
Are You Covered for Cyber Business Interruption?

By Mike Grant, Director, Technology Practice

October 5, 2015 at 10:00 AM

By nature, great white sharks must keep moving to stay alive. It’s simply how they are built. Like great whites, businesses must stay in motion too, doing business each day in order to thrive. In today’s tech-filled society, computers, software programs and the cloud are critical to keeping things in motion for most businesses.

Even a short period of unscheduled downtime can wreak havoc on a business and, sometimes, it can be downright deadly. In the past, physical threats like fire, theft and water damage were the common perils business owners faced.  If your business was interrupted by one of these hazards, the property policy including business interruption would respond and help you get back on your feet.

In today’s hyper-connected marketplace, threats capable of shutting down your business often come in more insidious forms. Data breaches and cyber-attacks are on the rise, unleashing damage like never before and many companies are not prepared for the impact.

System Outages are the Silent Killer

While the Sony Pictures cyber-attack made headlines for the type of private information leaked such as internal email threads discussing celebrities, what you didn’t hear is that Sony Pictures’ computer systems were off-line for over 6 weeks due to the breach.


Topics: Property + Casualty, Cyber & Data Security

Communication Tips for Surviving the Data Breach Epidemic of 2015

By Theodore J. Kobus III, Partner, BakerHostetler

June 1, 2015 at 10:00 AM

Ted Kobus, co-leader of BakerHostetler’s Privacy and Data Protection team, advises on risk management, compliance, incident response strategies, and regulatory and class action defense. He has led more than 750 incident responses, is ranked in Chambers USA, and was named an MVP by Law360 for Privacy/Consumer Protection. He is currently representing Premera Blue Cross Blue Shield in incident response, law enforcement investigation, legislative inquiries, regulatory investigations, and the over 20 class action lawsuits filed to date.

Only five months into 2015, several high-profile data breaches have already affected nearly 100 million people, and this apparent data breach epidemic shows no signs of slowing down. As the fallout from these breaches continues to unfold, organizations not yet affected should take this opportunity to study these incidents and assess their own preparedness to deal with a similar event while they still can.

However, even the most rigorous breach preparations can be undercut by one crucial aspect of breach response: communication. When it comes to data breaches, perception is reality. Regardless of how diligent, thorough, or prepared an organization may be, the timing and manner in which the organization communicates a breach to the public and regulators shape how the incident is perceived more than any other aspect of breach response.

Here are 5 communication tips for surviving the data breach epidemic of 2015:

1. Don’t Go Public Until You Have All the Facts

When responding to a data breach, organizations must walk a fine line between prompt notification and accurate notification. Prompt notification is essential if affected individuals are to protect themselves. However, notifying individuals prior to gathering the information needed to assess and fully understand the incident creates the risk of providing inaccurate information. And inaccuracy can turn an already difficult situation into a nightmare.

In addition to creating a negative perception of an organization’s competency and honesty, an organization that disseminates incorrect information must spend significant time and resources to rectify the situation. These efforts may overshadow the positive aspects of the organization’s response, such as remediation efforts and corrective actions.

Taking time to collect all of the facts before going public is the best way to ensure that communications are accurate and complete, and doing so may even reveal that notification is unnecessary.

2. Avoid Sending Out Multiple Notices

When an individual receives a notice that their information has been compromised, they will likely (and understandably) be alarmed and concerned about the security of their identity. When an individual receives multiple notices regarding the same incident, they will likely (and understandably) be confused and irritated as well as alarmed and concerned about the security of their identity.

A follow-up notice rarely contains good news, and no matter how artfully the notice is written, the mere fact that multiple notices are required for a single incident naturally raises suspicion amongst recipients as well as regulators. Multiple notices also prolong the life of an incident in the public eye and increase the likelihood of inconsistency or contradiction in an organization’s messaging, intentional or otherwise. Sometimes multiple notices are unavoidable, but organizations should do everything they can to evade stirring up confusion and skepticism.


Topics: Human Resources, Cyber & Data Security

Cyber Data Breach: Debunking Common Misconceptions

By Mike Grant, Director, Technology Practice

February 23, 2015 at 10:00 AM

As a follow-up to the previous blog post about who is responsible for a data breach, this post will cover a second misconception about mitigating the cost of a breach.

Misconception #2: “Our current insurance program will help us pay for and recover from the data breach.” 

