Coverage Disputes Over Online Attacks Grow

A federal court has ruled that an insurer’s professional liability policy must pay out $6 million for a company’s losses from a business e-mail compromise scam, even though the business lacked cyber coverage.

The ruling is part of a growing trend of businesses that haven’t purchased cyber insurance seeking coverage for cyber-related losses from other policies they do have, such as business liability, professional liability, and directors & officers (D&O) coverage.

Seeking coverage for cyber losses and e-mail compromise scams under policies other than cyber policies is often unsuccessful, and whether the insurer will pay out can depend on the nature of the loss.

In this latest case, however, a judge in the U.S. District Court for the Southern District of New York ruled that American International Group must cover $5.9 million that a company had been duped out of by Chinese hackers in 2016.

AIG had disputed the claim saying that the professional liability policy the business had does not cover “criminal acts,” adding that it had never sold the company a cyber policy.

These disputes are becoming more common and you should pay attention to your policy exclusions, as well as consider cyber insurance, if you have assets that could be exposed through a cyber attack or fraud.

How was the business scammed?

SS&C Technologies received spoofed e-mails that purported to come from one of the company’s clients, Tillage Commodities Fund, a commodities investment firm. The e-mails instructed the company to make six wire transfers to a bank account in Hong Kong.

The scammers masqueraded as Tillage employees with e-mail addresses that spelled “Tillage” as “Tilllage.”

But according to court documents, there were telltale warning signs that the e-mails were fishy:

  • One e-mail asking SS&C to wire $3 million contained only the words “How was your weekend?” and then the wire transfer details.
  • E-mails included grammatical errors and unusual syntax like “Let’s round up business today.”

Based on the above, SS&C staff were not particularly diligent in watching for business e-mail compromise scams, in which a third-party hacker poses as someone else (a client, a vendor, or even a manager or president of the targeted company) via e-mail and requests a wire transfer into a bank account.

This type of scam, which cost organizations $300 million every month in 2018, according to the U.S. Department of Treasury, is covered by a standard cyber insurance policy.

SS&C did not have a cyber policy, so it sought coverage under its professional liability policy for the losses it sustained when transferring those funds. AIG did pay for SS&C’s legal defense costs after Tillage Commodities sued, but refused to cover the $5.9 million in stolen funds.

According to court documents, AIG’s policy included a clause that it would not provide indemnity coverage for losses arising from “dishonest, fraudulent or criminal acts.”

What this means for your firm

While this case worked out for the insured party, businesses should not rely on their non-cyber insurance policies to continue paying claims. As costs for cyber attacks like ransomware, malware, stolen data and business e-mail compromise scams grow, insurers are increasingly including clauses that explicitly exclude coverage for those risks.

If you have any important company assets in digital form and/or make or receive payments online, it would be wise to secure a cyber insurance policy.

If you don’t, you can try to seek coverage under other policies. That may be difficult, but not impossible.

For example, if your company has D&O liability insurance and/or crime insurance, it may be able to seek coverage for any ransomware events since those policies will typically include coverage for kidnapping and ransom.

Some insurers are now providing – either deliberately or unintentionally – kidnapping and ransom coverage that applies to ransoms paid in response to cyber extortion. Among the events that these policies may consider cyber extortion are:

  • Threats to poison a computer system with malware.
  • Threats to change, damage or destroy programs or data stored on a system if the owner does not pay a ransom.

That said, many insurers who provide this coverage likely did not anticipate covering ransomware losses and have started changing their D&O and crime policies to specifically exclude ransomware.

Other insurers have added deductibles to the coverage, mirroring the terms of cyber policies, while others have capped the amount of business interruption coverage they will provide for cyber-extortion losses.

Coverage Gap Concerns as Cyber Threat Grows

Small and mid-sized businesses are increasingly bearing the burden of cyber threats, as criminals consider them low-hanging fruit that often lacks the resources to mount a strong defense.

A severe attack on a small company can incapacitate its ability to do business, and the expenses of getting operations back on track coupled with loss of goodwill can easily force many firms into bankruptcy. That’s why it’s important to not only have safeguards in place to avoid being compromised in the first place, but to also take out the proper insurance.

Unfortunately, with more data breaches hitting the news, one of the main concerns executives have is whether their insurance will cover the costs of recovering from an attack. Many business owners and executives worry whether the policies they have in place will be adequate if they are hit by a breach.

If you are running a small or mid-sized company, do not underestimate the growing threat to your business.

According to a survey by online insurance news service Advisen and Nationwide Insurance Co., the types of cyber losses mid-sized businesses incur are:

  • Malicious breaches resulting in data losses: 52%
  • Unintentional data disclosure by staff: 16%
  • Physical loss or theft of data: 13%
  • Network or website disruptions: 5%
  • Phishing, spoofing and social engineering: 5%
  • Other: 9%

Insurance concerns

One of the chief concerns for executives is any overlap or gaps between their property, liability, crime and cyber policies when it comes to covering the costs of recovering from an attack, according to the report by Advisen and Nationwide.

Some companies feel they don’t need cyber coverage because they believe their property and liability policies will cover any related losses.

Here are some of the main findings:

  • 95% of respondents named data breach as the number-one risk they expect to be covered by a cyber insurance policy.
  • 94.5% said they expected cyber-related business interruption to be covered by a cyber policy.
  • 89% said they expect their cyber policy to cover cyber extortion or ransom demands.
  • 36% said they have cyber-related property damage/bodily injury coverage under another policy, reflecting the belief that some coverage for cyber-related losses can be found under traditional policies.
  • 60% of respondents said they are concerned about perceived gaps and overlaps in their insurance coverage.

For funds-transfer fraud losses, the majority of respondents believed coverage should be found under the crime policy, but also stated they would like to be able to recover under both crime and cyber policies ― or have separate policies with higher limits.

These findings show that businesses are seeking clearer differentiation between cyber and traditional policies, and an understanding of which events are insured and which are not.

The takeaway

One thing to be aware of is that, since cyber insurance is a new and still evolving product, not all policies cover the same things. That’s why it’s important for businesses to weigh their choices carefully with our guidance.

While the cyber threat has grown, more insurers have also changed language in their property and liability policies to limit coverage of cyber events.

Typical property insurance policies offer higher limits for business interruption arising from covered property damage. And because of the high costs associated with a data loss, more executives want to see similar limits for business interruption coverage on their stand-alone cyber policies.

This market demand may drive insurers to refine their cyber insurance policies, including increasing cyber-related business interruption limits up to the level of standard property forms, according to the report.

It’s important that when shopping for a cyber policy, you work closely with us to find the one that best fits your needs. We can help you evaluate your risks and coverages and identify any gaps by looking at your existing policies.

Protecting Your Company Data During Layoffs

One of the most perilous times for a company in an employment relationship is when a worker is leaving. Departing employees have taken customer lists, vendor lists and sometimes company secrets on the way out the door, whether they were laid off, fired or quit on their own.

This unethical, and sometimes illegal, time-honored tradition has been made all the easier in the digital age with a trove of data easily e-mailed, uploaded to the cloud or downloaded on a thumb drive.

Minimizing the risk of laid-off or leaving employees absconding with sensitive company data requires planning between management and your legal counsel. There are a number of measures you can employ to preserve the value of your intellectual property and other important company proprietary information, such as:

Having employees sign non-solicitation agreements – In many states, non-solicitation agreements are enforceable. Such agreements often address the protection of proprietary, confidential information, like a list of customers and suppliers.

If a non-solicitation agreement is crafted properly, it can serve as a strong measure preventing departing employees from soliciting a former employer’s customers and suppliers at their next place of employment.

Using non-disclosure agreements – If you have company data that competitors could use to the detriment of your business, it would be wise to require your staff to sign non-disclosure agreements, which hold employees to their fiduciary obligations under law.

A typical non-disclosure agreement identifies the employer’s proprietary and confidential information and requires the employee to acknowledge the value of preserving the secrecy of such information. The agreement requires that the employee keep such information secret for a certain period of time.

Before writing up a non-disclosure agreement, management and legal counsel need to take an inventory of all the data the employer wants to protect. In order to be enforceable, a non-disclosure agreement must be supported by “adequate consideration” (which means evidence of employment, such as the payment of a wage for the employee’s services).

Requiring the return or destruction of property – Before employees leave your employ, make sure that they have returned all of the company’s property, particularly any items that contain confidential information. That may include laptops, originals and any copies of company documents that the employee has made.

Also make sure that company information, electronic files or other information stored on the employee’s personal or home computer is deleted.

Changing or deleting access codes, passwords – To make sure that a former employee does not access sensitive company data, you should change or eliminate any access codes, passwords for company e-mail, voicemail, telephone conference lines and computer systems, or access to your facilities via doors with coded locks.

Also collect any company ID cards. If you have concerns you can also notify customers, suppliers and others that the employee no longer works for you.

Making an exit record – Make sure you have a record (a checklist, for example) of the measures required of departing employees. This checklist will confirm that each departing employee has complied with your measures.

Also, have each departing employee sign an acknowledgment that all of the company’s property has been returned or destroyed, and that they have read, understood and agree to be bound by their ongoing obligations under their non-disclosure and non-solicitation agreements.

Conducting exit interviews – The final thing you should do is conduct a formal exit interview with each departing employee. During the exit interview, try to ascertain the confidential information known to the departing employee and ensure that all records of that information have been returned.

This is the time to remind the employee about their obligations under the non-disclosure agreement and the ramifications of violating the agreement either directly by disclosure or indirectly by performing work for other employers or for themselves that requires use of this confidential information.

Don’t Fall Victim to the Business E-mail Compromise Scam

West African organized-crime rings have been targeting U.S. businesses with “business e-mail compromise” scams that are costing firms millions of dollars every year.

Losses to businesses that are targeted by these scams hit an all-time high in the first quarter of 2018, with $685 million in losses reported by 4,081 victims. That’s more than the amount lost for all of 2017 in such scams: $675 million.

The gangs send fake messages to businesses’ finance departments purporting to be a vendor for the company with an invoice requiring payment.

These criminals do research before targeting companies, meaning they go to company websites and look for the right people to send e-mails to. They may even pull annual reports and find what companies they do business with, and then spoof those accounts (meaning they impersonate other firms in the e-mails).

Some criminals will fake a CEO’s e-mail account and e-mail that company’s finance office ordering payment to a certain account. In one case cited by Dow Jones Newswires, a real estate attorney received an e-mail from the purported sellers of a local property asking the lawyer to wire the proceeds of the sale to the criminals’ bank account. The lawyer wired $246,218.83 to the scammers.

The main scams

Money request via compromised account of company exec

  1. A criminal compromises or spoofs the e-mail account of an executive, such as the CEO.
  2. The criminal sends a request for a wire transfer from the compromised account to an employee who is responsible for processing these requests and is subordinate to the executive, such as the controller.
  3. The controller submits a wire payment request, as per instructions from his or her “boss.”

Invoice from supplier via spoofed e-mail address

A fraudster compromises the e-mail of a business user employed by their target company; for example, someone in accounts payable. This is how it’s done:

  1. The criminal monitors e-mail of the business user, looking for vendor invoices.
  2. The criminal finds a legitimate invoice and modifies the beneficiary information, such as changing the routing number and account number to which payment is to be sent.
  3. The scammer then spoofs the vendor’s e-mail to submit the modified invoice.
  4. Accounts payable, recognizing the vendor name and services provided, processes the invoice and submits a wire request for payment.

How to avoid getting burned

  • Confirm an e-mailed monetary request purportedly from a company executive by creating a new e-mail and entering their known e-mail address; don’t reply to the suspicious e-mail as it will likely go to the criminal.
  • The e-mails typically have a similar tone, urging secrecy and expedience. Set up your e-mail gateway to flag key words such as “payment,” “urgent,” “sensitive” or “secret.”
  • Look for odd uses of the English language. Many of the scammers are foreigners abroad.
  • Although the late-stage e-mails used in these scams may not contain malware, malicious code is often used as part of an overall scheme to initially compromise an employee’s e-mail account. So, make sure you have an effective malware detection solution in place.
  • Register all domains that are slightly different from the actual company domain.
  • Scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
  • Ask your accounts payable staff to get to know the habits of your customers, including the details of, reasons behind, and amount of payments.
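
The checks above can be automated at the gateway or in a mail-handling script. The following is an added example, not code from the original article or from ACBI, that scores an inbound message for a look-alike sender domain (the “Tilllage” pattern from the SS&C case), the pressure words the list suggests flagging, and a Reply-To address that would divert replies away from the apparent sender. The known-partner domain list and the two sample messages are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed list of the domains this company legitimately does business with.
KNOWN_DOMAINS: Set[str] = {"tillage.com", "example-vendor.com"}

# Key words the article suggests flagging at the e-mail gateway, plus "wire".
URGENCY_WORDS = ("payment", "urgent", "sensitive", "secret", "wire")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or a bare user@domain."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def lookalike_of(domain: str, known: Set[str], max_dist: int = 2) -> Optional[str]:
    """Return the legitimate domain that `domain` imitates (tilllage.com -> tillage.com),
    or None when the domain is genuine or not close to any known partner domain."""
    if domain in known:
        return None
    best = min(known, key=lambda k: edit_distance(domain, k))
    return best if edit_distance(domain, best) <= max_dist else None


@dataclass
class Verdict:
    lookalike: Optional[str] = None        # known domain being imitated, if any
    reply_to_mismatch: bool = False        # replies would go somewhere other than the sender
    keywords: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # A look-alike domain or a diverted reply path is enough on its own;
        # pressure words alone need at least two hits before the message is held.
        return self.lookalike is not None or self.reply_to_mismatch or len(self.keywords) >= 2


def analyze(from_addr: str, reply_to: Optional[str], subject: str, body: str) -> Verdict:
    """Apply the three checks to one message and return the findings."""
    verdict = Verdict()
    domain = sender_domain(from_addr)
    verdict.lookalike = lookalike_of(domain, KNOWN_DOMAINS)
    if reply_to and sender_domain(reply_to) != domain:
        verdict.reply_to_mismatch = True
    text = f"{subject}\n{body}".lower()
    verdict.keywords = [w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", text)]
    return verdict


# Constructed samples modelled on the SS&C/Tillage e-mails described above.
SCAM = analyze(
    "Tillage Operations <ops@tilllage.com>",
    None,
    "Wire instructions",
    "How was your weekend? Please send the $3 million payment today. "
    "Let's round up business today, it's urgent.",
)
GENUINE = analyze("ops@tillage.com", None, "Q3 contract",
                  "Attached is the signed contract for Q3.")

if __name__ == "__main__":
    for label, v in (("scam", SCAM), ("genuine", GENUINE)):
        print(label, "HOLD" if v.flagged else "ok", v)
```

A held message should then be verified the way the first bullet describes: a fresh e-mail to the known address, or a phone call, never a reply.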

If you have any questions or would like to speak to a professional advisor, please contact ACBI Insurance at 203-259-7580.

Ransomware Becomes Biggest Cyber Threat Facing Businesses

Ransomware is turning out to be the biggest cyber threat facing companies in 2017 after attacks more than quadrupled in 2016 from the year prior, according to a new study.

If you are not familiar with this fast-evolving cyber threat, typically the perpetrators will essentially lock down your database and/or computer system and make it unusable, then demand that you pay a ransom to unlock the system.

The “Beazley Breach Insights Report January 2017” highlights a massive and sustained increase in ransomware attacks.

Another report, the “2017 SonicWall Annual Threat Report,” found that cyber criminals are shifting their attention from malware and other types of threat to ransomware – as evidenced by a significant decline in the former types of attack and a dramatic increase in the latter.

Here’s what SonicWall saw in 2016:

  • Unique malware attacks fell to 60 million from 64 million in 2015, down 6.25%.
  • Total malware attack attempts fell to 7.87 billion from 8.2 billion, down 4%.
  • Ransomware attacks exploded to 638 million attempts in 2016 from 3.8 million in 2015, up a massive 166 times!

SonicWall’s report estimates that around $209 million in ransoms was paid in the first quarter of 2016 alone.

“It would be inaccurate to say the threat landscape either diminished or expanded in 2016 – rather, it appears to have evolved and shifted,” said Bill Conner, president and CEO of SonicWall. “Cybersecurity is not a battle of attrition; it’s an arms race, and both sides are proving exceptionally capable and innovative.”

The unprecedented growth of ransomware was likely driven as well by easier access in the underground market, the low cost of conducting a ransomware attack, the ease of distributing it and the low risk of being caught or punished.

Ransomware is also growing in both sophistication and type of attack, and the hackers are proving to be inventive in how they can cripple your business enough to elicit the ransom.

When you are most vulnerable

And there are some times that businesses are more susceptible than others in being targeted for an attack.

“Organizations appear to be particularly vulnerable to attacks during IT system freezes, at the end of financial quarters and during busy shopping periods,” the report states. “Evolving ransomware variants enable hackers to methodically investigate a company’s system, selectively lock the most critical files, and demand higher ransoms to get the more valuable files unencrypted.”

Ransomware enters a company’s system in a variety of ways.

The most common method is when an employee clicks on a link in a bogus e-mail, which opens the door for malicious code to start rifling through your systems. But more often, an employee unintentionally clicks on a link or sends information.

The types of attack will vary from industry to industry.

How Ransomware Infiltrates

  • Hack or malware: 40%
  • Insider: 7%
  • Unintended disclosure: 28%
  • Physical loss: 6%
  • Portable device: 6%
  • Other/unknown: 9%

Horror stories

  • Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin to regain access to its data in February 2016.
  • Lansing Board of Water & Light paid ransomware attackers $25,000 after they had paralyzed the company’s information system in April 2016.
  • A four-star hotel in the Austrian Alps paid 1,500 euros (about $1,600) in bitcoin after ransomware had locked up the computer running the hotel’s electronic key lock system, leaving guests unable to enter their rooms.

Compromised E-mails Grow as Hackers Double Down on Employees’ Bad Clicks

As the cyber threat spreads its tentacles, a new report sheds light on a rising risk, with the number of business e-mail compromises growing at an increasing rate.

The report by Beazley Breach Response Services, part of specialist insurer Beazley P.L.C., found that the e-mail threat is greater for organizations that use Office 365, Microsoft’s cloud-based package of popular software like Word, Excel and Outlook, the e-mail platform.

The study found that hack and malware breaches via Office 365 accounted for 13% of incidents during the first quarter of 2018.

The report should set off alarm bells at all organizations since e-mail is central to how we get business done these days.

Financial services, health care and professional services are the top sectors targeted by attempts to compromise e-mail as a way to gain entry into an organization’s systems.

What’s happening?

Employees are usually the weakest link in an organization’s chain. Anybody with e-mail in an organization can let in hacks and malware by clicking on a link in a phishing e-mail, or in a fake HelpDesk message or Microsoft survey. Once they click on these links, the employee is directed to a website that appears legitimate, with the Microsoft logo and a general “look” that mimics the company’s own website.

There they are asked for e-mail credentials, including a password. Once those details are supplied, the malware does its stuff and infects the system or the hacker starts harvesting the user’s credentials and logs into the mailbox undetected.

What happens when hackers gain access to e-mail?

After getting access, hackers can:

  • Run searches to steal personally identifiable information.
  • Steal bank information to send e-mails requesting fraudulent wire transfers.
  • Search the inbox to determine what HR and benefits self-service portal the employer uses, and then request a password reset for the user in that system. Once in the self-service portal, the attacker redirects the employee’s paycheck to one of their accounts.
  • Send spam e-mails to all of the user’s contacts in an attempt to get others to give up their credentials as well.

The top two causes of data breaches reported to Beazley Breach Response Services were hack or malware (42%) and accidental disclosure (20%). Social engineering and disclosure by insiders were the next highest causes of incident, each at 9%.

Another threat that gains entry when employees click on bad links is ransomware, which can shut down an organization’s entire system. Hackers then demand a ransom to unlock it.

What you can do

There are a number of simple ways to thwart infiltrators:

  • Change passwords regularly
  • Have dual-factor authentication
  • Remove auto-forwarding or auto-delete rules
  • Teach your employees how to detect bogus-looking e-mails. If unsure, one of the best ways is to look at the sender’s full e-mail address and see if it comports with the e-mail address of a known entity, like a bank.

Office 365 tips

For organizations that use Office 365, Beazley recommends that they:

  • Require two-factor authentication for access to Office 365.
  • Use the Secure Score tool. This Microsoft tool can be used by anyone who has administrative privileges for an Office 365 subscription. It assists not just in analyzing, but also with implementing best practices regarding their Office 365 security.
  • Enforce strong password policies. Educate employees about the risks of recycling passwords for different applications.
  • Alert employees who have access to accounts-payable systems or wire transfer payments about these types of scams.
  • Train all employees to beware of phishing attempts.
  • If you use cloud-based platforms, investigate what logging is available and make sure it is enabled. For instance, if you’ve migrated from on-premises Exchange to Office 365, audit your security settings, which are reset to default settings during migration. In Office 365, you must turn on audit logging in the Security & Compliance Center.
  • Work with your cloud provider’s technical team to determine what activities are logged and ensure you have the visibility you need, for the monitoring period you need.
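
Once a mailbox has been taken over, the attacker typically plants exactly the auto-forwarding and auto-delete rules the earlier list says to remove, so that wire-fraud and password-reset traffic never reaches the real owner. The following is an added example, not from Beazley, Microsoft or the original article, that audits an export of inbox rules for those patterns. It assumes the rules were pulled with the Exchange Online `Get-InboxRule` cmdlet and converted to the constructed dictionary shape shown (the field names mirror that cmdlet’s properties); it goes one step beyond the page by also flagging rules that bury money-related mail in folders users rarely open.

```python
from typing import Any, Dict, List, Tuple

# Constructed: domains that count as "inside" the organization.
ORG_DOMAINS = {"example.com"}

# Subject filters an attacker pairs with delete/move rules to hide evidence
# of invoice, wire-transfer or password-reset traffic from the mailbox owner.
SENSITIVE_WORDS = ("invoice", "wire", "payment", "bank", "password", "reset")

# Folders commonly used to bury mail where the user will not look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email"}

# Constructed sample export (assumed shape, not taken from the article).
SAMPLE_RULES: List[Dict[str, Any]] = [
    {"Mailbox": "cfo@example.com", "Name": "Backup", "Enabled": True,
     "ForwardTo": ["cfo.backup@gmail.com"], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": None, "SubjectContainsWords": []},
    {"Mailbox": "ap@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["invoice", "wire", "password"]},
    {"Mailbox": "ap@example.com", "Name": "Vendors", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "RSS Feeds",
     "SubjectContainsWords": ["bank details"]},
    {"Mailbox": "hr@example.com", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
    {"Mailbox": "hr@example.com", "Name": "Team copy", "Enabled": True,
     "ForwardTo": ["hr-manager@example.com"], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": None, "SubjectContainsWords": []},
]


def is_external(address: str) -> bool:
    """True when the address is outside the organization's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def audit_rule(rule: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one inbox rule (empty list = looks benign)."""
    findings: List[str] = []
    if not rule.get("Enabled", True):
        return findings

    # 1. Auto-forwarding or redirecting to an address outside the organization.
    targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
    external = [a for a in targets if is_external(a)]
    if external:
        findings.append("forwards mail outside the organization to " + ", ".join(external))

    words = " ".join(rule.get("SubjectContainsWords", [])).lower()
    touches_sensitive = any(w in words for w in SENSITIVE_WORDS)

    # 2. Auto-delete: deleting everything, or exactly the money/password traffic.
    if rule.get("DeleteMessage") and (not words or touches_sensitive):
        findings.append("auto-deletes " + ("all mail" if not words else f"mail matching [{words}]"))

    # 3. Moving sensitive mail into a folder the owner never opens (beyond the page).
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS and touches_sensitive:
        findings.append(f"hides mail matching [{words}] in '{rule['MoveToFolder']}'")
    return findings


def audit_rules(rules: List[Dict[str, Any]]) -> List[Tuple[str, str, List[str]]]:
    """Audit every rule and return (mailbox, rule name, findings) for the suspicious ones."""
    flagged = []
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            flagged.append((rule["Mailbox"], rule["Name"], findings))
    return flagged


if __name__ == "__main__":
    for mailbox, name, findings in audit_rules(SAMPLE_RULES):
        print(f"{mailbox} rule '{name}': " + "; ".join(findings))
```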

Finding Coverage for the Latest Computer Fraud Scams

As cyber scams and hacker attacks grow, the insurance industry has been frantically trying to keep up in providing appropriate coverage for these events.

Hacks, viruses, ransomware and exposure of sensitive personal information of your customers or employees, and any resulting regulatory implications, are often covered by cyber liability insurance. But what about the recent trend of criminals spoofing a company executive’s e-mail address, posing as them and ordering accounts payable to cut a check and send it to the fraudsters?

Well, two companies suffered similar incidents, but two different federal appeals courts came out with opposite opinions, with one saying that a company’s crime insurance policy covered the event, while the other court said it didn’t in its case.

The fact that two courts came out with two different rulings illustrates how many traditional and even cyber policies are slow to keep up with evolving hi-tech threats to businesses. The devil is always in the details, so you should always read your policy and discuss your concerns and potential risks with us.

This is all important because this kind of crime is growing quickly. Business e-mail compromise scams quadrupled in 2017, and losses ranged from a few thousand dollars up to $3 million, according to an analysis of insurer Beazley’s clients. The average claim amount they received from this type of scam in 2017 was $352,000.

The FBI has cited business e-mail compromise schemes used to intercept and hijack wire transfers as one of the fastest-growing cyber crimes.

Court case one: Covered

In this case, employees of Medidata, a clinical-trial software firm, were led by a series of fraudulent e-mails, which they believed came from their company’s president and the firm’s outside legal counsel, to wire $4.7 million to an account they thought was for an acquisition by their employer.

As part of the scam, a third party was able to send multiple Medidata employees e-mails that looked like they came from the company president, even including his picture in the “from” field. 

The company didn’t have a cyber insurance policy, but it had a Federal Insurance Co. executive protection policy, which included a crime section that included coverage for computer fraud, funds-transfer fraud and forgery. The insurer rejected Medidata’s claim and the company sued in federal court. The lower court ruled in favor of the insurer, but upon appeal the federal appeals court ruled that the policy did in fact cover the loss.

The insurer argued the policy applies to only hacking-type intrusions. The appeals court found that while no hacking occurred, the fraudsters did insert the spoofing code into Medidata’s e-mail system, which the court said is part of the computer system, and they sent messages that were made to look like they were from high officials at Medidata in order to trick the employees.

The court held that the insurer must pay under the computer fraud portion of its policy.

Court case two: Not covered

In the second case, a federal district court found no crime policy coverage where a Michigan tool and die firm wired $800,000 in funds to a fraudster’s account in the belief the account belonged to one of its vendors.

The insurer faulted the company for not verifying the bank account with the vendor. The district court agreed with the insurer that the loss was not a “direct loss” caused by the “use of a computer,” and thus the crime policy did not apply.

The takeaway

Computer fraud is evolving rapidly, so it’s important that you talk to us about the types of fraud that appear in the news.

We will work with you to ensure that your coverage is forward-looking and covering more than just threats from last year. We can also discuss with you how computer fraud coverage interacts with other types of cyber crime policies.

‘Heartbleed’ Bug Underscores Need for Cyber Risk Insurance

American businesses took a one-two punch in the gut this spring: Investigators discovered a serious vulnerability in a popular cryptographic protocol in very common use by commercial Web developers all over the world. The so-called “Heartbleed Bug” was nestled in the very prominent OpenSSL cryptographic software library, and allowed cyber thieves to steal information that both the Web programmers and the end user/customers thought was protected. The popular website Mashable.com published an extensive list of websites and vendors whose systems may have been compromised by the Heartbleed Bug. If you do business with any company on this list that may have been affected, you may wish to change your password information.

Just a matter of days later, the largest arts and crafts store in America, Michael’s, announced that thousands of credit card numbers had been compromised. Aaron Brothers, a Michael’s subsidiary, was also affected by an attack by highly sophisticated criminals using malware that had not been encountered before by their security consultant firms. Michael’s has contained the threat, and the malware is no longer compromising credit card numbers and expiration dates. The attack occurred between May 8, 2013 and January 27, 2014, potentially affecting 2.6 million cards.

Furthermore, Florida officials are now investigating an attack on Hess customers who purchased gas using their credit cards. Criminals installed card skimmers at a number of Hess stations in Florida.

These attacks come on the heels of a massive leak of credit card information at the prominent Target chain of retail stores.

The result isn’t just a risk to customers and card-issuing banks. Businesses who take any form of electronic payment must consider themselves at risk of liability arising from the compromise of their electronic payment systems. As we saw from the Heartbleed Bug, even the most sophisticated businesses with large and highly skilled information technology staffs of their own were vulnerable to flaws in the coding far upstream.

Furthermore, as we see in the Hess case, smaller firms can no longer assume they will not be targeted by cyber-thieves. If they can install skimmers on gas pumps and go undetected for months, they can install them almost anywhere. And it may well be the business that winds up holding the bag for liability for damages caused by cyber attacks that they failed to prevent. A recent survey showed that some 72 percent of all cyber breaches occur at small-to-medium sized businesses.

Liability can also come from government sources: The Federal Trade Commission recently filed suit against the Wyndham hotel chain for failing to provide adequate security for customers’ private information, after the FTC dealt with the fallout of three separate breaches in just a few years.

Cyber Risk Insurance

Fortunately, it is possible for businesses to purchase protection against this potentially devastating risk, through obtaining cyber risk insurance. This insurance protects the company against catastrophic liability arising from cyber attacks or other information security lapses.  Policies are now available from a variety of firms, and are designed to be affordable and realistic even for the smallest businesses that may be affected.

What’s covered?

Cyber liability insurance, or cyber risk insurance, is still evolving, but policies could cover one or more of the following risks, according to the National Association of Insurance Commissioners:

  • Liability for security or privacy breaches, including loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.
  • The costs associated with a privacy breach, such as consumer notification, customer support and the cost of providing credit monitoring services to affected consumers.
  • The costs associated with restoring, updating or replacing business assets stored electronically.
  • Business interruption and extra expense related to a security or privacy breach.
  • Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.
  • Expenses related to cyber extortion or cyber terrorism.
  • Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.

One size does not fit all. It’s crucial to take a look at the specific language of the policy as well as the premium, and choose the policy that best fits your overall risk management strategy and liability exposure. If you have any questions or would like to review this important coverage, please call ACBI at 203-259-7580 or visit our website.

Protection Against Data Breaches

Just prior to the Christmas holiday in 2013, the prominent retail chain Target announced that it had been the target of a massive hack of its credit card processing systems. The breach compromised as many as 40 million credit card numbers. Law enforcement authorities and Target’s own investigators confirmed that stolen card numbers were coming up for sale on Internet sites catering to identity thieves at anywhere from $20 to $100 per card.

The complaint in one of the resulting lawsuits reads, in part: “Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.”

All businesses are at risk

If a retailer of Target’s size, with modern security controls and encryption, can be breached, so can your business. And if your business fails to protect this information against criminals both internal and external to your organization, you could be liable for damages.

Target was named a defendant in a lawsuit within days of the news breaking. Naturally, Target can afford the top attorneys in the country to defend its interests. For most small or medium-sized businesses, the attorney’s fees alone involved in mounting a defense would be a very significant hardship, even in much smaller cases.

The fact is that credit card thieves, hackers, and extortionists attack not just large businesses, but medium- and small-sized businesses, too. In fact, it happens every day. Servers in restaurants, for example, can swipe a credit card using a smartphone and a tiny reader they can carry around in their pockets, or photograph your accounts receivable records. Advances in technology and business methods have also created new dangers for businesses, and an emerging area of insurance and law centered around cyber-risks.

As a small business, your risk isn’t confined to credit card numbers and transactions. You could be facing immense liability from any of these cyber-crime related risks:

  • Security breaches of business checking accounts
  • Electronic theft of money you hold as a fiduciary for your clients or customers
  • Theft or exposure of health insurance records
  • Theft of e-mail addresses
  • Theft of customer bank account and other billing information
  • Exposure of personally identifiable medical information

It’s not just criminals that can cause a claim, either. Your servers could be destroyed in a fire, or infected with a computer virus.

Damages can quickly total into the hundreds of thousands or millions of dollars, depending on the size of the business and the nature of the data that was destroyed, compromised or stolen.

Insuring Against the Risk

Fortunately, it’s now possible to insure against the devastating effects of a cyber breach or network disaster. While there is no “standard policy form” at this point, most policies currently available will provide coverage against the following types of risks:


  • Data destruction
  • Data recovery costs
  • Business continuation
  • Data theft costs
  • Extortion
  • Legal fees arising from cyber risks

As with any type of insurance, definitions matter, so look beyond the monthly or annual premium costs to see how each peril is defined, and review any exclusions, before electing a carrier or policy.

Who To Involve

Selecting appropriate coverage is frequently a team effort. Best practices include getting input not just from management and from a licensed insurance agent, but also from dedicated IT personnel, who may be tracking the latest scams and risks in their own professional reading and can help keep management apprised of risks and vulnerabilities. Call ACBI at 203-259-7580 for a review of this crucial coverage.

How Prepared Is Your Business For A Cyber Attack?

Only 36% of public companies purchased cyber liability insurance in 2012, and only 6% of private companies had cyber liability insurance in 2010.

Why don’t more companies purchase cyber insurance?

Chubb Insurance asked nonbuyers this question, and the #1 response—from 47% of private company respondents and 37% of public company respondents—was “low risk/no exposure.”*

FBI Director Robert Mueller might have had corporate denial in mind when he told a conference of security professionals earlier this year: “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” (Source: CNNMoney)

Facts are well-known

A well-publicized Ponemon Institute study** reported that the typical data breach in 2011 resulted in:

  • 28,349 breached records.
  • Total costs of $194 per record (including notification, call centers, forensics and other direct expenses).
  • $561,495 in notification costs.
  • $5.5 million in total organizational costs.

Furthermore, 46 states have enacted legislation requiring companies to notify customers if their personal information may have been compromised.

Cyber risks—and awareness—are growing

Cyber exposures are growing, and awareness of those risks seems to be growing, as well, as indicated by the fact that purchase rates of cyber insurance are slowly rising. More companies are realizing that they may be vulnerable to potentially costly cyber exposures, including cyber liability and cyber crime expense.

The same may be true for directors and officers (D&O) liability, thanks in part to the October 2011 SEC guidance that companies must consider information security when disclosing risks to investors. As attorney Kevin LaCroix, executive vice president, RT ProExec, said in his blog, The D&O Diary (September 24, 2012), “With increasing scrutiny on companies’ cybersecurity preparedness and disclosure comes the increasing possibility that companies experiencing cybersecurity incidents, and their directors and officers, may face claims from shareholders and other constituencies that they failed to implement appropriate cybersecurity measures or made misrepresentations about their cybersecurity preparedness.”

Although most companies aren’t yet buying cyber insurance, a majority of public companies are at least taking notice, according to Chubb’s survey:

  • Public company decision makers cited cyber risk as their #1 concern from a list of exposures, with 63% expressing some level of concern.
  • 71% of the public companies have an incident response plan (IRP) for an electronic security breach.***
  • 52% of the companies are allocating more financial or human resources toward mitigating the risk of a cyber breach than they did a year ago. Only 3% are allocating fewer resources for this purpose.
  • 24% of respondents said it was likely the company would experience a cyber event sometime in the next 12 months.

ACBI can help you protect your business from this debilitating threat. We have options for public and private companies, large businesses or small, professional services and non-profits. Contact us today to find out how we can help.