Tech Tips for Business Owners

Cyber Insurance: 3rd party liability coverage is key

by

Cyber Insurance: 3rd party liability coverage is key

So, we talked in the last blog about cyber insurance coverage for first-party losses. All well and good, but that crime will likely have impact on outsiders, such as your customers.

Third-party losses refer to your liability for the consequences of the data breach to others.For simplicity’s sake, this most often will be those customers whose data was “hacked.” Without question, the biggest issue here is the damage to someone’s data. It may be released to the public, used for criminal purposes such as identity theft, financial fraud, or even to create public scandal. ( remember the dating website for married people looking to have affairs?) There is no end to the mischief and the damage cyber criminals can cause. We can identify at least three main areas where you would want coverage.

  • Network Security – Lawsuits may occur alleging that you failed in some way to provide adequate security for the data. If the data was compromised, or the data could not be accessed as required because of the event, the claim would be you were in some way negligent regarding network security and failed to protect PII.
  • Network Privacy – This refers to lawsuits alleging damage from the exposure of PII. Examples would be identity theft, damage to credit ratings, invasion of privacy, etc.
  • Errors and Omissions – Suits could also claim that mistakes in your software design or a coding error was what led to the vulnerability.

What does your cyber insurance cover? 6 possible coverages.

by

What does your cyber insurance cover? 6 possible coverages.

If you are looking to buy cyber insurance you are going to encounter discussions of first- and third-party coverage for a cyber crime. As mentioned in our last blog, first-party coverage is all about purchasing coverage to handle the direct and indirect losses that create economic loss for your business as a result of the criminal cyber event.

Following the loss or damage to your data faster from a cyber event, first-party losses may include the expenses that cascade down from that first event. Here a six significant expenses that you may want to have covered.

  • Forensic expenses – You will find it necessary to use resources to find out what happened. The ‘when, where, why, how,’ the breach or event occurred and most importantly, who is affected. You can’t begin to fix anything until you find out what is broken.
  • Recovery costs – These are all the extra resources you may expend working to recover lost or damaged data. Depending on the complexity and the resources of your in-house staff, recovery and forensic efforts may require outside consulting support.
  • Loss of income – This would be akin to the business interruption insurance you may have under your commercial property insurance policy. It refers to the income lost as a consequence of the data event
  • Extortion – Did you have to pay a ransom to get your data back? Ransomware is a popular form of cyber attack and while governmental authorities strongly recommend against giving in to ransom demands, many entities end up finding that is the only path to data recovery.
  • Notification – Keep in mind that under various piecemeal state and federal regulations, you may have specific notification requirements to alert anyone whose data was compromised. This may require media ads, mailings, etc.
  • Public relations – Because data breaches often require public notification, a cyberattack can be a branding nightmare. For small businesses, it can be fatal. You will certainly need to expend considerable resources to recover the confidence of your clients or customers.

What does your cyber insurance cover? 6 possible coverages.

by

What does your cyber insurance cover? 6 possible coverages.

If you are looking to buy cyber insurance you are going to encounter discussions of first- and third-party coverage for a cyber crime. As mentioned in our last blog, first-party coverage is all about purchasing coverage to handle the direct and indirect losses that create economic loss for your business as a result of the criminal cyber event.

Following the loss or damage to your data faster from a cyber event, first-party losses may include the expenses that cascade down from that first event. Here a six significant expenses that you may want to have covered.

  • Forensic expenses – You will find it necessary to use resources to find out what happened. The ‘when, where, why, how,’ the breach or event occurred and most importantly, who is affected. You can’t begin to fix anything until you find out what is broken.
  • Recovery costs – These are all the extra resources you may expend working to recover lost or damaged data. Depending on the complexity and the resources of your in-house staff, recovery and forensic efforts may require outside consulting support.
  • Loss of income – This would be akin to the business interruption insurance you may have under your commercial property insurance policy. It refers to the income lost as a consequence of the data event
  • Extortion – Did you have to pay a ransom to get your data back? Ransomware is a popular form of cyber attack and while governmental authorities strongly recommend against giving in to ransom demands, many entities end up finding that is the only path to data recovery.
  • Notification – Keep in mind that under various piecemeal state and federal regulations, you may have specific notification requirements to alert anyone whose data was compromised. This may require media ads, mailings, etc.
  • Public relations – Because data breaches often require public notification, a cyberattack can be a branding nightmare. For small businesses, it can be fatal. You will certainly need to expend considerable resources to recover the confidence of your clients or customers.

