cyber insurance

PROPERTY & CASUALTY NEWSLETTER: August 2018


The General Data Protection Regulation (GDPR) is a European Union (EU) data protection law that applies to all individuals living in the EU and European Economic Area (EEA) but has big implications for U.S. companies doing business around the globe. The law aims to put EU residents in control of their personal data. It regulates how their data is collected, processed, stored, deleted, transferred and used. U.S. companies doing business in the EU and EEA had to comply with the regulation by May of this year or face stiff fines of up to 4 percent of annual global revenue or $20 million, whichever is higher. But many companies are struggling to reach the level of compliance required.

This law has implications for nearly every global industry, including healthcare, legal, finance, insurance and consulting. When it comes to targeted industries, finance has a bullseye on its back. Because of this, financial organizations already have processes and technologies in place to detect and respond to breaches, thanks to industry regulation by bodies such as FINRA.

GDPR brings a huge shift for U.S. businesses in terms of post-breach notification requirements, potential issues with the insurability of GDPR fines, and the imposition of equal liability on data owners and data processors.

Data breaches and cyber attacks are the new normal: massive attacks are reported daily, and most breaches involve personal data.

The United States doesn’t have a federal law like the GDPR, but some states are putting similar regulations in place. New York’s, the Department of Financial Services cybersecurity regulation (23 NYCRR Part 500), became law in March 2017. This regulation protects citizens and consumers by requiring covered businesses to have secure cyber systems in place to safeguard the confidentiality and availability of identification and financial information. If their systems are breached, they must be able to detect the breach and respond to it immediately to mitigate it. They also must report the event and begin a cyber audit to identify how the breach occurred.

IT departments around the globe were scrambling to meet the May 2018 GDPR deadline, but many U.S. businesses remain non-compliant and have purchased cyber insurance to rely on in case of a breach. Cyber insurance can help cushion the cost of a breach, including secondary costs like the expense of containing, communicating, investigating and remediating the hack. However, many insurance policies don’t cover fines for non-compliance with GDPR principles. That is why multiple layers of defense are needed. Such layers could include technical and organizational controls that protect the integrity and confidentiality of EU personal data.

To be compliant, some businesses will:

  • Discover and classify all personal data
  • Create a plan to close all identified protection control gaps
  • Devise and communicate a data privacy policy
  • Encrypt all personal EU data
  • Develop a processing policy
  • Partner with third parties that process personal EU data on their behalf
  • Produce a process to test the effectiveness of data protection controls
  • Enhance security controls: monitor, detect, respond and report all policy violations and external threats.


Adhering to a compliance and standards-based framework can help businesses attract and retain more customers. By building trust with consumers, businesses can differentiate themselves and grow in an ever more competitive global market.

If you have questions about this article or cyber insurance, contact a cyber insurance expert at The Plexus Groupe at 847-307-6100.


Cyber attacks don't just affect computer systems. Your machinery may also be at risk.


Cyber attacks threaten the financial stability of a company. The steep monetary burden of a cyber attack isn't exclusively tied to damaged digital assets, lost records, and the price of investigating and reporting a breach. Damage to an organization’s physical assets can be just as harmful.

The physical damage from a cyber attack typically occurs when a hacker accesses a computer system that controls equipment. Examples include technology-based controls in a manufacturing plant, refinery or electric generating plant. Once a hacker gains access to the system that runs an organization’s machinery, they control the machinery too.

These types of events can lead to major disruptions and costly damages. To safeguard physical assets, it’s critical for organizations to understand the types of businesses and assets that are exposed to these attacks.

What’s at Risk?

Let's compare a cyber attack to a natural disaster or other industrial accident. Following these kinds of incidents, organizations can incur costs to repair and replace damaged equipment in addition to any lost revenue caused by the disruption.

Unlike natural disasters, however, cyber attacks that result in physical damage aren’t limited to a geographic location and can impact an entire network. This means damages caused by a breach can be widespread, affecting multiple sectors of the economy depending on the target.

