Cyber Liability – From Headlines to Reality

What you need to do protect your company from cyber threats

The vast majority of companies will be hacked! According to a Duke University/CFO Magazine Global Business Outlook Survey released last year, 80% of all U.S. companies and 60% of large companies will be successfully hacked. As we turn to a more digital age, criminals are getting smarter. Companies are faced with creating cost-effective strategies that deal with the new normal—constant cyber risk to the organization. Luis Aguilar, Commissioner, U.S. SEC, states, “Boards are responsible for overseeing how management implements cyber security programs…directors [are] on notice to proactively address the risks associated with cyber-attacks.” The average total cost of a breach, according to IBM’s 2017 Cost of Data Breach Study is now at $3.62M

According to Ana Tagvoryan, Partner, Blank Rome, “The first most important thing to think about is whether the executive has a well-trained team that is ready to address cybersecurity risks and data breach responses. Having an experienced team (whether in-house or external) to evaluate the security and response measures is crucial to identifying, avoiding, and mitigating risk. Second, the executive should secure cyber liability and data breach insurance policies that cover both direct costs associated with data breaches as well as costs associated with identity theft protection and lawsuits stemming from the breach.”

Top Three Trends Driving Security Risks

1. Ransomware

In light of the most recent and world’s largest ransomware attack “WannaCry,” companies are reminded how important it is to have tight cyber security measures in place. More than 200,000 computers in 150 countries were infected. The leading cause of a ransomware infection is a phishing email scam followed by a lack of employee awareness. Ransomware has evolved past today’s top defense solutions. Ninety-three percent of IT service providers report customers victimized despite Antivirus/AntiMalware software in place.

[To read more of Lars Rathje’s thought leadership click here]

2. Phishing/Social Engineering

The information these criminals are targeting can vary, but they are usually trying to trick you into giving them your passwords, bank information, or access to your computer to install malicious software. Agari conducted a survey in 2016 which states that 60% of corporations say they were, or have been, the victim of at least one targeted social engineering attack in the past year, and 65% of those who were attacked say that employees’ credentials were compromised as a result. In addition, financial accounts were breached in 17% of attacks.

3. Data Hacks

2016 was a record year for data hacks. According to the Identity Theft Resource Center, data breaches are up 40% from 2015. In July 2015, hackers broke into the UCLA Health System’s computer network, potentially gaining access to the personal information of 4.5 million patients. Target had an exposure of nearly $40M due to their 2013 data breach which ultimately led to the exit of its CEO. Sony’s data breach cost them $1B from lost business, various compensation costs, and new investments.

“The leading cause of a ransomware infection is a phishing email scam followed by a lack of employee awareness. Ransomware has evolved past today’s top defense solutions. Ninety-three percent of IT service providers report customers victimized despite Antivirus/AntiMalware software in place.

Customized Approach to Addressing These Cyber Threats

Your approach to implementing an effective cyber protection program needs to address specific risks associated with your business or industry. “A strong IT security and privacy program must include… security policy, procedures, and techniques as well as the various management, operational, and technical controls necessary and available to keep IT resources secure.” – Federal Communications Commission: Cyber Security Planning Guide

According to Anthony Soules, Director of Information Security at Amgen, the following five steps show how companies can protect themselves against cyber breaches and cyber-attacks.

  1. Understand the threat actor spectrum and what critical assets, or people, are at risk within your organization.
  2. Develop a strategy to combat these threats and protect your critical assets; use vendor technologies and tools to help enhance your cyber posture in accordance with your strategic direction. Implement strong and continuous technology rationalization practices to prevent the “Shiny Object Syndrome” – buying security products and services without first taking steps to validate against the problem statement.
  3. Ensure compliance with necessary regulations and leverage industry security frameworks to assist in managing risk while providing frictionless services to enable your business drivers.
  4. Implement a security metrics and analytics program to track your strategic progress, maturity, and efficacy. An ideal security metrics program provides various stakeholders a centralized view into key actions and activities spanning across tactical, operational, and strategic levels alike. All actions and activities being tracked should directly correspond to your organization’s strategic goals.
  5. Maintain continuous defense reviews to validate the relevancy of existing threats to your risk mix, technology investments, workforce posture, and overall strategic direction.

Not All Cyber Insurance Policies Are Created Equal

Risk transfer programs start with a thorough review of your risk by a broker with in-depth expertise in Cyber and Technology Errors and Omissions exposures. Cyber insurance policies are not standard, therefore extensive analysis of terms is important when evaluating different insurance proposals. Consider risk on three fronts.

[For more on Lockton Companie’s approach to Insurance click here]

The amount of Personal Identifiable Information (PII), Personal Health Information (PHI), and confidential corporate information for both your company and of others that is in your possession:

  1. The financial impact on your operations if a network is partially or totally degraded due to a breach of network security event
  2. The impact on your firm’s reputation if a breach is publicized.

A solid insurance program should provide coverage for all of this exposure, and more; and provide risk management resources to help mitigate risk upfront. Coverage varies depending upon the industry and the buyer’s transfer of risk philosophy. Important considerations: Does coverage extend to your specific exposure? Examples include addressing dependency upon a third party network (ex. cloud computing or utilization of an IT firm for network support). Consider also: Choice of counsel; business interruption coverage for loss of income arising from a network shutdown or degradation in operations; and “hammer clause” provisions requiring the insured to pay if you don’t agree to a settlement.

Special thanks to Chris Reese, V.P. of Lockton Cyber Practice Group, for her expertise and guidance to the team at Lockton.