Cyber insurance: What is first-party and third-party coverage

by

Cyber insurance: What is first-party and third-party coverage

When you start looking at cyber insurance, you are likely going to encounter discussions of first- and third-party coverage. This is referring to the protection against losses incurred by first- and third-parties as a result of a cyberattack. First-party is all about you. The term refers to all of the losses you suffer directly because of the event. Third-party refers to all of the losses suffered by others as a result of the cyber event which hit your business. Generally, this is going to refer to your clients and others whose data you handled and that was compromised in some fashion as a result of the cyber event.

So, let’s take a high-level look at the risks that fall under first-party losses.

First Party losses – all about you

First-party is all about covering the direct and indirect losses that create economic loss for your business as a result of the criminal cyber event. Let’s start with the immediate consequence to your business from a cyber attack: that is the loss or damage to the electronic data you hold. That can be any electronic data that you possess, including the data of your clients. The compromising of customer data is of special concern when it includes Personally Identifiable Information (PII). PII can identify a specific individual. Examples include full name, address, social security number, birth date, etc. Cyber insurance would generally help you cover the expenses from a data breach only from a specified covered peril such as a DoS, hackers, virus, etc.

However, breaking out all of the first-party losses reveals quite a complex list of expenses. In our next blog, we will give you a breakout of the major expenses that can result from that initial criminal event.

Cyber insurance: What is first-party and third-party coverage

by

Cyber insurance: What is first-party and third-party coverage

When you start looking at cyber insurance, you are likely going to encounter discussions of first- and third-party coverage. This is referring to the protection against losses incurred by first- and third-parties as a result of a cyberattack. First-party is all about you. The term refers to all of the losses you suffer directly because of the event. Third-party refers to all of the losses suffered by others as a result of the cyber event which hit your business. Generally, this is going to refer to your clients and others whose data you handled and that was compromised in some fashion as a result of the cyber event.

So, let’s take a high-level look at the risks that fall under first-party losses.

First Party losses – all about you

First-party is all about covering the direct and indirect losses that create economic loss for your business as a result of the criminal cyber event. Let’s start with the immediate consequence to your business from a cyber attack: that is the loss or damage to the electronic data you hold. That can be any electronic data that you possess, including the data of your clients. The compromising of customer data is of special concern when it includes Personally Identifiable Information (PII). PII can identify a specific individual. Examples include full name, address, social security number, birth date, etc. Cyber insurance would generally help you cover the expenses from a data breach only from a specified covered peril such as a DoS, hackers, virus, etc.

However, breaking out all of the first-party losses reveals quite a complex list of expenses. In our next blog, we will give you a breakout of the major expenses that can result from that initial criminal event.

Should I look into cyber insurance?

by

Should I look into cyber insurance?

Among those firms who take risk management seriously, there is a growing awareness of the need to consider some manner of insurance to protect against the costs of cybercrime. Standard commercial property insurance policies do not generally include provisions for the damages from cybercrime. Cybercrime can be thought to include any digital or internet-based attack that compromises you and/or your customers’ data and/or causes disruption to business operations. A non-inclusive list might include Denial of Service (DoS) attacks, phishing scams, adware, ransomware attacks, system/website cloning, viruses, and other malware, and viruses. So what is it that so worries business leaders? In a growing number of commercial policies, cyber events are specifically excluded. The consequences can be serious. Fines and penalties, loss of customer confidence, and liability lawsuits can shut a business down for good, especially smaller businesses that lack the deep pockets to hold out until the worst of the storm passes. Cybercrime creates a large range of potential first- and third-party losses that few businesses can hope to absorb on their own. As a result, executives who recognize the catastrophic damage that a cyberattack can inflict on their business are looking at cyber insurance to transfer the financial losses to a third party.

