All posts tagged cyber liability insurance

Despite Cyber Threat, Few Firms Train Staff in Security


Even the most up-to-date firewall and virus protection will not protect you against the biggest threat to your organization’s cyber security – your employees themselves.

Despite this only 45% of companies train their workers in how to prevent breaches, according to a new report released by the Ponemon Institute, even though 55% of organizations surveyed said they believe they had had a security breach caused by a malicious or negligent employee. And, 66% of respondents said employees are the weakest link in their efforts to create a strong security environment.

The report says also even when there is training, there are “critical areas that are often ignored.” According to the report:

  • 49% said training included phishing and social engineering attacks.
  • 36% said training included mobile device security
  • 29% said the course included how to use cloud services securely.
  • 67% said their organizations do not provide incentives to employees for being proactive in protecting sensitive information or reporting potential cyber threats.


With the obvious disconnect between employee training and the very real constant threat to any organization with a database, many companies are not doing enough on the personnel side to reduce the threat of cyber attacks, like hacking, malware and other malicious code.

Experian Data Breach Resolution, which sponsored the “Managing Insider Risk through Training & Culture” report, had the following recommendations of what employee training should cover to protect a business from cyber attack.


Basic courses should typically cover these topics:

  • Protecting paper documents
  • Securing protected data
  • Password security
  • Privacy laws and regulations
  • Data classification
  • Safe e-mail practices


Advanced courses should typically cover these topics:

  • Phishing and social engineering,
  • Responding to a data loss or theft
  • Mobile device security
  • E-mail hygiene.


Gamify training to make learning about potential security and privacy threats fun. Interactive games that illustrate threats for employees can make the educational experience enjoyable and the content easier to retain. There are new training technologies that simulate real phishing e-mails and provide simple ways to report potentially fraudulent messages.

Experian also recommends that employers provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues. This could include a cash reward or gift card at a local coffee shop.

Another approach to changing behavior is to have clear consequences for negligent behavior, such as inclusion in the next performance review or a mandatory one-on-one meeting with a superior.

In addition to training, you should send regular messages to employees about security and privacy practices.

If you have had a data breach, you should require your staff to retake cyber security training. A breach provides the opportunity for you to train your staff about the importance of carefully handling sensitive and confidential information.


The stuff of cyber nightmares

Negligent and malicious behaviors that keep security professionals up at night:

  • Unleashing malware from an insecure website or mobile device (70%)
  • Violating access rights (60%)
  • Using unapproved mobile devices in the workplace (55%)
  • Using unapproved cloud or mobile apps in the workplace (54%)
  • Accessing company applications from an insecure public network (49%)
  • Succumbing to targeted phishing attacks (47%).


Insured protection

While you may have strong firewalls and a solid employee training program, if you do incur a breach, the fallout can cost you. A cyber liability insurance policy can pay for recovery costs, the cost of litigation and fines and notification costs you may incur.

Call us to see if a cyber liability insurance policy is right for your organization. The chances are extremely high that at some point, your systems will be breached.

Exclusions: What Your Cyber Policy Does Not Cover

cyber security

As the threat of hacking and cyber attacks on the databases of all organizations grows, so has the uptake of cyber insurance policies. But when buying a policy and anticipating a claim, it’s important to know exactly what’s covered.

All insurance policies have exclusions for what’s not covered but, since cyber insurance is new to most companies, you may not know what isn’t covered by them.

This article will look at the most common exclusions of these policies, which –because they are still in their infancy – will vary from insurer to insurer. But for the most part, these are the typical exclusions that cut across all insurance companies.

The International Risk Management Institute in a recent blog post noted that cyber insurance buyers should be aware of the following exclusions:


Bodily injury and property damage – This coverage, standard under a commercial general liability policy, is excluded in cyber insurance as a person cannot be physically injured by having their data exposed when your business’s database is infiltrated.

However, the gray area is if someone whose data has been exposed sues you for a claim of mental anguish or emotional distress, which are often claimed by plaintiffs in data breach lawsuits. Some policies will cover this and others won’t.


Employment-related claimsThese are mostly covered by an employment practices liability insurance policy, and are thus excluded from a cyber liability policy. However, if your employees’ personal information was compromised, your policy would likely cover employment-related privacy violations.


War, invasion and insurrection – Most commercial property and liability policies exclude damage resulting from these events, as well as terrorism. But, as the IRMI points out, many cyber attacks could be construed as an act of terrorism.

