<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1602061480087256&amp;ev=PageView&amp;noscript=1">

R&R Insurance Blog

How to Survive a Cyber Attack/Data Breach

Posted by the knowledge brokers

Mon, Sep 12, 2016 @ 12:01 PM

RRI-Survive-Attack.gif

It is every IT manager, CISO, CFO and CEO’s worst nightmare. The FBI has notified you that a cyber attack of unknown origin and scope has been identified as occurring in your network; An employee advises that a mobile device that contains personally identifiable information is missing; a ransomware note suddenly appears on a desktop computer indicating that your system has been encrypted by outside actors demanding payment in bitcoin; an employee was tricked via a phishing email into sending a spreadsheet containing W-2 information on your employees to an outside source.

These are just a few of the real life examples of cyber attacks and data breaches that companies have faced. Experts agree that cyber security will always be defensive in nature and how a company responds to the situation can mean life or death to a business.

How prepared are you to respond ? Do you even know what constitutes a “data breach” and if the situation you are experiencing meets the definition and triggers a response? Under what circumstances are you required to notify individuals, vendors, business associates, and regulators? Do you have contractual relationships that require the other party to be notified and if so, under what circumstances is notification required?

It is crucial for all businesses to have a Breach Response Plan that is well thought out, flexible enough to adapt to various scenarios, and tested. The first step in the plan is the ability to determine if the circumstances trigger your response plan. How do you determine, for example, if the data breach encompasses unauthorized access or unauthorized acquisition of personally identifiable information? Are you familiar with the various laws in the jurisdictions that the affected individuals reside to be able to determine your next steps? Within the United States there are 47 different breach laws. In addition, each country has their own set of laws that must be followed. Regulatory bodies such as HIPAA, FTC, PCI, have different requirements as well. How do you plan on conducting an investigation and who are the participants, internally and externally?

At what point does law enforcement need to be notified? Or should law enforcement be notified? If law enforcement takes control of your system or confiscates your computers, what impact does that have on your operations? But without their assistance how can the attack be stopped?

One thing however is clear, without a plan the response will be PANIC! Decisions will need to be made quickly and under pressure. Similar to the fire drills and tornado drills that we all experienced in school, preparation is key.
The first step is to identify stakeholders. This is not an IT only issue. Develop a CIRT – Computer Incident Response Team. Determine what positions need to be included on the team not the individuals. Before the plan is implemented individuals may have changed or left the company.

Establish a command center/war room where the team can convene. Remember, every minute that it takes to respond costs you money.

What is your communication plan both internally and externally? It is important that your employees be trained that they are not to communication anything that they “think” they know. Until the facts are determined communication channels need to be controlled.

It is likely that an outside forensic IT investigation firm will need to be engaged in order to determine what has happened, how it happened, and what is the status. What firm will you engage and what is the cost?

Do you have legal counsel that is prepared to respond ? Are they experts in this area of the law and familiar with the various statutory and jurisdictional requirements? What is the scope of your engagement with the firm and their fee? Will they be in a position to be your liaison with law enforcement and regulators? Will these attorneys be able to prepare notification letters?

Included with notification are the costs of paper, postage, call center, website management, etc. Are you prepared to make these arrangements and absorb these expenses?

When it comes to communication, maintaining your reputation with your customers, vendors, employees and the public will be crucial. Will you be engaging with a Public relations firm to manage these communications? How will the media be managed when reporters request information?

How will the communication with regulators be handled. Various bodies have the authority to fine and penalize a business.

Do you have experience in negotiating with cyber extortionists? Will you be in a position to decide to pay or not pay a ransom demand? How familiar are you with bitcoin?

According to a recent survey by 451 Research, 30% of businesses indicated that they have a breach response plan and only 25% have cyber insurance. However, various studies indicate that the cost of a data breach ranges from $160 to $360 per record, depending on the industry and specifics of the breach.

