Data Breaches: A Growing D&O Concern

A data breach can be a devastating event, affecting a company financially and damaging its reputation with customers. But as a director or officer at your company, you face litigation risks based on the decisions you make following a breach and on how you influence cyber security policies, as these are often considered board-level issues.

If a suit is filed against you after a data breach occurs, based on your position as a board member, you will not be protected by your commercial general liability policy or your cyber liability policy. Your best source of protection is from your directors and officers (D&O) policy, as long as your policy is tailored to include protection after a data breach.

Data Breach Threats
The biggest threat from a data breach is loss of information, whether it is information regarding your company’s finances or the personal identification information of your customers, such as Social Security numbers or credit card information.

Losing sensitive information belonging to your customers or company can have a devastating effect on your reputation. If the credit card information of your customers is stolen, your customers would need to cancel their cards and get new ones—an inconvenient process and one that can damage your company’s image in the eyes of customers.

Data Breach Response
Following a data breach, you may be legally required to notify certain people about it. For example, if your company is publicly traded, guidelines issued by the Securities and Exchange Commission (SEC) say you must report cyber security incidents to stockholders. The cost of notification after a breach is generally covered by a cyber liability policy. And depending on the number of people you need to notify, the cost can be quite high.

Notification should be taken very seriously, as the way a company responds to a data breach can lead to exposure and legal action beyond lawsuits from customers—the company could be subject to regulatory action from the Federal Trade Commission or the SEC.

Data Breaches and D&O Coverage
Insufficient cyber security that leaves your company vulnerable to a data breach can be seen by your customers or shareholders as negligence or a breach of duty. Your customers and shareholders may seek to hold you responsible for the damage, as the board is responsible for making decisions on behalf of the company. Because of this, you need protection in the form of a D&O policy.

In past legal cases following a data breach, directors and officers have been accused of:

  • Failing to take reasonable steps to protect customers’ personal and financial information
  • Failing to implement controls to detect and prevent a data breach
  • Failing to report a breach in a timely manner

A cyber liability policy would not offer the legal protection needed by directors and officers after a data breach, whereas a D&O policy can.

A D&O policy provides coverage for a “wrongful act,” such as an actual or alleged error, omission, misleading statement, act of neglect or breach of duty.

Cyber Security Is Vital
A company’s directors and officers are expected to be involved in and knowledgeable about the company’s cyber security. It’s rapidly becoming a vital aspect of responsible business management and customer service.

The following are some techniques to improve the cyber security of your company:

  • Install a firewall—Companies with five or more computers should consider buying a network firewall to protect the network from being hacked.
  • Install security software—Anti-virus, anti-malware and anti-spyware should be installed on every computer in the network. All software should be up-to-date.
  • Encrypt data—All data, whether stored on a tablet, flash drive or laptop, should be encrypted.
  • Use a virtual private network (VPN)—A VPN allows employees to connect to the company’s network remotely without the need of a remote-access server. VPNs use advanced encryption and authentication protocols, providing a high level of security for your network.
  • Develop a data breach plan—Have a plan in place so when, not if, you experience a data breach, you can act quickly and minimize your loss.

Data Breach Risks Without D&O Insurance
After a data breach, claims from shareholders and customers will most likely be made. Since you can be held personally responsible for the acts of the company as a board member, your plans and decisions need to be protected.

Without D&O coverage, your personal assets are at stake and could be forfeited to cover legal costs. You can protect yourself with a D&O insurance policy. Talk to your insurer about this type of coverage and be sure your policy is tailored to cover any gaps.

Cyber Attacks: A Growing Business Interruption Threat

When you think about what usually causes a business interruption, natural disasters such as fires, earthquakes and floods probably come to mind first. These events can physically damage your property and equipment, making your workspace unusable for a time. The damages from Hurricane Katrina and Superstorm Sandy are great examples of how a natural disaster can put a halt to a business’ day-to-day operations. Many of those affected businesses remain closed to this day.

While natural disasters are still the main reason for an interruption, another cause is quickly moving up the ranks: cyber attacks. As businesses continue to rely on computers and digital storage of essential data, cyber attacks will continue to be a potential exposure. Read on to learn how a cyber attack could lead to a business interruption and what you can do to mitigate the risk.

How can a cyber attack cause a business interruption?
Hackers, thieves and other unauthorized individuals have become adept at exploiting weaknesses in a business’ computer system, whether through traditional hacking methods or social engineering. There are several types of attacks that could completely cripple your ability to perform normal business activities, including:

  • Malicious code that renders your website unusable
  • Distributed denial of service (DDoS) attacks that make your website inaccessible to employees and customers alike
  • Viruses, worms or other code that deletes critical information on a business’ hard drives and other hardware

It is quite easy to see how any of these events might leave your company scrambling to do business. Unfortunately, many smaller businesses don’t have the manpower available to detect the problem and work on fixing it, which only increases the length of an interruption.

