Tailoring a Cyber Policy to Your Business
Cyber insurance coverage is a relative newcomer to the insurance market, which can present some challenges for both businesses and insurers. To date, there are no official industry standards for cyber insurance, but there have been major strides in recent years to establish some. The National Institute of Standards and Technology (NIST) offers a comprehensive overview of the current state of cyber risk management. Adherence to these standards is currently voluntary, but many experts believe that the NIST recommendations have become the unofficial industry standard for cyber risk management.
Still, with the breakneck pace of technological evolution and increasing pressures to digitize data, most businesses are already vulnerable. The best way to protect yourself and your business is to conduct a risk assessment and identify any gaps in your coverage. Here are a few things worth looking for:
- Understand the coverage that you have, and the coverage that you don’t. Many people might make the mistake of assuming that a commercial general liability (CGL) policy covers losses in the event of a cyber attack. However, assumptions like that can be dangerous and costly, as many CGL policies specifically exclude electronic data. Take the time to review your current coverage and identify any exclusions that might leave you vulnerable.
- Understand your company’s specific needs. Companies vary in their use of and dependence on data. For instance, customer data held by financial or health care businesses is comparatively more valuable to criminals. Other companies, like online merchants, may potentially suffer greater losses as the result of an attack that crashes a website or interrupts service. Different policies have different limits, sub-limits and exclusions for different kinds of losses, so it’s important to work with an expert who can find exactly where your liabilities lie and what kinds of coverage you need.
- Consider retroactive coverage. Unfortunately, cyber breaches often go undetected for a long time. As a result, a policy that only offers coverage to the date of inception might leave you vulnerable to a cyber attack that hasn’t yet been discovered. To mitigate your liability as much as possible, get coverage with the earliest possible retroactive date.
- Obtain coverage for third-party vendors. Many businesses outsource their data processing or storage to a third-party vendor. This is a smart move, especially if you aren’t equipped to handle the IT side of your business. Unfortunately, it may leave you liable for damages if the actions of that third party are responsible for a breach. Make sure you have coverage for the actions or omissions of third parties with whom you do business.
Lessons Forgotten: Harrowing Reminders from Verizon’s 2015 Data Breach Investigations Report
When Verizon released its annual report on data breaches, the biggest shock might have been how little had changed from last year’s report. Businesses ignored known vulnerabilities and failed to implement simple fixes, resulting in losses that could have easily been prevented. The report identified a number of key areas that have been breached, but some stood out more than others. Here are three of the most frightening takeaways from the report, and what you can do to protect yourself:
- Old vulnerabilities: 99.9 percent of vulnerability exploits occurred more than a year after the vulnerability had been identified. Worse, almost 97 percent of exploited vulnerabilities came from a list of just 10 disclosed vulnerabilities. A few patches would have eliminated almost all of these incidents. It’s a simple fix, and one that your business can’t afford to ignore.
- Phishing still matters: Phishing relies upon the law of large numbers, and with a large enough audience, success is almost guaranteed. According to the report, “a [phishing] campaign of 10 emails yields a greater than 90% chance that at least one person will become the criminal’s prey.” Malware filtering has improved, but it isn’t perfect. Employee awareness is the last, and best, line of defense against malware in email.
- Privilege abuse: According to the report, 55 percent of insider incidents involved the abuse of privileges. Auditing and fraud-detection can only do so much, and often after the damage has already been done. Consider reducing and controlling privileges instead. It might make certain tasks slightly more inconvenient, but protecting sensitive patient or client data is worth it.