Cyber insurance can play an important role in this entire process. I say CAN because the scope of coverage, risk management services, and breach response vary greatly and significantly among the 60+ carriers that offer “cyber” insurance. The insurance is not an alternative to having a robust response plan but can complement and provide outside resources and vendor relationships. It is important to choose an insurance partner that can help you not only identify your risks and exposures, will provide you with a vital partnership in assessing and responding to situations as they arise.

 

 

Topics: Cyber Liability

Business Owners Beware: Network Attacks are not Covered by Standard Business Interruption/Income Insurance Policies

Posted by the knowledge brokers

Fri, Sep 09, 2016 @ 03:53 PM

RRI-Network-Security.gifWhat happens to your business in the aftermath of a disaster? That depends, in part, of the definition of disaster.

Most businesses are familiar with Business Interruption/Income Insurance. The first Business Interruption policy was issued by London Underwriters in 1939 and is designed to put the insured company back into the same financial position that which it would have enjoyed had the disaster not occurred. However, according to the American Insurance Association , the coverage is only triggered in three limited circumstances:

  • There is physical damage to the premises of such magnitude that the business must suspend its operations
  • There is physical damage to other property caused by a loss that would be covered under the company’s insurance policy, and that damage totally or partially prevents customers or employees from gaining access to the business
  • The government shuts down an area due to property damage caused by a peril covered by the company’s insurance policy that prevents customers or employees from gaining access to the premises

So what happens in the event of a cyber attack? Unfortunately, a Network attack is not considered a disaster and is not covered by the standard Business Interruption/Income insurance policy.
What constitutes a network attack? Consider the following:

  • The intentional and unauthorized gaining of access to or use of the insured’s network (computer hardware, software, firmware, electronic data stored on or within the network, connected by two or more computers including networks accessible through the internet, intranet, extranets, virtual private networks)
  • Receipt of targeted malicious code from an external source
  • A targeted denial of service attack

According to a report recently released by EMC Corporation for its Global Data Protection Index 2016, the average cost of a data loss and disruption is $913,958 per organization. In addition, the average costs of unplanned system downtime is $550,000 and the average length of downtime is 22 hours. Over 70% of study participants responded that they did not think that their organization would be able to fully recover their system or data.

How do you recoup data forensic expenses, costs to restore or replace digital assets, extra expenses, and the reduction in business income? Fortunately, insurance coverage can be obtained through a Cyber Insurance Policy. Unfortunately, coverage is not offered by all carriers, is frequently overlooked and not understood. This creates a significant risk to any business operations.

References:
American Insurance Association
EMC Corporation, Global Protection Index 2016
Allied World Insurance policy forms SRVS2 00002 and SRVS2 00052 00

Topics: Cyber Liability

Don't Forget the Importance of Data Breach Coverage

Posted by Kimberly Strand

Wed, Aug 24, 2016 @ 01:09 PM

More than ever in this day in age, we hear about major retailers having a breach of customers' personal information. By the time you realize one happened to your business, its often too late. Therefore, it is best to be aware and protected just in case. Do you know if your business covered for a Data Compromise?

iStock_48001872_LARGE_data_breach.jpgWhat is a Data Compromise?
  • A breach of a company’s network, in which customer information is stored, processed,  transmitted, etc. 

What do I need to do to make sure my business is covered?

  • Be sure to talk to your insurance agent about Data Breach Coverage today! When purchasing Data Breach Coverage you will want to make sure Response Expense AND Defense & Liability Coverage is included.

Response Expense can help provide service to help your business comply with state laws requiring notification, credit monitoring, and identity restoration.  Some items you want to confirm are included in your insurance provider’s response expense are as follows:         

  • Provides coverage for notification to customers who may have been affected by a data breach
  • Provides 12 months of credit monitoring after data breach
  • Forensic IT Review coverage to cover costs associated with hiring a third party computer expert to help determine the extent and origin of the data breach
  • Legal review to pay for costs of professional advise
  • Public relations coverage to pay services needed to retain goodwill with your customers

Defense and Liability Coverage will cover defense and settlement costs in the event a customer/s bring suit against your company.

 

If you have any questions about your current coverage or want to learn more about setting up a policy, contact a Knowledge Broker.

