
R&R Insurance Blog

Cyber bulletin issued by the Department of Homeland Security

Posted by Jason Navarro

In early January 2020 the Department of Homeland Security issued the following urgent bulletin concerning retaliatory cyber-attacks: https://www.dhs.gov/ntas/advisory/national-terrorism-advisory-system-bulletin-january-4-2020

There are no specific direct threats yet but, as mentioned, there is a significantly elevated risk and high likelihood of a cyber-attack by Iran (a state sponsor of terrorism) in retaliation for recent events.

While it is not likely that our customers in Wisconsin will be directly targeted, it is highly likely customers will be impacted by the contingent cyber exposures of a state sponsored retaliatory cyber-attack.   The likely impact would be because the major cloud and network systems our customers depend on would be down:

  • Denial of service attacks
  • Network interruption
  • Contingent business income and sales loss

This is why a true cyber policy that contains coverage for all of this is more important than ever!   

We are being proactive and want to help now before a loss occurs!  

  • Get a quote today and it can be done with a few quick questions: click here to request a quote answering 7 simple questions
  • A true cyber insurance policy is not as expensive as you might think and covers not only direct cyber-attacks but contingent exposures around systems your company depends on.   
  • One of our top carriers also features a reimbursement for upfront cyber defense costs, up to $3,000, on IT risk mitigation to help make IT systems safer and mitigate risk.  

We urge you to please contact Jason Navarro (Director of Cyber Crime) and/or complete the 7 step questionnaire so we can help implement an adequate cyber-program with you.  

Topics: Cyber

Cyber Security in the Public Sector

Posted by Jason Navarro

You most likely heard the recent news story in which a Wisconsin School District was breached and scammed out of $660,000. Yet another example of a local cyber breach making national news.

Unfortunately, public sector organizations have become an easy and frequent target for cyber hackers. Here are a few reasons why:

  1. Employees continue to be the easiest breach point. Cyber criminals only need one employee to slip up, fall for the scam, and unintentionally hand over the keys to an entire network of personal information. 
  2. Less staff are present on a regular basis. The FBI and Law Enforcement have seen an increase in Public Sector groups being targeted when less staff are present, such as nights and weekends.    

Along with having the correct cyber insurance plan in place, R&R has tools and resources to help protect your business - big or small, public or private. We're able to create a custom program focused on 4 key steps:

  1. Employee training (annually)
  2. Internal IT security
  3. Banking protocols for wiring money and financial transactions
  4. Insurance to help keep the business up and running WHEN your organization experiences a cyber loss

Click here to learn more about properly protecting your business or to receive a free Cyber Insurance quote.

 

Topics: Cyber

Preventing Fraud & Phishing Attacks

Posted by the knowledge brokers

Large or small, all businesses are a target for cyber-attacks. Whether it’s a fraudulent email being sent from someone disguised as the COO, or an intercepted wire transfer - businesses must continue to be diligent in preventing these situations from occurring within their four walls.

With the help of experienced professionals, we’ve developed a list of tips to help your organization avoid fraud activity (such as forged checks or stolen cards) and business email compromise.

Payments & Checks

  • Convert all paper based payments to electronic. Checks contain a company’s entire banking identity, so the more they can be avoided, the better.
  • Keep checks in a locked drawer that only specific employees have access to.
    • If using signature stamps, keep these in a locked drawer as well - but separate from any checks.
  • Monitor check orders and limit those who handle the checks.
  • Review and update the signature cards at your bank annually (at a minimum).
  • Never pre-sign checks – under any circumstance.
  • Implement ACH filters and Positive Pay.
  • Use dual authorization for ACH and wire transactions.
  • Review transactions before they’re sent to the bank.

IT Systems

  • Work with your IT department or vendor to ensure safeguards are in place.
  • Flag all outside emails as “external.”
  • Be aware of fraudulent emails (typos, poor grammar, inconsistencies in email addresses, etc.).
  • Change passwords frequently and don’t have your internet browser “save passwords.”

Employee Processes

  • Provide education to employees on fraud and fraud prevention.
  • Have a social media policy in place to limit what is being used in the workplace and while connected to the company’s wi-fi network.
  • Have a process in place for when employees involved with Accounting leave the organization.
    • Alert your bank of employees who’ve left that had banking responsibilities.
    • Change passwords that previous employees had access to.