The reality: This could be true, but it all depends on which insurance policies a company has in place at the time of loss. In recent cyber breach cases, attorneys have been struggling to find even a sliver of coverage within the various “standard” insurance policies that will help them recover. They have had some success; however, that loophole is disappearing quickly. Why? Because the insurance industry never intended for the General Liability, Property, Directors & Officers Liability or other policies to cover data and cyber threats. Now, most policies are being written with specific exclusions to remove the possibility of coverage applying to data breaches.

The good news is this: The insurance industry has created a solution designed specifically for data breaches. Specialty Cyber/Data Liability policies are available and will cover most of the costs of a data breach. Costs for forensic investigation, legal, crisis communications, notification, and credit monitoring are included in a Cyber/Data Liability policy. Beyond that, the policy can also help defend companies against lawsuits from affected individuals, regulatory investigations, Payment Card Industry (PCI) fines and penalties and more. It’s important to note that certain items are generally not insurable because they are very difficult to quantify or put a value on, such as reputational damage or loss in value from stock price declines. 

One more thing to keep in mind: each insurer writes these policies in its own way, and the quality of the offering varies dramatically. Think of it like buying a new car. Some have features that help you avoid accidents, like back-up cameras or warning signals, and others protect what you have in the car with alarms. Still others are outfitted with devices to help you get your car back if it is stolen. The same is true of Cyber/Data Liability policies. The policies offered differ in terms of basic coverages as well as the loss prevention and breach response services provided. Not sure what exactly your company needs? That’s where your broker comes in. Their job is to negotiate the best policy that fits your company’s needs and your bottom line.

To make sure your organization is prepared for a data breach, stream the seminar, “Avoiding a Data Breach Nightmare” by clicking below.


Topics: Property + Casualty, Cyber & Data Security

Cyber Data Breach: Debunking Common Misconceptions

By Mike Grant, Director, Technology Practice

February 2, 2015 at 10:00 AM

Due to recent data breaches at big name companies, awareness is high when it comes to cyber threats. Yet, misconceptions abound regarding a company’s liability and how insurance mitigates the cost of a breach.

Misconception #1: “Our company outsources critical processes to cloud providers, credit card processors and other specialty vendors. If a breach occurs, they are liable, not us.”

The reality: Forty-seven states (and many foreign countries) have their own privacy laws that identify the responsible party in the event of a breach. Even with many different privacy laws, there is consensus when it comes to identifying the victim and responsible party, and your company might not be off the hook the way you would imagine.

For example, in the case of the Target breach, the crime originated with an HVAC vendor that did business with Target. While hacking into the vendor’s computers, cyber criminals found a password that allowed them to access the Target IT system. Once in Target’s system, the hackers dropped in malware that grabbed credit card numbers during transactions made at the store. This data was then sent outside of Target’s system where the hackers could sell the credit card numbers on the black market.

To uncover the responsible party in this case, ask:  Whose customers’ data was stolen? Who was originally entrusted with that data? 

Although there were plenty of parties involved, Target is ultimately accountable because the victims of the attack are Target customers.  Target is responsible for notifying their patrons of the breach and monitoring their credit.  Throw in the high costs of the forensic investigation, legal services, crisis communication and damage to the brand and the potential loss grows.

While it’s possible for Target to recover some of these costs from the other vendors in the chain, it is dependent on the terms of the signed contract and the financial capability of that vendor to indemnify them. 

Make sure to check out our blog on the common misconception that a company’s current insurance program will help them recover from a data breach. To make sure your organization is prepared for a data breach, stream our seminar on how to avoid a data breach nightmare and download the MMA 2014 Cyber & Data Security Risk Survey Report.


Topics: Property + Casualty, Cyber & Data Security, Technology

Cyber Awakening: 2014 Data & Cyber Risk Report Findings

By Mike Grant, Director, Technology Practice

January 12, 2015 at 11:07 AM

It’s no secret that cyber security is a major business concern. After all, every few weeks another massive breach makes front page news. While awareness is high, the real impact to middle market firms gets lost in the big name headlines. In order to identify business practices and trends among emerging and private organizations, Marsh & McLennan Agency LLC recently surveyed its nationwide client base on this crucial topic.