Topics: data breach, Cyber Liability

How Insurance Can Protect Corporate Bank Accounts

Posted by the knowledge brokers

Thu, Jul 14, 2016 @ 01:57 PM

iStock_66176239_XXXLARGE.jpgIt wasn’t long ago that once we deposited money received for goods and services into our bank account, we were able to sleep comfortably knowing that our money was safe.  After all, vaults and the security surrounding them were so secure that breaking into was left to the imagination of Hollywood producers.  But with the dawn of the technology age has also come the era of cyber heists with unknown and unseen actors hacking into computers and fooling people into parting with their hard earned cash.

There a number of ways that a business can insure for these risks.  But, as is common in the world of insurance, coverage is dependent on a number of factors including how the crime was perpetrated. 

Adding to the confusion is the term “cyber” which leads to misunderstanding that all crime committed with a computer is covered in the same way.  It is not. 

Crime policies have been available in the market for years.  Most insureds are more familiar with the term Employee Dishonesty and ERISA bond which are only part of what can be covered by a Crime policy.  I want to address two additional insuring agreements that are available on Crime policy and the new Social Engineering Fraud agreement that is available from some carriers. 

The first of these is Computer Fraud.  This part of the crime policy is intended to coverage a loss when the instruction received by the financial institution to transfer money from one account into another or to a location outside of the premises,  is fraudulent.  Typically the customer would have no knowledge that money has been transferred from their account until they review their account or statement.

The next is Electronic Funds Transfer.  As is the case with the Computer fraud , this agreement requires that an electronic , telegraphic, cable, teletype or telephone instruction be fraudulently sent to the financial institution directing the transfer of money from the account. 

The important part of both of these definitions, for purposes of this article is the instruction is fraudulent.

That is different from Social Engineering Fraud.  In this scheme, the account holder (financial institution customer) is tricked into believing that the transaction that they, the customer,  are sending to the financial institution to transfer money is legitimate.  In other words, the instruction being sent to the financial institution is correct.  This type of fraud is increasingly common.  Bad actors are drafting emails to trick people into believing that they are being instructed to transfer money from their account usually by someone in authority at their company.   

In considering this insurance it is important to understand how these terms are defined in the policy rather than assume that all things computer related and cyber mean the same in every instance. 

R&R Insurance Cyber Liability eBook

Topics: bank fraud, Cyber Liability

A Common Computer Scam Tricks My Dad

Posted by Scott Shaver

Tue, Jun 28, 2016 @ 08:02 AM

iStock_58498148_XLARGE.jpgAbout 9 months ago, my dad called me concerned about a message that he had gotten on his computer at home. My dad and his wife are both retired and live up in a small town in northern Wisconsin.

The message on the screen said that he had a virus on his computer and it provided a phone number to call to get it fixed. How convenient. Turns out he wasn’t as concerned about the message as he was about what he did after he got the message.

By the time my dad had reached out to me, he had already called the number on the message and had paid to have a “tech” on the other end of the line diagnose what was wrong with his computer. My dad was calling to get my thoughts on whether or not he had done the right thing. Turns out he had not.

Click here to learn more about how this scam works and hopefully avoid it happening to you or a family member.

Cyber-attacks at work and at home are a growing trend and all indications are that they will continue to grow in numbers and methods. Be sure that you are doing all that you can to protect yourself and your business.

For additional resources on cyber security, click here to download our Cyber e-Book.

Topics: Cyber Liability

State of the Phish: What Are Phishing Attacks & How to Avoid Them

Posted by the knowledge brokers

Thu, Jun 23, 2016 @ 03:28 PM

Phishing.jpgDo you know what a phishing attack is and how to recognize them? Are you training you training your employees?

Wombat Security recently published a report on the State of Phishing attacks. The report highlights that phishing attacks are increasing, becoming more sophisticated and varied in their approach to tricking potential victims. These come in the form of emails, phone calls, SMS messaging and USB attacks.

