Are You Prepared to Deal With a Cyber or Other Business Data Breach When Your Number’s Up?
By Scott Reid, National Director of Cyber Insurance for Gallagher Affinity Insurance Services
No business or industry appears to be immune from making headlines as the next victim of a cyber-attack or data breach. The massive breach of Equifax is only the latest in a long string of data breaches that reportedly includes 95 percent of the Fortune 500 companies in America. Government agencies, including the IRS, the CIA, the Defense Department, the Office of Personnel Management (OPM) and even the White House, have all been hacked or had data compromised. But the real story is that for every large business that makes headlines, there are thousands of small to mid-sized businesses, including those owned by NAWBO members, that have experienced a data breach of some kind that never became a news story. Small businesses have become attractive targets because they hold the same types of confidential information about their customers and employees as larger companies, but without the same level of security measures in place. Most are easy prey.
With more than 2 billion records lost or stolen in 2017, the sheer volume and diversity of attacks are both staggering and frightening. Making things worse, the number of ways data breaches happen continues to grow. Data breaches are not limited to the hacking of a computer or server. A data breach encompasses any way that information is lost, stolen or inadvertently disclosed: laptop theft, lost USB memory sticks or portable drives, a lost mobile phone containing confidential client data, an e-mail with confidential information mistakenly sent to the wrong person, and the theft or improper disposal of paper documents. All of these constitute a “data breach.”
Given the many ways your business data can be compromised, the problem can become overwhelming, especially for a small or mid-sized business. If the largest corporations, as well as the massive infrastructure of the Federal Government, can’t keep their data safe, how is a NAWBO member business supposed to deal with this threat?
The First Step
The first step is to acknowledge your business is at risk. No matter your size and no matter what type of data you maintain, your customer and employee data can be targeted, and it must be protected. In today’s business climate, your clients, your employees and increasingly state and federal regulators all expect you to be able to safeguard confidential and private information. This is no longer something NAWBO members can ignore; it’s a fundamental part of managing and growing a successful business.
Information security risks should be viewed no differently than how your business addresses other risks. Your company maintains Workers Compensation Insurance to protect your employees from on-the-job injuries. But you also take the steps necessary to prevent employees from getting hurt in the first place, through training and safety programs. Your business property is insured against damage, fire and theft. But you also take reasonable steps to protect your assets and prevent catastrophic damages. Cyber and data breach risks should be addressed in the same manner.
The good news is that even a little preparation and prevention can go a long way. Performing an independent, third-party risk assessment can help your business identify potential threats and see where you are out of compliance with federal, state and industry requirements for information security. After the initial assessment, protocols should be put in place to make sure proper security measures are implemented and followed at all times. Ongoing monitoring and testing of the key areas identified during your risk assessment are crucial to your security success. An independent outside review of your overall security plan is important even if you have a strong internal or outsourced IT department, because it can identify weaknesses and areas of compliance in need of improvement that the people running the systems day to day may not see.
Every business and organization should have a well thought out information security plan, including the proper policies and procedures that protect against data breaches and also ensure compliance with data security requirements. Having a formalized security plan is the second part of a three-part strategy.
You will also need a breach response plan in place to help you deal with the aftermath, so that when you have even a small breach incident or event, you will know what to do to minimize the damage to your business and your reputation. Your business will need to respond quickly to contain the loss, notify the people or businesses affected, provide them with identity theft protection and be prepared to pay for other damages and regulatory fines associated with the breach.
Having Cyber and Data Breach Insurance in place is the third part of the strategy, and can provide the advantage of knowing who to call at the time of the breach, as breach response services are offered as part of the insurance coverage.
The Role of Cyber and Data Breach Liability Insurance
Cyber and Data Breach Liability Insurance provides the critical coverage necessary to help protect NAWBO businesses of all sizes from the high costs of a cyber or other type of data breach-related incident. It helps your business absorb the costly fines and penalties that can be levied on a company following a breach. Cyber Insurance will not prevent an attack, but it can allow you to survive one.
The insurance provides coverage for first-party expenses such as breach response, breach notification and credit monitoring, forensic analysis, public relations consultants, cyber extortion payments, business interruption costs for loss of income, and data restoration costs. Additionally, the policy covers third-party liabilities such as violations of privacy laws, multimedia liability, regulatory fines, compensatory payments, PCI assessments, and the legal defense costs, settlements and judgments of lawsuits brought against your business.
Insurance can’t eliminate a data breach or be a replacement for data security, but it can provide a backstop of financial relief. Cyber and Data Breach Liability Insurance helps tame the significant financial hardship of a cyber-attack and/or data breach by offering coverage to help you with the associated costs of an event. The response costs associated with minimizing the damage of a data breach or cyber-attack can be extensive and can even put a company out of business.
NAWBO Is Here to Help
As if running a small to mid-sized business today was not hard enough, the constant threat of a cyber-attack on your business, or of experiencing some other form of data loss, only adds to the difficulty of trying to succeed. As such, NAWBO National is now offering its members exclusive access to a diverse suite of Cyber and Data Breach Solutions, including threat and risk assessments, ongoing monitoring and compliance options, and the increasingly necessary Cyber and Data Breach Liability Insurance. More information can be found in the Member Benefits section of the NAWBO website. As a member, you can see your actual rates (which start as low as $199 a year for cyber insurance) by simply answering a few short online questions about your business. Each of the programs can be set up online and put into effect within minutes.
Every business is at risk. But a cyber-attack or data breach on your business doesn’t have to be lethal…not with some basic preparation, planning and insurance coverage.
Real Cyber Insurance Claims Submitted By Members In the Last 30 Days:
Consulting Firm in Wisconsin
A manager accepted a position with a competitor. Upon learning of this, the firm immediately terminated the manager. Investigation of the manager’s computer and e-mail discovered that the former employee had stolen hundreds of pages of proprietary forms, internal documents, a spreadsheet with client names, internal file numbers and notes, and a copy of the firm’s “Rules and Guidelines.” Costs incurred will include computer forensics, digital intelligence and attorney fees.
Plumbing Supply Company in Kentucky
This company was the victim of a ransomware attack that disabled all workstations and completely debilitated the company and its ability to transact business over a 10-day period. Costs incurred include lost business income, digital forensics, incident response services, public relations and attorney fees.
Contractor in Ohio
A phishing e-mail requesting invoice payment was sent to the accounting office of this company. A wire transfer for more than $20,000 was fraudulently sent to a company that did not exist. Costs incurred include the $20,000 lost, attorney fees and computer forensics to confirm there was no malware hidden in the system.
Law Firm in Idaho
The firm was the victim of a “cyber incident” when a firm-owned laptop used by an employee was stolen from a vehicle. Legal counsel was retained, as well as a computer forensics team to determine the scope of the breach. In addition, costs were incurred notifying all clients and investing in marketing to smooth the public perception of the incident and rebuild trust in the firm.
ABOUT THE AUTHOR
Scott Reid is the National Director of Cyber Insurance for Gallagher Affinity Insurance Services, which specializes in providing insurance programs to associations and trade groups like NAWBO. He is also the Executive Director of the Cyber and Data Security Alliance, a coalition of U.S.-based businesses working to combat the rise of foreign cyber-attacks against American businesses, and a member of the National InfraGard Partnership, an association of representatives of businesses, academic institutions, the FBI, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile cyber acts against the U.S.