For more information about having the right insurance in place to properly protect your business, contact a KnowledgeBroker at R&R Insurance or take the free cyber risk calculator below.

Cyber Risk Calculator

 

Sources:
Westbury Bank

Association for Financial Professionals
BVS Performance Solutions
JP Morgan Chase

Topics: Cyber

A Contractor’s Newest Threat or Opportunity – Cyber Insurance

Posted by Dan Scheider

Caution is often the reaction I get when discussing Cyber Insurance with construction executives in Wisconsin. From their perspective it would be a nice policy to have should the North Koreans focus their slave hacking force on a plumber in Sheboygan. The resulting ransom of 200 bitcoin for their $200 laptop seems a laughable prospect to a field that generally isn’t tech reliant. The truth, however, is that contractors are a growing target for hackers, but fear isn’t the only reason for a contractor to have Cyber Insurance.

So is greed.

Newly mandated contracts are forcing the conversation of Cyber Insurance between owners and contractors. As of October 31, 2018, the American Institute of Architects (AIA) requires the use of its new 2017-revised agreement documents in place of the old 2007 versions. Among the most standard forms are the basic contract agreements between owners and contractors: A101, A102, and A103. All three of those forms have a new section dedicated to Cyber Insurance.

The relevant language begins in the form at section A.2.5.1. This segment encourages the owner to purchase Cyber Security Insurance for any loss or data breach should such an event happen on the job. This represents an opportunity for a contractor to sell the fact that they have 3rd party Cyber Insurance and can cover such a breach. Alternatively, this could be a threat should the contractor have no Cyber Insurance and potentially lose out on a bid to a competitor who has said coverage.

Why was Cyber Insurance language inserted in this part of the contract? The AIA believes there is a growing threat of electronic data loss to owners after several real world examples surfaced where negligent contractors were at fault.

In 2013 an HVAC contractor in Pennsylvania was working at a Target retail store. An employee of the HVAC contractor opened a virus laced email. This email stole the identification and password of the contractor and was able to infiltrate Target’s vendor portal. From there the criminals were able to gain access to Target’s internal network. The result was the 5th largest cyber-attack in history and 70 million compromised credit cards.

Beyond encouraging owners to attain Cyber Insurance, Forms A101-3 present easy opportunities for owners to require Cyber Insurance from contractors. Further along in the contracts (section A.3.3.2.6) the owner is given a segment to fill in additional coverages a contractor is required to possess on the job. In the real world we are starting to see contracts requiring a Cyber policy, often with high limits too.

More than just a threat, Cyber Insurance represents an opportunity for contractors. Having a policy ahead of a big job not only protects your company in case of a breach, but also gives the sales or marketing department extra ammunition to make the winning offer. 

Not all Cyber policies are the same. There is a major difference between a first and third party coverage. Contact an agent to work out the best Cyber policy for your business.

Topics: Construction, Cyber

11 Steps to Protect Your Business from Cyber Crime

Posted by the knowledge brokers

Cyber criminals, for the purposes of extortion, can threaten to shut down computer systems or erase data, infect a company with a virus, publish private information or personally identifiable information on customers or employees, institute a denial-of-service attack or take over social media. There are numerous examples of these attacks happening day in and day out, to businesses of all sizes.

Travelers has provided the following checklist to help protect businesses from cyber crime:

1. Know your data. A company cannot fully know how much is at risk until they understand the nature and the amount of data they have.

2. Create file back-ups, data back-ups and back-up bandwidth abilities. This will help a company to retain its information in the event that extortion occurs.

3. Train employees to recognize spear phishing. All employees should learn the importance of protecting the information they regularly handle to help reduce exposure to the business.

4. Do background checks on employees. Background checking employees can help identify whether they have criminal pasts.

5. Limit administrative capabilities for systems and social footprint. The fewer employees with access to sensitive information, the better.

6. Ensure systems have appropriate firewall and antivirus technology. After the appropriate software is in place, evaluate the security settings on software, browser and email programs. In doing so, select system options that will meet your business needs without increasing risk.