Included in this report are some of the common messages that are being utilized so beware when they appear in your inbox.
  • Delivery Status Notification
  • Full mailbox notification
  • Spam quarantines
  • Benefits enrollment messages
  • Invoices
  • Confidential HR documents
  • Shipping confirmations
  • Wire transfers
  • Insurance notification
  • Auto insurance renewal
  • Frequent flier accounts
  • Bonus miles
  • Photo tagging
  • Frozen accounts,
  • Big-box store memberships
  • Social networking
  • Gift cards

The aftermath of phishing attacks can be devasting to an organization, whether through loss of employee productivity, damage to reputation, or money lost.

At R&R we strive to continually educate our business partners on various Cyber risks. Download our Cyber e-Book for more information on protecting your business.

Topics: phishing, Cyber Liability

Is Your Business at Risk? Cyber Security Questionnaire

Posted by the knowledge brokers

Thu, May 26, 2016 @ 10:13 AM

Cyber-Security.jpgEvery business has an exposure and risk of becoming a cyber crime victim. While most businesses are familiar with insuring for traditional risks, there are a range of exposures that your business may need to be protected from. The following questionnaire provides in depth insight into risks you may not have previously contemplated.

Do you accept credit card payments? 

If yes, any merchant or organization, regardless of size or  number of transactions, that accepts, transmits or stores any cardholder data is required to be PCI (Payment Credit Card Industry) compliant. This includes any debit, credit, and prepaid cards branded with one of the 5 associated/brand logos  that participant in PCI SSC—American Express, Discover, JCB, Mastercard, Visa International.  Using a third party processor does not exclude a company from PCI compliance.  Check your merchant services agreement which outlines your exposure.

 

Do you process payroll? 

If yes, you are responsible for the safekeeping of this data even if outsourcing to a payroll data company.

 

Does your business utilize computers/software to run any part of operations?    

If yes, what is the potential loss of income should the system be non-operational?

 

Do you offer any employee benefits to your employees? (health insurance/life insurance/ disability)?

If yes, you have Personally identifiable information on your employees, spouses and children that you are required to protect, whether in paper or electronic  format.

 

Does your company offer a wellness plan?

If yes, according to the Office for Civil Rights (enforcement body for HIPAA), providing workplace wellness programs to employees requires employers to gather health data through health risk assessments and various other means and those data must be protected under HIPAA.  The HIPAA Safety Rule requires that all covered entities to implement technical, administrative and physical safeguards to prevent protected health information from being viewed or accessed by unauthorized individuals.  Fines of more than $50,000 can be assess for each violation up to $1.5 million per calendar year.  Even companies that are not covered entities may be subject to HIPAA rules should PHI be breached.

 

Does your company allow employees to connect mobile storage devices to office computers?

If yes, malware and virus can infect your system via these devices.  If you have a policy that prohibits these activities, are you certain that all your employees follow the policy all of the time?

 

Have you ever received an email that appears to come from a known party directing you to transfer money? 

If yes, this is an example of a phishing scheme. 

 

Do you allow access to your system to outside parties using a VPN?

If yes, open portals are gateways into your system and are being utilized by hackers.

 

Do you conduct business over the internet or through your website?

 If yes, what impact would your business experience if it was no longer operational?


Do you provide for an EFT option to either accept payments from your vendors or to pay your vendors?

If yes, you have personally identifying information for either individuals or businesses – i.e. bank account information.

 

Do you require employment applications?

If yes, you have personally identifiable information.  Where is this information kept?  What do you do with applicant information for individuals that you do not ultimately employ?

 

Do you store, process, transmit any personally identifiable personal or health information for employees, customers, patients, students, companies, vendors, etc?

If yes, you have a legal obligation to protect that information. 

 

Contact us for additional information, or download our cyber liablity e-book to learn more about properly protecting the business you've worked so hard to build.

Topics: Cyber Liability

Criminal Hackers Targeting Payroll Data

Posted by the knowledge brokers

Tue, Mar 29, 2016 @ 03:51 PM

iStock_000062973913_Medium.jpgSince the beginning of the year there have been numerous reports of data breaches where criminals are gaining access to personal W-2, tax and payroll information by either hacking into on-line payroll systems or tricking employees into allowing access to this information.

