Propel provides innovative insurance solutions to thousands of companies across the country. We make it our business to know your world inside and out.
Cyber Security
Cyber Update – Summer 2018
Information security and the methods and goals of computer hackers are constantly evolving, and Cyber Liability Insurance must likewise adjust to these new threats and liabilities.
The latest developments as of April 2018 are as follows:
New and Increasing Threats and Exposure
1. Executive Email Takeover – Incidents of criminals breaking into email systems and taking over the accounts of corporate executives are on the rise. Hackers’ goals are to steal two things: information (Personally Identifiable Information or “PII”) and money, through automatic clearing house transfers or wire transfers.
2. Corporate Computer Weaponization – Hackers are increasingly using servers and hard drives of an unsuspecting company to either store stolen information or use the servers as a launching platform to attack other companies’ networks.
3. Ransomware – Ransomware attacks continue, and, as the price of Bitcoin (the currency typically demanded by hackers) goes up, so does the real dollar cost of the ransom demand. As an example, the ransom demand to the City of Atlanta in a recent ransomware attack was $51,000, which the city did not pay.
Lessons Learned:
i. Back Up Everything – Companies can survive ransomware if they back up not only their data but also structural components of their network, such as “Golden Images,” which can sometimes also be compromised by ransomware.
ii. Be Prepared to Replace Hardware – If hardware such as laptops is numerous and critical to operations, be sure to have a strategy for replacing it quickly if it is all compromised by a ransomware attack.
4. New European Regulations – The General Data Protection Regulation (GDPR), a new European Union cyber law, goes into effect May 25, 2018. It applies to companies that have in their possession information of any European Union citizens.
5. Social Media – Recent disclosure of a data breach on Facebook has companies reviewing their policies, in particular whether or not they should be interacting with customers on social media platforms such as Facebook or Instagram.
Insurance Developments
Overview: Greater Focus – Insurance companies continue to focus on Cyber Insurance, meaning that they are offering new, broader policy forms that automatically include coverages such as business interruption and data restoration; providing expanded education for insureds and insurance professionals; and creating resource libraries and question hotlines that are more sophisticated and robust than earlier versions.
- Broader Forms – Original policies covered just liability and breach response costs (legal fees, computer consultants, public relations, notification expenses), but now policies also include:
  - ransomware extortion payments,
  - business interruption costs such as renting temporary facilities,
  - lost business due to systems failures, cloud or web hosting provider outages, and
  - network corruption and computer configuration errors.
- Increased Access to Legal Advice – Carriers are offering more and better access to Breach Coaches and Breach Response Team legal resources at lower deductibles (or first dollar coverage).
- Discounted Services – Some carriers are offering various additional services at discount rates, such as pre-breach preparedness training including table-top crisis management exercises, threat intelligence, and risk assessments.
Continuing Issues
- Accidental Data Breaches – Accidental disclosure of PII by employees remains a significant problem, causing about one third of all data breaches.
- Fines and Penalties – Various government regulators, such as the Office of Civil Rights of the Department of Health and Human Services, which oversees HIPAA, continue to seek multi-million-dollar fines against companies who negligently allow unauthorized disclosure of protected healthcare information.
- Negative Publicity – News organizations continually report data breaches. Even the smallest breaches, if there is a human-interest element, can result in negative publicity in the local press.