Snow & Ice Resource Center

Cyber risk insurance

Written by Jay Long | Dec 11, 2024 4:57:10 PM


As a small business, am I really at risk of a cyber-attack? Why would a cybercriminal target me? We hear it far too often: a client thinks they have no exposure because they do not take credit card payments or do not have a website. There are many more ways a cyber event can happen.

The cyber insurance marketplace has seen several changes over the years as claims evolve and hackers get more sophisticated:

First-party cyber insurance coverages protect the insured against direct loss from a cyber event. These coverages respond to events such as ransomware and deception (social engineering, funds transfer fraud and telephone fraud), and pay for legal costs, forensic vendors, income loss, data restoration and reputational harm.

Third-party coverages include regulatory fines, damages and defense costs, payment card penalties, etc.

Ransomware

Your office manager comes into work on a normal day. They log into their computer and get the "skull and crossbones." The message states that their files have been encrypted and that they need to send "X" dollars to have the data released. What do you do? With a cyber policy, you would immediately contact your carrier, report the incident and let the carrier's response team handle the negotiation for the release of the data.

Social engineering/funds transfer fraud

You receive a call or an email from someone claiming to be your salt supplier. The hacker says that they have new banking information that needs to be updated. They give you a new routing number and account number to put on file and to send direct payments to. Your office staff updates the records and sends the next payment to the hacker's bank account. You are now out that money, and you still owe your supplier.

Third-party claims

An example of this is an email that looks authentic being received by an employee. The employee clicks the link within the email. This gives the hacker a way into your network, where they have access to your employees' personally identifiable information (PII). A cyber insurance policy will pay for the forensic work needed to find and close the network vulnerability, and will provide coverage for the regulatory fines as well as the identity monitoring requirements. It will also provide coverage for defense costs and damages arising from this attack.

Be proactive

Cyber incidents happen to businesses of all sizes. Meet with your IT provider, as well as your insurance agent. If you currently have a cyber insurance policy, take advantage of their offerings for training and consultation.

It is important to make sure that you are taking the necessary steps to protect your business data. A few steps to get started are locking down your network; making employees aware of what a phishing email could look like; setting up multifactor authentication on every account and device that supports it; and always verifying, through a known phone number rather than the contact details in the request, where you are sending money before sending it.

With proper protocols in place, you will reduce the risk and help keep the costs down on cyber insurance.

PII AT RISK

According to the U.S. Department of Labor, personally identifiable information (PII) is "any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

PII is information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors).

Additionally, information permitting the physical or online contacting of a specific individual is the same as PII. This information can be maintained in either paper, electronic or other media." (Guidance on the Protection of Personal Identifiable Information, n.d.)

Jay Long is director of commercial insurance for The Hilb Group of New England LLC dba Gerardi Insurance Services Inc. Contact him at jlong@hilbgroup.com.