On March 8, 2016 Ozaukee County reported that their payroll and tax portal “Greenshades” had been breached and the personal information of approximately 200 employees was compromised. According to the Greenshades website, they are experiencing an abnormal increase in identity thieves using personal information to log into the company’s system to access personal tax information.

Sequoia Union High School reported on February 3, 2016 that an unauthorized third party gained access to an office computer and accessed information on employees and retirees as a result of a phishing incident.

On February 24, 2016 Central Concrete Supply Co., Inc., Right Away Redy Mix, Inc, and Rock Transport, Inc. became aware of a data breach in which they believe a third party gained access to copies of 2015 W-2 income and tax withholding statements. The information was stolen through a sophisticated social engineering scheme in which an outside party posing as another person convinced a Central Concrete Supply employee to provide copies of documents by email.

In another breach, Turner Construction Company reported that certain person information was disclosed in an email to an unauthorized recipient. As a result, other persons may have obtained personal identifying information including name, social security number, name of each state in which wages or taxes were reported for the affected residents, and federal, state, local and Medicare earnings and tax withholding data.

Earlier this year a former records clerk at Tampa General Hospital was arrested for theft when it was learned that she accessed personal identifying information of patients and used that information to file $671,022 in fraudulent tax returns.

As these cases exemplify, criminals are targeting all types of businesses in order to gain access to the personal information of employees.  It appears that they have shifted their focus from credit card data to the personal employee information that all businesses have. Whether that information is outsourced to a payroll firm or retained internally, they are using sophisticated social engineering and phishing schemes to trick unsuspecting employees to provide access to this information.

Topics: Cyber Liability

Questions to Ask Your Bank Regarding Fraud

Posted by the knowledge brokers

Wed, Nov 11, 2015 @ 09:56 AM

MoneyWhen it comes to our banking relationships many businesses and individuals are lulled into believing that their funds are totally secure. While all banks accounts are insured by the FDIC, many do not realize that the FDIC insurance only covers bank failures and does not apply in the case of theft by fraud. Since fraud, in particular social engineering fraud, is costing businesses billions of dollars, it is vital to understand what your bank’s position is regarding the safety of your money.

Is there any protection that your bank is providing in the event of fraud?

Here are some questions that business owners should be asking their bankers:

  • Is the bank insuring our funds in the event that our user name/password is stolen and used to transfer money out of our account?
  • Does the bank offer any protection in the event that our employee is tricked into transferring money out of our account?
  • If our corporate credit/debit card is lost or stolen is there a limit on any amounts charged that we are responsible for?
  • What are the bank’s responsibilities in the event that a bank employee is tricked into believing that they are talking to our authorized representative and a funds transfer is allowed to be completed?
  • How secure are our funds in the event that the bank itself is hacked into?

In addition be sure to address all types of accounts that you may have, checking, savings, money market, retirement accounts, trusts etc. It is better to have this conversation with your bank prior to money disappearing from your account.

R&R Insurance Cyber Liability eBook

Topics: Cyber Liability, bank fraud, Business Insurance

The Real Cost of Medical Identity Theft

Posted by the knowledge brokers

Wed, Nov 11, 2015 @ 09:48 AM

Stethescope-MedicalLast night TMJ4 aired a story that hits home to residents of Wisconsin. A Monroe woman was sentenced to using the identity of a Puerto Rican woman whose medical ID she bought on the black market for $1500. She used this false identity to have a liver transplant and incur over $200,000 worth of medical bills. The story also talks about a Kenosha couple who ran into problems when applying for a home loan due to unpaid medical bills that were caused by someone using the wife's medical ID.

The theft of medical information is very lucrative for criminals and target all healthcare providers as holders of this vital information.

As a healthcare provider you can be insured but the extent to which insurance applies is complex. We can review your program and advise you where you may be at risk.

Topics: Cyber Liability, Healthcare, identity fraud, identity theft scam, identity theft, identity theft coverage, Business Insurance