Third-party interruptions can have a major effect on your business
You can still be affected even if it isn’t your business that experiences a cyber attack. Imagine what would happen if one of your vendors suffered an attack, resulting in a complete shutdown of its warehouse or website. Unfortunately, attacks on third parties are often out of your control. Such an event could have a profound effect on how much business you are able to do, and that would trickle down to your customers, who may rely on your products or services.

Ways to prevent a cyber attack from causing a business interruption
A common saying in the cyber security world is, “It’s not if you’ll be a victim of a data breach, but when.” While 100 percent protection is impossible, you can help lower your chance of business interruption due to a cyber attack by following these tips:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their functions, the data they store and process, and their importance to the organization.
  • Make sure all firewalls and routers are secure and kept up to date.
  • Implement a cyber security policy that educates employees about the dangers of computer intrusions and how to prevent them. Morris & Reynolds Insurance can help you draft a cyber security policy specifically tailored to your company.
  • Download and install software updates for your operating systems and applications as they become available.
  • Implement a strict password policy and have employees change system passwords every 90 days.
  • Limit employee access to company data and information, and limit authority to install software.
  • Make sure you are covered by a cyber liability insurance policy.

How can cyber liability coverage help?
Most traditional commercial general liability (CGL) policies will not cover business interruption losses due to a cyber event. Luckily, cyber liability coverage can fill that void.

Should your business be unable to perform normal business operations, a cyber liability policy can help pay for expenses related to an interruption. The coverage pays for:

  • Lost income due to the event
  • Profits that would have been earned had the event not occurred
  • Operating expenses, such as utilities, that must be paid even though business temporarily ceased
  • Rented or leased equipment

Cyber liability coverage also helps protect your business from the following events:

  • Data breaches, including costs for customer notification, some legal costs and credit monitoring for those affected
  • Damages to third-party systems, if, for example, an infected email from your servers crashes the system of a customer or vendor
  • Data or code loss due to a natural disaster or malicious activity. Physical destruction of equipment is covered under a different policy.
  • Cyber extortion, including ransomware, which is malicious code installed into a computer on your network that prevents you from accessing it until a ransom is paid

Even though business interruptions due to cyber attacks are relatively uncommon, being unprepared for one could prohibit you from doing business as usual. Contact Morris & Reynolds Insurance today to find out how we can help you avoid a business interruption.

Cyber Security

Every day, more than 1 million people become victims of cyber crime, according to a study by Symantec, a computer security software company. Businesses, both large and small, are increasingly reliant on the Internet for daily operations, creating attractive and potentially lucrative targets for cyber criminals.

With such heavy use of and reliance on computers and the Internet by both large and small organizations, protecting these resources has become increasingly important. Learning about cyber attacks and how to prevent them can help you protect your company from security breaches.

Cyber Attacks Compromise Your Company
Cyber attacks include many types of attempted or successful breaches of computer security. These threats come in different forms, including phishing, viruses, Trojans, key logging, spyware and spam. Once hackers have gained access to the computer system, they can accomplish any of several malicious goals, typically stealing information or financial assets, corrupting data or causing operational disruption or shut-down.

Both third parties and insiders can use a variety of techniques to carry out cyber attacks. These techniques range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at gaining network access.

Cyber attacks can result directly from deliberate actions of hackers, or attacks can be unintentionally facilitated by employees—for example, if they click on a malicious link.

A breach in cyber security can lead to unauthorized usage through tactics such as the following:

  • Installing spyware that allows the hacker to track Internet activity and steal information and passwords
  • Deceiving recipients of phishing emails into disclosing personal information
  • Tricking recipients of spam email into giving hackers access to the computer system
  • Installing viruses that allow hackers to steal, corrupt or delete information or even crash the entire system
  • Hijacking the company website and rerouting visitors to a fraudulent look-alike site and subsequently stealing personal information from clients or consumers

Cyber attacks may also be carried out in a manner that does not require gaining unauthorized access, such as denial-of-service attacks on websites in which the site is overloaded by the attacker and legitimate users are then denied access.

The Vulnerable Become the Victims
The majority of cyber criminals are indiscriminate when choosing their victims. The Department of Homeland Security (DHS) asserts that cyber criminals will target vulnerable computer systems regardless of whether the systems belong to a Fortune 500 company, a small business or a home user.

Cyber criminals look for weak spots and attack there, no matter how large or small the organization. Small businesses, for instance, are becoming a more attractive target as many larger companies tighten their cyber security.

Simple Steps to Stay Secure
The DHS, which issues bulletins and alerts that provide information on potential cyber threats, has issued more than 5,000 alerts and advisories in a single year. With cyber attacks posing such a prominent threat to your business, it is essential to create a plan to deal with this problem. Implementing and adhering to basic preventive and safety procedures will help protect your company from cyber threats.