Talk to us about working with the insurer to include coverage for “electronic terrorism,” so that this area is a little less questionable. “Wording of this kind would preserve coverage for hacking/intrusion-driven losses,” the IRMI wrote recently.


Patent, software and copyright infringement – This is typically covered by intellectual property insurance forms, and not by a cyber policy.

However, some broadly written cyber policies will cover defense costs associated with copyright infringement claims if they are the result of actions by a non-management employee or an outside third party.


Failure to take required security measures – When applying for a cyber policy, the application will include a number of questions regarding the steps you’ve taken to safeguard your data. If an insurer can later show that you failed to implement these security measures, a claim may be denied.

If you have a policy that has this type of exclusion, you need to be vigilant about keeping up your security measures. Not all policies have this exclusion, so if you are in the market for a cyber policy, we may be able to help you find one that doesn’t have it.


Loss of electronic devices – This is sometimes referred to as the “laptop exclusion.” Some insurers exclude coverage for data breaches that were the result of an employee losing a company-issued portable electronic device. A study by the Ponemon Institute in 2015 found that nearly 30% of all data breaches were the result of a laptop or smart phone loss.

The above are the main exclusions that a typical policy will include, but because these policies are relatively new, there is often room for negotiation with the insurance company about them.

Regardless, if you think any of these areas could create a liability for your company, talk to us and we may be able to find a policy that best suits your needs.


How to Avoid Having Your Cyber Claim Denied

You no doubt have seen our admonitions about the need for businesses to secure cyber insurance policies that can help defray the costs of an attack on your network or a theft of your employees’ or clients’ personally identifiable information.

Businesses are faced with increasing threats and cyber criminals are constantly working to devise new ways to infiltrate organizations’ databases and extract information or find some way to monetize their hacks.

Cyber insurance can help your business recover from these events, but as with all insurance, there are risks that are covered and those that aren’t – and you often will have a certain amount of time to file a claim once you’ve incurred damage.

Your claim may be denied if you file too late, don’t understand your coverage, don’t understand your exclusions or don’t get the insurance company involved early enough, according to the insurance news website PropertyCasualty 360.

In order to best ensure that your claim gets paid, you should do the following:


  1. File your claim on time

Most cyber policies are written on a “claims made” basis, meaning they will only cover claims that are made when the policy is in effect. If someone files a claim against your company after the policy expiration, it would likely be rejected.

Some policies may include language that allows claims to be made for a few months after the policy expires, but not all policies contain this language.

Also, if your organization experiences a cyber event that may eventually lead to a claim, it’s important that you notify your insurer during the policy period. This is really important because if you fail to alert the insurer about it early in the process, they may deny the claim.

You need to communicate to your staff (particularly any information technology personnel) that they need to alert management about any suspicious activity on your networks. Make sure that you create a policy for staff to report all suspicious activity so that it can be investigated further to see if it merits reporting it.


  1. Understand the depth of your coverage

Because cyber policies are a relatively new phenomenon and continuously evolving, coverage will often vary from insurer to insurer.

It’s important that when purchasing a policy that you sit down with us to discuss your exposures (such as if you store client credit card information on your servers). This can help us find the right coverage for your organization.

Coverage will vary depending on the type of business you are running, the technology you are using and what data or company intellectual property you want to protect.

Some policies will also require that you have specific protocols and software in place to reduce the chances of your data being hacked. For example, policies will require that the policyholder applies security patches, uses encryption technology and has a secure-socket layer to protect credit card data.

If you fail to have this in place when your policy is in effect, the insurer may reject your claim if your systems are breached.

Other areas that cyber policies will often differ on include:

  • Paying for any potential legal costs after a breach.
  • Paying for tools to remediate any exposure.


  1. Understand what’s not covered

All insurance policies have exclusions, and cyber policies are no different. There are many exclusions in cyber policies, but again, they vary from insurer to insurer. Examples of exclusions include:

  • If your data is compromised when sharing it with a vendor, such as a payroll provider.
  • If you have a system pipeline into a client’s network and the network is hacked.
  • Fraudulent entry into certain parts of your network systems.
  • Patent or copyright infringement.


Again, it’s crucial that you read your policy before signing and that you evaluate whether any existing or future contracts with vendors or clients fall outside the policy’s coverage area.


Two of the major areas of coverage you may want to look for in exclusions are:

  • Will the policy cover data that is stored outside of your network, either on the cloud or on a vendor’s network?
  • Will externally generated data be covered if a breach occurs within your system?


