Thanks to a number of high profile cases of cyber theft, many companies are aware of the threat of a cyber or data breach. Most know that it’s no longer a matter of “if” but “when” they will get hit. After all, every company has information hackers can profit from such as stolen identities, credit card information or proprietary secrets, to name a few.
Big companies usually make the headlines when hackers compromise the confidentiality of millions of customers, but the truth is that 60% of all cyber breaches last year involved small and midsize businesses.
What’s more, many small to midsize firms that are typically prudent in other aspects of their business haven’t taken the time to understand the data security threat, nor are they effectively managing the issue, according to new survey data from MMA.
Unprepared and Unaware
The 12-page report, 2015/2016 Cyber & Data Security Risk Survey for Small and Midsize Employers, highlights the fact that many are underestimating the potential danger to their business. Notably, the survey found the following:
- Just 6% of the respondents said they thought their organization’s data security was “bomb proof.”
- 2% said they did not have a corporate recovery plan to deal with the loss of confidential, personally identifiable information.
- 9% said their organization did not have the expertise to develop any kind of data security plan.
- Not surprisingly, those organizations that regularly talk about data security and risk management at the C-level are twice as likely to have implemented a recovery program to help manage a data security breach.
What To Do
Do something. Most companies get overwhelmed even thinking about how to prepare for or prevent cyber attacks. From our experience, preparation is key to a company’s success in surviving a data breach. And that preparation can be as simple as 1-2-3.
The people who want to misappropriate your confidential information are getting smarter about it every day.
By nature, great white sharks must keep moving to stay alive. It’s simply how they are built. Like great whites, businesses must stay in motion too, doing business each day in order to thrive. In today’s tech-filled society, computers, software programs and the cloud are critical to keeping things in motion for most businesses.
Even a short period of unscheduled downtime can wreak havoc on a business and, sometimes, it can be downright deadly. In the past, physical threats like fire, theft and water damage were the common perils business owners faced. If your business was interrupted by one of these hazards, the property policy including business interruption would respond and help you get back on your feet.
In today’s hyper-connected marketplace, threats capable of shutting down your business often come in more insidious forms. Data breaches and cyber-attacks are on the rise, unleashing damage like never before and many companies are not prepared for the impact.
System Outages are the Silent Killer
While the Sony Pictures cyber-attack made headlines for the type of private information leaked, such as internal email threads discussing celebrities, what you didn’t hear is that Sony Pictures’ computer systems were offline for over 6 weeks due to the breach.
As a follow-up to the previous blog post about who is responsible for a data breach, this post will cover a second misconception about mitigating the cost of a breach.
Misconception #2: “Our current insurance program will help us pay for and recover from the data breach.”
The reality: This could be true, but it all depends on which insurance policies a company has in place at the time of loss. In recent cyber breach cases, attorneys have been struggling to find even a sliver of coverage within the various “standard” insurance policies that will help them recover. They have had some success; however, that loophole is disappearing quickly. Why? Because the insurance industry never intended for the General Liability, Property, Directors & Officers Liability or other policies to cover data and cyber threats. Now, most policies are being written with specific exclusions to remove the possibility of coverage applying to data breaches.
The good news is this: The insurance industry has created a solution designed specifically for data breaches. Specialty Cyber/Data Liability policies are available and will cover most of the costs of a data breach. Costs for forensic investigation, legal, crisis communications, notification, and credit monitoring are included in a Cyber/Data Liability policy. Beyond that, the policy can also help defend companies against lawsuits from affected individuals, regulatory investigations, Payment Card Industry (PCI) fines and penalties and more. It’s important to note that certain items are generally not insurable because they are very difficult to quantify or put a value on, such as reputational damage or loss in value from stock price declines.
One more thing to keep in mind: each insurer writes these policies in their own way, and the quality of the offering varies dramatically. Think of it like buying a new car. Some have features that help you avoid accidents, like backup cameras or warning signals, and others protect what you have in the car with alarms. Still others are outfitted with devices to help you get your car back if it is stolen. The same is true of Cyber/Data Liability policies. The policies offered differ in terms of basic coverages as well as the loss prevention and breach response services provided. Not sure what exactly your company needs? That’s where your broker comes in. Their job is to negotiate the best policy that fits your company’s needs and your bottom line.
