2008
- Fourth Annual US Cost of Data Breach Study, The Ponemon Institute, January 2009
- 2010 Will See Sharp Rise in Breach Costs, by Mike Spinney, The Ponemon Institute, Dec. 9, 2009
- Manufacturing Industries Cybersecurity, The Internet Security Alliance
- Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model, The Internet Security Alliance, Dec. 3, 2009