  1. Get the insurer involved early

When in doubt, reach out to us or the insurance carrier if you think you’ve had a breach. Even if it’s just asking questions or trying to clear up your uncertainty, it’s better to contact the insurance company so that the event rises to its radar.

It’s better to reach out early because it will give the insurer a chance to investigate the matter and determine if there has been any exposure.

This will give you peace of mind that you will be protected should the matter rise to the level of a genuine claim.

The worst thing you can do is to wait until after you’ve started receiving complaints from customers, vendors or regulators. At that point your insurer will have a much more difficult task on its hands.

Getting the insurer involved early will let it get ahead of the claim, which makes managing it easier – and it can limit the amount of fallout.

Five Reasons You Need a Cyber Liability Policy

The hacking threat is growing with each passing year. There are crooks out to steal data from companies, sometimes to turn around and sell personally identifiable information or credit card numbers to identity thieves and scammers.

Other cyber criminals are just out to create mayhem, shutting down websites and creating denial-of-service attacks that grind business operations to a halt.

The problem for your business is that if hackers walk away with your employees’ social security numbers, they can do serious damage to their credit lines – and in some cases even sell their identities.

The likelihood of any of the above scenarios affecting your company is growing year by year.

In any of the above cases, cyber liability insurance would pay for the costs of responding to an attack. And while you might think that insurance that protects you in case of a cyber attack is for only large companies, in recent years hackers have started targeting smaller companies in greater numbers than large ones.

If you haven’t thought about buying a policy, here are some reasons you should:

  1. It’s affordable  – Premiums for most small companies are usually $1,000 to $2,000, depending on your exposure. You can get coverage as high as $30 million and deductibles as low as $10,000, depending on your needs and what you’re willing to pay. Cyber liability insurance is still fairly new, and that means policies will vary from one to the other. In some cases you can even negotiate some parts of the coverage.
  2. Broad coverage – Most policies will pay for business interruption, the cost of notifying customers of a breach, and even the expense of hiring a public relations firm to repair any damage done to your image as a result of a cyber attack. Policies will also cover any penalties you may incur from government agencies. Having such broad coverage will help you weather the storm and keep your business viable.
    Business interruption coverage can be especially important for a small business. That’s because they are typically not as diversified as larger companies and lack the same financial resources.
  3. You likely don’t have a risk manager on staff  – While most big companies have a department dedicated to reducing risks, most small and mid-sized firms don’t have that same luxury.  If you are buying a cyber liability policy, you can sometimes receive assistance like analysis of your firewalls as well as making sure you have social media policies in place to reduce the chances of being hacked.
    Your insurer may be willing to help with these areas because the better protected you are, the less likely you are to have a breach that could result in a claim.
  4. Outsourcing data hosting won’t save you – Even if you don’t host your data yourself, you’re still responsible for that data. So even if you are using a cloud storage solution for your data, you need to read the fine print of your contracts.
    The problem is that you can’t control how a cloud provider handles your data, but an insurance policy can protect you if your cloud provider errs.
  5.  Your business liability policy won’t cover you – Typically, a general liability policy specifically excludes losses incurred via the Internet. In other words, the cyber liability policy gives you protection you won’t have in other policies.

    Make sure your cyber policy covers laptops and mobile devices as well, to give yourself coverage in as many situations as you can.
    Finally, we can help. You can work with us to integrate cyber liability with your general policy and employment liability policy. Talk to us and we can help you achieve seamless coverage.


The Anthem Breach and Employer Liability

By now you’ve surely read about the massive cyber breach at the second-largest health insurer in the country, Anthem Inc.

Hackers breached the insurer’s database with information on its 40 million customers and employees in the US. It’s still not clear just how much information the hackers got their hands on and if that data includes personally identifiable information that could be used for identity theft.

The hack illustrates not only the escalating threat of cyber attacks on the health care community, but also raises questions of employer liability if a company has purchased its group health policy from an insurer that is hacked.

Security experts say cyber criminals are increasingly targeting the health care industry. They say that many of these companies are easy pickings because they are using aging computer systems that don’t include the latest security features.

Anthem is not the first to be hit. Community Health Systems Inc. last year said Chinese hackers had broken into its computer network and stolen information on 4.5 million patients.

According to the Ponemon Institute, the percentage of health care organizations that have reported a criminal attack rose to 40% in 2013 from 20% in 2009.