Because of the severe consequences of cybercrime, businesses are now exploring cyber insurance policies in hopes of protecting themselves against financial ruin. However, these policies represent a bit of a minefield as this is a relatively new and unsettled area of insurance. Insurance firms trying to write policies face a lot of unknowns at this point, which means coverage may differ dramatically between insurers and there may be many areas where you remain exposed to considerable risk. Just two examples to get you thinking. Some policies may create requirements and security standards you must meet before an event will be considered a covered loss.

  • How would you handle those requirements internally to keep your company in compliance? And what about ransomware?
  • If you had to pay the ransom, would the policy cover that payout?

There are a lot of weeds to get into when looking for a cyber insurance policy and it is important you recognize the complexity of the issues. Cyber insurance has a lot of moving parts. In the meantime, cyber insurance doesn’t absolve you of the ongoing need to be vigilant about network and data security. Contact a managed service provider to learn more about what you can do to keep your business safe.

5 Ways SMBs Can Save Money on Security

by

5 Ways SMBs Can Save Money on Security

Small-to-medium sized businesses and large enterprises may seem worlds apart, but they face many of the same cyber-security threats. In fact, in recent years, cyber-criminals have increasingly targeted SMBs. This is because it’s widely known that SMBs have a smaller budget, and less in-house expertise, to devote to protection. Thankfully, there are several things SMBs can do today to get more from even the most limited security budget. And, no, we aren’t talking about cutting corners. Far too often, SMBs cut the wrong corners and it ends up costing them more money in the long run. It’s a matter of taking a smarter approach to security. Here are five smart approaches to take

  • Prioritize – Every business has specific areas or assets critical to its core operations. Seek the input of valued staff and team members to determine what these are. Is there certain data that would be catastrophic if it was lost or stolen? If hackers compromise a network, or prevent access to certain applications, how disruptive would it be to daily business operations? What kind of potential threats or vulnerabilities pose the greatest risk to the company or your customers/clients? Focus on the most likely risks, not theoretical risks that “could happen.” Asking such questions gives you a clearer and more complete perspective as to where to focus available security resources.
  • Develop and Enforce Policies – Every SMB needs to implement a security policy to direct employees on appropriate and inappropriate workplace behaviors relative to network, systems, and data security. Merely drafting this document isn’t enough. Employees must be held accountable if they fail to adhere to policy. Such policies should be updated regularly to reflect new technology and cultural shifts. For example, a document written before social media took off, or before the BYOD (Bring-Your-Own-Device) movement, doesn’t necessarily apply today.
  • Education – Ongoing end user training must be provided. Many security breaches happen because employees fail to recognize phishing schemes, open emails from unknown sources, create poor passwords that are seldom changed, and don’t take proper precautions when using public Wi-Fi connections on personal mobile devices also used for work.
  • Take to the Cloud – Running applications and servers in-house is a costly endeavor. Leveraging the cloud today allows SMBs to cut costs while also strengthening their security. Cloud operators typically have built-in security features, alleviating SMBs of the burden of maintaining security themselves. Today, not only can SMBs shift much of the burden of IT to the cloud, but they can also outsource much of their security by taking advantage of the remote monitoring, maintenance, and security tools provided by Managed Service Providers (MSPs).
  • Don’t Aim for Perfection – There is no such thing as perfect security. Striving for perfection is expensive and can prove to be more costly in the end. Improving protection and response would be a more ideal allocation of funds. It can take a hacker several months to figure out your systems and do real damage. Having the ability to quickly detect their presence, and mitigate any potential damage they may cause, is a more realistic and less expensive approach than thinking you can completely remove any probability whatsoever of a hacker breaching your system.