To make sure your organization is prepared for a data breach, stream the seminar, “Avoiding a Data Breach Nightmare” by clicking below.
Due to recent data breaches at big name companies, awareness is high when it comes to cyber threats. Yet, misconceptions abound regarding a company’s liability and how insurance mitigates the cost of a breach.
Misconception #1: “Our company outsources critical processes to cloud providers, credit card processors and other specialty vendors. If a breach occurs, they are liable, not us.”
The reality: Forty-seven states (and many foreign countries) have their own privacy laws that identify the responsible party in the event of a breach. Even with many different privacy laws, there is consensus when it comes to identifying the victim and the responsible party, and your company might not be off the hook the way you would imagine.
For example, in the case of the Target breach, the crime originated with an HVAC vendor that did business with Target. While hacking into the vendor’s computers, cyber criminals found a password that allowed them to access the Target IT system. Once in Target’s system, the hackers dropped in malware that grabbed credit card numbers during transactions made at the store. This data was then sent outside of Target’s system, where the hackers could sell the credit card numbers on the black market.
To uncover the responsible party in this case, ask: Whose customers’ data was stolen? Who was originally entrusted with that data?
Although there were plenty of parties involved, Target is ultimately accountable because the victims of the attack are Target customers. Target is responsible for notifying their patrons of the breach and monitoring their credit. Throw in the high costs of the forensic investigation, legal services, crisis communication and damage to the brand and the potential loss grows.
While it’s possible for Target to recover some of these costs from the other vendors in the chain, that depends on the terms of the signed contract and the financial capability of that vendor to indemnify them.
Make sure to check out our blog on the common misconception that a company’s current insurance program will help them recover from a data breach. To make sure your organization is prepared for a data breach, stream our seminar on how to avoid a data breach nightmare and download the MMA 2014 Cyber & Data Security Risk Survey Report.
It’s no secret that cyber security is a major business concern. After all, every few weeks another massive breach makes front page news. While awareness is high, the real impact to middle market firms gets lost in the big name headlines. In order to identify business practices and trends among emerging and private organizations, Marsh & McLennan Agency LLC recently surveyed its nationwide client base on this crucial topic.
Here are some of the key takeaways from the nearly 600 responses:
- 80% of respondents said their business activities include at least five of the following key cyber risk factors:
- Processing credit card transactions
- Holding past or present employee records
- Processing/accessing banking information
- Using computers connected to the Internet
- Hosting websites that collect personal or confidential information
- Holding client, customer or supplier information
- Using the Cloud
- Holding information subject to HIPAA
- Linking employee laptops/PDAs to the employer's network
- Most respondents indicated that they outsource many of these business activities that expose them to cyber risk. Nearly 40% of the respondents have no process to ensure their protection in the event the vendor’s data is breached. Among those companies that do have a procedure, most have processes that are inadequate.
- Nearly 61% of respondents had little understanding of how their insurance policies would respond to a cyber loss. Of that group, 83% had little to no understanding of cyber insurance policies.
- 60% of respondents do not have a corporate disaster recovery plan in place.
Data breach is a hot topic, and for good reason. Stories about businesses getting hacked are in the news almost every day. And it’s not just large corporations or technology companies that are affected. Any business, large or small, is at risk. According to The Hartford Insurance Company, one third of the data breaches investigated in 2012 took place at organizations with fewer than 100 employees. To hackers, any information is good information, so even small companies are vulnerable.
Why should you be concerned about data breaches? Breaches can have tremendously negative effects on your business, both in terms of cost and damaged reputation. The most obvious is the cost of corrective measures needed in the aftermath of the data breach, including forensic investigation, legal services, notification costs, auditing and consulting services, public relations services, credit monitoring and more. According to the Ponemon Institute’s 2013 Cost of Data Breach Study, it costs an average of $188 per individual record that has been compromised.
In addition to being extremely expensive, a data breach can destroy trust and customer loyalty. Ponemon Institute’s study pointed out that for healthcare and financial services companies in particular, the risk of customer abandonment is high post-breach. Had the breaches at Target, Neiman Marcus and other retailers been included in the study, the retail sector would undoubtedly have been at the top of the high risk category.
So what can a business do to protect itself against this threat of a costly data breach?