The information that the hackers breached in Anthem’s case included current and former customers and employees.


What’s an employer to do? 

Whether an employer using Anthem as an insurer has a notice-of-breach obligation to its affected employees depends on a few factors.

The obligation to provide notice of a breach of “personally identifiable information,” (names, Social Security numbers, addresses and more) and “protected health information” – such as certain enrollment information and individually identifiable health information related to past, present or future medical care – is governed by both federal and state laws.

Because it holds troves of information on its enrollees, Anthem is primarily responsible for specific notification obligations and it has announced that it will inform affected individuals by e-mail or letter, or both.

Whether an employer using Anthem as an insurer has a notice obligation to its affected employees depends on a variety of factors.

The federal Health Insurance Portability and Accountability Act (HIPAA) imposes specific notice and disclosure obligations on health plans in the wake of a breach of protected health information.

In cases where Anthem is acting as an insurer, and the employer does not maintain or transmit protected health information, the notice and disclosure obligation is Anthem’s. Anthem’s notice efforts now underway appear to reflect the company’s understanding that it has the obligation.

If a health plan is fully insured by Anthem, the employer may not actually acquire, maintain or transmit the plan’s protected health information.

Generally, it is the insurer’s responsibility to notify affected individuals. That said, health plans and their business associates may agree upon who will actually supply the notice.

The federal Department of Health and Human Services, which oversees federal enforcement of HIPAA, encourages plans and their business associates to consider which of the two is in the best position to provide notice to affected individuals.


Financial consequences for employers

Cyber-security experts say the cost of responding to a breach of this magnitude can range from $100 to $230 per affected individual. In the case of Anthem’s breach, based on statements by the insurer, it will bear the costs of notification.

If an employer does incur costs from a breach, it may or may not be reimbursed by insurance.

Direct costs, such as notification, legal, public relations, call center, or credit/identity monitoring cost, would likely be covered if the employer has a cyber-liability insurance policy, especially if it is determined that the employer is legally obligated to respond to the breach.

If a lawsuit or other claim is filed against the employer for damages related to the Anthem breach, the privacy liability insuring agreement in the employer’s cyber policy may provide coverage for defense costs and damages associated with the claim.

Other policies, such as directors and officers and general liability coverage, may also provide some cover. But that would be determined by the policy language and any exclusions the policy has.

If you ever do experience a claim in this regard, you should contact us to help you determine which policy could be tapped for coverage.

cyber bomb

Business Lessons from the Sony Pictures Attack

ON THE hacking scale, the attack on Sony Pictures’ computer systems is pretty much the worst-case scenario for any business.
The amount of data breached is shocking: scripts were leaked and as-yet unreleased movies were also stolen and loaded up to pirate movie download sites.
Social Security numbers and details for a trove of big stars, including superstars like Sylvester Stallone, were also published online, in addition to Social Security numbers of 47,000 current and former Sony Pictures employees.

Furthermore, many employees’ computers were compromised, with all of the data stolen before the malicious software the hackers installed wiped entire hard drives clean.
The financial damage could easily reach into the hundreds of millions of dollars. And while it’s surmised that the North Korean government was behind the hack, the attack illustrates what could become the future of corporate warfare.

Imagine companies hiring overseas gangs to infiltrate a competitor’s data bases.

Sound far-fetched? You shouldn’t bet on it. The Sony hack has set a new bar for cyber espionage and sabotage.

Anyone who runs a business – whether it’s a mom-and-pop shop or a multinational behemoth like Sony – needs to pay close attention to what happened, and begin to take data security seriously.

Though even the FBI has said that few companies – as little as 10% – could have prevented an attack like the one that targeted Sony, much of the damage could perhaps have been avoided had the company had better data-security protocols in place.

Claiming helplessness in the face of a big hack is not a good strategy.  A breach is often an enterprise-level problem.
Sony’s teachable moment is that security has to start at the top and must be part of a company’s corporate culture.

Mindful culture
Any time a hack is perpetrated, company leaders can wind up in the spotlight, whether their personal e-mails were leaked or not. Management must learn to demonstrate a level of sophistication, nuance, sensitivity and respect when communicating internally.

Also, the Sony hack shows that many managers are too flippant in their e-mail exchanges, which can often including harsh criticisms of others. It could even be argued that the lack of respect exhibited in e-mails shows up elsewhere in companies – such as a lackadaisical attitude towards data security that puts personally identifiable information of employees at risk.