Here are some of the key takeaways from the nearly 600 responses:

  • 80% of respondents said their business activities include at least five of the following key cyber risk factors:
      - Processing credit card transactions
      - Holding past or present employee records
      - Processing/accessing banking information
      - Using computers connected to the Internet
      - Hosting websites that collect personal or confidential information
      - Holding client, customer or supplier information
      - Using the Cloud
      - Holding information subject to HIPAA
      - Linking employee laptops/PDAs to the employer's network
  • Most respondents indicated that they outsource many of these business activities that expose them to cyber risk. Nearly 40% of the respondents have no process to ensure their protection in the event the vendor’s data is breached. Among those companies that have a procedure, most have processes that are inadequate.
  • Nearly 61% of respondents had little understanding of how their insurance policies would respond to a cyber loss. Of that group, 83% had little to no understanding of cyber insurance policies.
  • 60% of respondents do not have a corporate disaster recovery plan in place.

Topics: Property + Casualty, Cyber & Data Security, Technology

2015 Economic Trends: An Optimistic Forecast

By Trindl Reeves, Principal, Chief Sales Officer, Commercial Department

January 8, 2015 at 11:01 AM

Between the Ebola epidemic, the disappearance of Flight 370, ISIS declaring war on the world and a massive cyber attack on Sony Pictures, 2014 was a pretty scary year. However, when we look at the insurance market, we had the lowest year of insurable losses since 2009. Driven by good losses, the market is transitioning from premium rate increases to a gradual decline in rates. We can expect a lag in the reduction of rates, as it usually takes a couple of years to see big changes.

As we begin 2015, let’s take a look at what’s going on in five specific areas of insurance: Property, Casualty/Excess Coverages, Employment Practices Liability, Workers’ Compensation and Data Security.


Topics: Property + Casualty, Cyber & Data Security, Market Trends

Insurance Claims Spooky Story #3: The Scary Clown Hacker

By Yvette Beaubien, Esq., Director Property & Casualty Claims

October 29, 2014 at 10:19 AM

You sell face paint to retailers and online in the United States, but your supplier is located in a foreign country.  You regularly wire payments to your overseas vendor for face paint.  Scary clowns are all the rage this year and your clown face paint kit is selling like hot cakes—your retailers have placed another purchase order for 100 cases by October 1st. Your supplier needs you to pay past due invoices by the end of day in order to make this deadline. However, your accounts payable clerk and CFO are out of the office attending a seminar. 

You receive the email from the supplier with the amount payable and a notification that the wire transfer account information has changed. You don’t have time to wait for the CFO and accounts payable clerk to return, so you go ahead and make the payment. Two days later the supplier emails you to request payment and confirm you still want the product shipped for delivery by October 1st. You check your online bank account and see the money has cleared. The bank confirms that the money was transferred, but to an account in New York. You go back to the email you received and notice that the sender’s email address was not [email protected] but [email protected]. You’ve just been tricked in the worst way.

To avoid this trick in the future, treat yourself to the following smart business practices:


Topics: Property + Casualty, Cyber & Data Security, Technology

Insurance Update: 2014 – The Cyber Awakening

By Mike Grant, Director, Technology Practice

August 6, 2014 at 10:00 AM

Data breach is a hot topic – and for good reason. Stories about businesses getting hacked are in the news almost every day. And it’s not just large corporations or technology companies that are affected. Any business, large or small, is at risk. According to The Hartford Insurance Company, one third of the data breaches investigated in 2012 took place at organizations with fewer than 100 employees. To hackers, any information is good information, so even small companies are vulnerable.

Why should you be concerned about data breaches? Breaches can have tremendously negative effects on your business, both in terms of cost and damaged reputation. The most obvious is the cost of corrective measures needed in the aftermath of the data breach including forensic investigation, legal services, notification costs, auditing and consulting services, public relations services, credit monitoring and more. According to the Ponemon Institute’s 2013 Cost of Data Breach Study, it costs an average of $188 per individual record that has been compromised.

In addition to being extremely expensive, a data breach can destroy trust and customer loyalty. Ponemon Institute’s study pointed out that for healthcare and financial services companies in particular, the risk of customer abandonment is high post-breach. Had the breaches at Target, Neiman Marcus and other retailers been included in the study, the retail sector would have been undoubtedly at the top of the high risk category.

So what can a business do to protect itself against this threat of a costly data breach?


Topics: Property + Casualty, Cyber & Data Security, Technology