7. Have data breach prevention tools, including intrusion detection. Ensure employees are actually monitoring the detection tools. It is important to not only try to prevent a breach, but to make sure that if a breach occurs, the company is aware as soon as possible. Time is of the essence.

8. Update security software patches in a timely manner. Regularly maintaining security protections on your operating system is vital to them being effective over time.

9. Include DDoS security capabilities. It is important to have the ability to avoid or absorb attacks meant to overwhelm or degrade your systems.

10. Put a plan in place to manage a data breach. If a breach occurs, there should be a clear protocol outlining which employees are part of the incident response team and their roles and responsibilities.

11. Protect your business with insurance coverage designed to address cyber risks. Cyber insurance coverage typically provides protection for costs associated with data breaches and extortion events. The right insurance program will also provide access to skilled professionals to manage the event from start to finish.

Attend our upcoming Cyber Seminar to learn more about protecting your business.

 

Topics: Cyber

CEOs Paying the Price for a Data Breach

Posted by the knowledge brokers

Do you know what the following people have in common?

Amy Pascal, Greg Steinhafel, Frank Blake, Richard Smith, Noel Biderman

All were CEOs who lost their jobs following a data breach/hacking of their respective companies.

  • Amy Pascal was CEO of Sony Pictures.  The company settled a class action lawsuit for $15 million
  • Greg Steinhafel was CEO of Target.  They settled class action lawsuits for $50 million
  • Frank Blake was CEO of Home Depot.  The company paid $27.25 million to banks, $134 million to Visa, MC and more banks, $19 million in class action settlements
  • Richard Smith was CEO of Equifax.  Suits are still pending at time of publishing
  • Noel Biderman was CEO of Ashley Madison. They paid $11.2 million to settle claims

The expense of dealing with a data breach can add up quickly.  Take, for example, a hospital that experienced a breach of 40,000 records.  The price tag was $450,000 for credit monitoring and ID Theft insurance, $175,000 in notification and call center expenses, $25,000 forensics costs and $90,000 in legal costs, and $500,000 in regulatory fines.

In another instance, a former hospital employee downloaded 102,000 patient records.  The expenses amounted to $1.4 million in credit monitoring & call center, $500,000 in notification expenses, $500,000 legal expenses, $250,000 forensics, $1.5 million in legal expenses and $750,000 in regulatory fines.

Many companies were impacted by the Petya/NotPetya malware in 2017.  Consider a full day without phones, six days without email, nearly two weeks without complete access to documents, and  $700,000 in lost billings.  That’s what happened when this malware hit a global law firm.  What lessons did they learn?  With ransomware, detection comes too late; everyone has a plan until you get punched in the face; no firm is immune. Globally the malware cost $1.5 billion, including companies such as  FedEx which posted a $200 million loss and Maersk  which posted a $300 million loss, to name just a few.

All companies are at risk regardless of size, industry, or location.  How do you offset the staggering amounts that a cyber event can cost your company?  Invest in risk management, cyber security, and cyber insurance.

 

Topics: Cyber

2018 Starts with Major Cyber Vulnerabilities Identified

Posted by the knowledge brokers

One of the challenges that businesses have in protecting themselves from cyber attacks is keeping up with patching vulnerabilities.  In 2017 we saw in both the WannaCry and the Petya/NotPetya events how quickly malware can spread globally through un-patched, unsupported software.

This week, major computer design flaws have been identified.  Here is a good explanation from KnowBe4, Inc. of the issue:

"Computer researchers have recently found out that the main chip in most modern computers—the CPU—has a hardware bug. It's really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on our network, including your workstation and all our servers.

This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. This hardware bug breaks that isolation.

So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.

So, What Are We Doing About This?

We need to update and patch all machines on the network. This is going to take some time, some of the patches are not even available yet. We also may have to replace some mission-critical computers to fix this.

In the meantime, we need you to be extra vigilant, with security top of mind and Think Before You Click."

This impacts not only corporate computers and desktops, but also smartphones and internet servers.   Intel, Amazon, Google, Apple, Microsoft, Firefox have either released fixes or will be soon.  