To be sure, few companies put under the microscope like Sony would come out looking clean. Is it unreasonable to ask for spotless behavior throughout your organization? Of course it is. Given the reality, however, it’s wise to assume you’ll eventually be hacked. So be good… or at the very least consider picking up the phone if you have something to say that you wouldn’t want to be broadcast on the evening news.

Take care of your assets
In the case of Sony, films were stolen, as were a lot of other assets, including scripts, budgets and even contract negotiations. How can this be prevented?

The first step for companies is to truly take ownership of their assets. Ownership is a state of mind that requires upkeep and vigilance to protect what’s yours. Ownership creates security. Ultimately, this starts with corporate leadership, since fostering a sense of ownership among employees is a trickle-down process.

Maintain a strong culture
A strong corporate culture is constantly evolving. It stays ahead of the curve through clear leadership and a culture where employees feel invested in their work, i.e., they take ownership of the tasks assigned to them. A state of readiness through a culture that puts security first is the only way an attack can be properly contained and managed.

The reality is that any company – whether it’s the size of Sony Pictures or a local online retailer – can be put out of commission in such a spectacular and specific way.

Other tips:
Back up your data – The backup should include the operating system, application software, and data on a machine. Multiple backups should exist in different locations.

Network monitoring – The annual “Verizion Data Breach Investigations Report” consistently points out the need for organizations to monitor security systems. It recommends the use of software that can identify suspicious patterns that could signal an attack in progress.

Antivirus not good enough – The group behind the Sony attack reportedly used destructive malware, wiping the hard drive and the boot loader, making systems virtually unrecoverable. A new class of advanced threat detection and breach detection solutions is available and can inspect both network traffic and endpoint systems for subtle signs of an infection.

Password management – Employees should be trained to use strong passwords. Passwords for different accounts should be different. When possible, single sign-on should be implemented to avoid password fatigue. IT policies should dictate how often employees change passwords and enforce stronger password creation.


Rising Danger of Hacks Spurs Need for Comprehensive Strategies

The “root cause” of the credit and debit card data breach at Target Corp. last year was the company’s lack of a chief information security officer (CISO).

That’s according to a former Target manager who made the comment during a talk at the “Work-Bench Enterprise Security Summit,” according to press reports.

The news came in the same week that the Ponemon Institute released a new study, which found that 43% of enterprises experienced a data breach in 2013 – up from 33% in 2012.

The study also found that the cost incurred for each lost or stolen record containing sensitive and confidential information increased to an average of $201 per record – or $5.9 million per breach. Those costs are up from $188 per record in 2012, and $5.4 million per breach.

The lesson from these two news items is that no business can afford a lackadaisical attitude towards cyber security, as hackers and other cyber threats are targeting small and large businesses alike. And while CISOs are out of reach for most companies because of the cost, there are outside consultants in the market who can review your plans and develop a strong security plan for your organization.

The primary reason for the increase in the cost of a breach is the loss customers incur following the data breach due to the additional expenses required to preserve the organization’s brand and reputation. In fact, the average rate of customer turnover or churn increased by 15% since the previous year in Ponemon’s study.


The study found that data losses were mainly caused by:

  • Malicious or criminal attacks (44% of companies reported this as the reason for their breach). These were the most expensive breaches, at $246 per record.
  • Employee negligence (31% of organizations). This factor typically cost the organization $160 per record.
  • System glitches (25% of organizations). This factor cost organizations an average of $171 per record.


Fighting the threat

While most companies are not the size of Target and cannot afford to have a CISO on staff, you can still learn from Target’s mistakes. Karl Mattson, who worked at Target from 2008 until 2013 – most recently as manager of cyber and global intelligence – said that the lack of a security culture was Target’s undoing.

Besides not having a solid infrastructure in place to prevent the breach, Target also responded poorly. When the company’s intrusion-detection software discovered the suspicious activity and alerted Target’s IT staff, the company did not take immediate action, he said.

However, many companies are turning to virtual CISO engagements. These are security executives for hire, and they will help develop a security roadmap for their clients.

They will typically conduct reviews of your information security, breach response plans, sensitive data, database, and more.

After the reviews, they will usually produce a report with recommendations for improvements in your policies, security framework, security culture, and more. They will also help you implement the recommended strategies – and they are typically on call in case of a breach.

Finally, whatever route you take to protect your data, you need the final backstop: A cyber liability policy. This will help cover the costs of a myriad of expenses such as data recovery, breach notification, remediation and more.


cyber thief