Because of this, cyber attacks that cause physical damage are often dynamic and extensive. When an attack on critical infrastructure occurs, it not only affects business owners and operators, but suppliers, stakeholders and customers.

Who’s at Risk?

Cyber attacks that cause physical damage — including the targets, assailants, motives and means of the attack — are constantly evolving.

Incidents can occur in a variety of ways, including: phishing scams, internet exchange point attacks, breaches of unsecured devices and plots carried out by rogue employees.

Many experts deem power and energy sector organizations the most at risk. However, vulnerabilities also exist in utilities, telecommunications, oil and gas, petrochemicals, mining and manufacturing, and any other sectors where industrial control systems (ICSs) are used.

ICSs are computer systems used to monitor and control physical processes as well as streamline operations and repairs. ICSs are often not designed with security as a primary consideration, which leaves them susceptible to attack. And, for many automated processes, attacks don’t even need to cause physical damage to result in significant disruption and losses.

The targets of cyber attacks vary greatly by industry, and the damage can be extensive due to the interconnected nature of ICSs.

Real-World Examples

Organizations are not always required to report cyber attacks, so many go unreported. However, a number of high-profile incidents demonstrate how important it is to consider infrastructure cyber exposures:

→ Ukrainian power grid attack. This was a multisite attack that disconnected seven 110 kilovolt (kV) and three 35 kV substations. The attack resulted in a power outage for 80,000 people and lasted for three hours. The attackers, who gained their foothold through a phishing scam, caused substantial, prolonged disruption to the economy and general public.

→ Saudi Arabian computer attacks. Hackers destroyed thousands of computers across six organizations in the energy, manufacturing and aviation industries. A simple virus stole data, then wiped and bricked the computers. Not only did this mean critical business data was lost forever, but all of the damaged computers had to be replaced — a substantial cost for businesses of any size.

→ Petrochemical plant attack. This attack targeted a Saudi Arabian petrochemical plant. The unique attack wasn’t designed to steal data, but rather sabotage operations and trigger an explosion. The only thing that prevented an explosion was a mistake in the attackers’ computer code. Had the attack been successful, the plant would likely have been destroyed and many employees could have died. Experts are concerned that similar attacks could happen across the globe.

→ Hospital ventilation attack. In this incident, a hacker was able to control a hospital’s HVAC system using malware. This attack put the safety of staff, patients and medical supplies in jeopardy, as the hacker could control the temperature of the facilities.

Cyber attacks will likely become increasingly common, as technology advances and hackers become more creative. Even more concerning is that these kinds of attacks not only endanger a company’s data, reputation and finances, but human lives as well.

How Do I Protect My Organization?

Insurance coverage for cyber attacks is still in its infancy, and your organization may have gaps in protection. Even if your property insurance policy includes physical or nonphysical damage coverages, you may not necessarily be covered for first- or third-party losses from cyber attacks.

The level of protection your company has depends largely on the structure of your policies. Therefore, it’s critical for businesses to do their due diligence and understand if their policies do the following:

→ Impose any limits on coverage, particularly as it relates to physical damage of tangible property.

→ Cover an attack and any resulting damages.

→ Provide contingent coverage for attacks that aren’t specifically targeted at the organization.

There are a number of steps businesses can take by themselves to protect their physical assets. In addition to implementing a cyber risk management plan, businesses should consider the following:

→ Keep all software up to date.

→ Back up files regularly.

→ Train employees on common cyber risks and what they should do if they notice anything suspicious.

→ Review your exposures and speak with your insurance broker to discuss policy options for transferring risk.

Contact Us

Have questions about today's newsletter or other commercial insurance matters? Contact a property and casualty client executive at The Plexus Groupe at 847-307-6100, or reach out via the Web.

Disclaimer and publishing credit: This Risk Insights is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2018 Zywave, Inc. All rights reserved.