Not only do you need to address this issue, but be prepared in the event that your business is attacked before you can install the fixes.   And, do you have an insurance policy to protect your business?

Topics: Cyber

October | National Cyber Security Awareness Month

Posted by the knowledge brokers

Each year National Cyber Security Awareness month is held in October.  As such, many events are held around the country bringing together experts from government, industry and security to share information and enhance the dialogue around cyber risks.

The resounding theme?

Cyber is a risk to be managed not a risk that can be prevented.

Cyber crime is a threat to all industries, governments and businesses. There is no perfect solution and we will be in constant battle against those that seek to extort monies, disrupt our infrastructure, cause damage to our businesses and harm individuals.  Equifax had a cyber security budget of $250 million over 3 years to enhance cyber security  and a team of 225 professionals across the globe and still suffered a breach affecting 145.5 million people. Small business and non-profits are at greater risk as they have neither the funds nor personnel to effectively manage the ever evolving threat landscape.

Cyber extortion became a $1 billion industry for criminals in 2016. According to Rod Rosenstein, Deputy Attorney General for the Dept of Justice, there are 100,000 extortion demands made every day around the globe. 

Business leaders must learn to approach cyber risk as they do other aspects of their business such as safety and compliance. Cyber is a serious and inevitable risk your business will confront. Have you determined what level of risk is acceptable?  There will be financial consequences. It is a grave mistake to think that it will not happen to you.

From Stuxnet in 2010 to WannaCry and Petya/NotPetya in 2017, whether malicious code is targeted at a specific Industrial Control System or spread to hundreds of thousands of computers around the globe within hours, unsuspecting companies have felt the impact. Companies have incurred losses ranging from having to replace computer hardware to loss of income in excess of $200 million.

R&R urges all companies to be #cyberaware and focus on cyber risk management especially during the month of Cyber Security Awareness.   

 

Topics: Cyber

Cyber Risk Goes Beyond Protecting Personal Information

Posted by the knowledge brokers

New technologies are being incorporated into almost all aspects of business, and companies are heavily relying on their continuous functionality for everyday operations. No matter what the industry, a byproduct of this Digital Transformation is cyber risk. As more companies turn to digital automation, they often overlook the fact that they are also opening up their processes to new cyber risks and vulnerabilities.

Here is one example of how a manufacturing company is run on digital technology:

  • The production line is fully automated.
    • How much product to produce
    • What are the peak production times (hours/days)
    • How many orders they need to process, when shipments are made
    • Just one hour of down time on their production line would cost the business a large amount of money
  • All employees have key cards to enter and leave the premises. Their sales people communicate via their network connections.

This example shows that cyber risk goes farther than just protecting personal information. It’s crucial to keep in mind that any device that can send or receive information via the internet provides an entrance for hackers to breach data, lock down systems, and disrupt operations, costing you time, money, and security.

In order to keep all aspects of your company safe, it is better to be proactive than reactive when choosing cyber security and cyber insurance. Contact a Knowledgebroker for a free analysis of your cyber insurance policy so you can be better prepared if an attack were to happen.

Topics: Cyber

2017 Breach Forecast: Healthcare will be most targeted sector

Posted by the knowledge brokers

2017 Data Breach Forecast Report from Experian:

"Of the potential sources for a breach, electronic health records (EHR) are likely to be a primary target for attackers. The portable nature of this information and the number of different entities and end-points that need access to them mean the potential for them to touch a vulnerable computer system is high. While there may be significant protections in place to secure them in transit, it only takes one compromised or outdated system to lead to exposure. Further as more healthcare institutions deploy new mobile applications, it's possible that they will introduce new vulnerabilities that will also be attractive targets for attackers."

"Ransomware attacks may also move from just locking systems to outright stealing information to either sell or leverage for identity theft. Additionally, with the recent Office of Civil Rights (OCR) guidance classifying ransomware attacks as requiring consumer notification, we are likely to hear about a larger number of these types of cases when compared to other sectors".

Think your organization is immune?  Think again:

What is your plan when the inevitable happens to your organization?

Contact your knowledgebroker for a free analysis of your cyber insurance policy and disaster recovery plan.

Topics: Cyber