Following are suggestions from a Federal Communications Commission roundtable and the DHS’s Stop.Think.Connect. program for easily implemented security procedures to help ward off cyber criminals. These suggestions include guidelines for the company as well as possible rules and procedures that can be shared with employees.

Security Tips for the Company

  • Install, use and regularly update anti-virus and anti-spyware software on all computers.
  • Download and install software updates for your operating systems and applications as they become available; if possible, choose the automatic update option.
  • Change the manufacturer’s default passwords on all software.
  • Use a firewall for your Internet connection.
  • Regularly make backup copies of important business data.
  • Control who can physically access your computers and other network components.
  • Secure any Wi-Fi networks.
  • Require individual user accounts for each employee.
  • Limit employee access to data and information, and limit authority for software installation.
  • Monitor, log and analyze all attempted and successful attacks on systems and networks.

Security Tips for Employees

  • Use strong passwords (a combination of uppercase and lowercase letters, numbers and special characters), change them regularly and never share them with anyone.
  • Protect private information by not disclosing it unless necessary, and always verify the source if asked to input sensitive data for a website or email.
  • Don’t open suspicious links and emails; an indication that the site is safe is if the URL begins with https://.
  • Scan all external devices, such as USB flash drives, for viruses and malicious software (malware) before using the device.

Most importantly, stay informed about cyber security and continue to discuss Internet safety with employees.

Don’t Let it Happen to Your Company
According to the DHS, 96 percent of cyber security breaches could have been avoided with simple or intermediate controls. Strengthening passwords, installing anti-virus software and not opening suspicious emails and links are the first steps toward cyber security.

Begin implementing cyber-safety procedures today to protect your company, clients and employees from the invisible but costly threat of cyber attacks.

More Information
For more information on Cyber Liability coverage, contact Morris & Reynolds Insurance at 305.238.1000, or visit our website’s Cyber Liability page.

Cyber Security for Small Businesses

High-profile cyber attacks on companies such as Target and Sears have raised awareness of the growing threat of cyber crime. Recent surveys conducted by the Small Business Authority, Symantec and the National Cyber Security Alliance suggest that many small business owners are still operating under a false sense of cyber security.

The statistics of these studies are grim: The vast majority of U.S. small businesses lack a formal Internet security policy for employees, and only about half have even rudimentary cyber security measures in place. Furthermore, only about a quarter of small business owners have had an outside party test their computer systems to ensure they are hacker proof, and nearly 40 percent do not have their data backed up in more than one location.

Don’t Equate Small with Safe
Despite significant cyber security exposures, 85 percent of small business owners believe their company is safe from hackers, viruses, malware or a data breach. This disconnect is largely due to the widespread, albeit mistaken, belief that small businesses are unlikely targets for cyber attacks. In reality, data thieves are simply looking for the path of least resistance. Symantec’s study found that 40 percent of attacks are against organizations with fewer than 500 employees.

Outside sources like hackers aren’t the only way your company can be attacked—often, smaller companies have a family-like atmosphere and put too much trust in their employees. This can lead to complacency, which is exactly what a disgruntled or recently fired employee needs to execute an attack on the business.

Attacks Could Destroy Your Business
As large companies continue to get serious about data security, small businesses are becoming increasingly attractive targets—and the results are often devastating for small business owners.

According to Symantec, the average annual cost of cyber attacks to small and medium-sized businesses was nearly $200,000 in 2010. Most small businesses don’t have that kind of money lying around, and as a result, nearly 60 percent of the small businesses victimized by a cyber attack close permanently within six months of the attack. Many of these businesses put off making necessary improvements to their cyber security protocols until it was too late because they feared the costs would be prohibitive.

10 Ways to Prevent Cyber Attacks
Even if you don’t currently have the resources to bring in an outside expert to test your computer systems and make security recommendations, there are simple, economical steps you can take to reduce your risk of falling victim to a costly cyber attack.

  1. Train employees in cyber security principles.
  2. Install, use and regularly update antivirus and antispyware software on every computer used in your business.
  3. Use a firewall for your Internet connection.
  4. Download and install software updates for your operating systems and applications as they become available.
  5. Make backup copies of important business data and information.
  6. Control physical access to your computers and network components.
  7. Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure and hidden.
  8. Require individual user accounts for each employee.
  9. Limit employee access to data and information, and limit authority to install software.
  10. Regularly change passwords.

In addition to the listed tips, the Federal Communications Commission (FCC) provides a tool for small businesses that can create and save a custom cyber security plan for your company, choosing from a menu of expert advice to address your specific business needs and concerns. It can be found at www.fcc.gov/cyberplanner.

Your Emerging Technology Partner
A data breach could cripple your small business, costing you thousands or millions of dollars in lost sales and/or damages. Contact Morris & Reynolds Insurance at 305.238.1000 today or visit our website’s Cyber Liability page. We have the tools necessary to ensure you have the proper coverage to protect your company against losses from cyber attacks.