Three ways cyber insurance can save the day for businesses

Three recent news items highlight the importance of cyber insurance and show how the coverage can make a major difference for businesses:

News Item No. 1: Confidential customer data accidentally shared: According to The New York Times, a lawyer for a firm serving as outside counsel for a financial company mistakenly sent confidential personal financial information on at least 50,000 financial advisory clients to another attorney. The client data included Social Security numbers.

How cyber coverage can help your business in a similar situation: Accidents happen, and a cyber liability policy covers the unintentional or accidental release of data.

News Item No. 2: Ransomware inflicts financial pain on hospital: A New York hospital estimates a ransomware attack on its computer systems cost almost $10 million, per The Buffalo News, with some of the expense due to “the loss of business during [system] down time.”

How cyber coverage can help your business in a similar situation: Commonly offered in cyber policies, business interruption coverage kicks in when a cyber incident, such as an attack, halts operations. The payout can help reduce the impact of a costly operations shutdown.

News Item No. 3: Small businesses hurt by cyber attack on shipping firm: In late June, the NotPetya ransomware attack affected many businesses worldwide, including a major European shipping firm. According to the BBC, the trickle-down effect of delayed shipments on smaller businesses in the United Kingdom has been “debilitating,” the Federation of Small Businesses said.

How cyber coverage can help your business in a similar situation: Worried about an external logistics issue hurting your ability to buy or sell your products? Adding a cyber dependent interruption endorsement or a contingent business interruption endorsement to your cyber policy might make sense for your firm.

Let Plexus lend a hand

For more information on The Plexus Groupe’s cyber risk management solutions or an overview of the protection cyber coverage can provide, contact Client Executive Willie Lindsey at 847-307-6163 or wlindsey@plexusgroupe.com. You can also contact us via the Web.

When cyber attacks make a mess, cyber insurance can make all the difference

There is a cost to cyber liability insurance.

But it might be time to think of cyber coverage as not just a line-item expense, but as a cost-savings measure.

Quite simply, cyber attacks can be very expensive to clean up.

In a recent study of 160 cybersecurity incidents from 2012-2015, cyber risk assessment experts NetDiligence found the median insurance claim was for nearly $77,000, with the “typical” claim landing between $30,000 and $263,000 in value.

The NetDiligence 2015 Cyber Claims Study also found the following:

-- The median expense for legal defense was nearly $75,000.

-- The median expense for “Crisis Services,” including ID and credit monitoring, was about $60,000.

-- A median cyber breach resulted in 2,300 lost records.

-- The median cost per record lost in a cyber breach was $13.

The need for cyber insurance

The numbers above tell a story about cyber crime.

But how does it affect your business?

Quite simply, all businesses possess some sort of employee data. And no matter your business, employee data will be attractive to cyber criminals — hackers looking to make a score on the black market.

Still, hacking can be a hard topic for businesses to grasp. It may even seem outlandish, the idea of some shadowy figures hunched over laptops, diabolically plotting to steal your data.

But the numbers suggest hacking is more than just an abstract threat. To wit: criminal activity was responsible for more cyber insurance claims in NetDiligence’s study than any other cause. Nearly a third of the loss claims stemmed from hacking.

However, cyber risks aren’t just confined to hackers trying to snatch your data. Internal threats can’t be discounted, either, as the NetDiligence study showed. About one-third of claims had some sort of “insider involvement” component, according to the survey. And “rogue employees” were responsible for 11 percent of the cyber claims studied.

Cyber insurance, however, can cover losses inflicted by workers gone rogue. Cyber insurance can also cover the costs related to a breach led by outside threats, including legal fees and ID monitoring. In some ways, cyber insurance can be the firewall behind the firewall for your business.

Let Plexus help.

Every business faces cyber risk. You might not see it, but it is there, and it is here to stay. We’ll give you the clear data you need to make the right decisions, including a detailed, company-specific cost estimate of a breach of your firm’s data. Contact a Plexus client service team member at 847-307-6100 for a consultation, or contact us via the Web. Let's have a conversation.
