
R&R Insurance Blog

Prepare Your Business for a Cyber-Attack

Posted by the knowledge brokers

Learn to Recognize the Warning Signs and Prevent Cyber Crime

Think your business is reasonably safe from a cyber-attack? Think again. The threat is so widespread that there is an entire black market built to arm hackers with the tools they need to breach your systems.

The good news is that there are a number of steps your business can take to not only protect your employee and client data, but also to demonstrate the level of diligence that is critical to your customers and insurers. Click here to download our free e-book: Prepare Your Business For a Cyber-Attack.

In addition to the e-book I want to share with you the results of the NetDiligence 2014 Study of Cyber Claims. This is their fourth annual study about data breaches and the claim losses they sustain. In the study they analyzed 117 data breach insurance claims in a variety of business sectors. They estimate this represents 5-10% of all claims filed. Here are some of the highlights:

1. Personally Identifiable Information was the most frequently exposed data followed by Personal Health Information
2. Hackers were the most frequent cause of loss followed by staff mistakes.
3. Healthcare was the sector most frequently breached followed by financial services
4. Small revenue (under $2 billion) companies experience most incidents
5. The average claim payout was $733,109. The average for a large company was $2.9 million; for healthcare it was $1.3 million
6. The average cost per record was $956.21
7. The average cost for Response Costs was $366,484
8. The average cost of legal defense was $698,797
9. The average cost of legal settlement was $588,520
10. Breach response costs are 30% higher when no insurance is in place.

This study further emphasizes the risks and the key role that insurance can play.


R&R Insurance Cyber Liability eBook

Topics: Cyber Liability, Business Insurance

Wisconsin Cyber Security Summit: Beware of FTC and More

Posted by the knowledge brokers

The 2015 WI Cyber Security Summit will be held on October 28, 2015 at the Marquette University Alumni Memorial Union, Monaghan Ballroom, 1442 W. Wisconsin Ave, Milwaukee. The conference begins at 7:30 am. Registration will be available shortly at www.homelandsecurity.wi.gov. The conference is hosted by the State of Wisconsin and will include cyber disruption response strategies, addressing cyber threats, recruiting & training the cyber security professional and networking with cyber security leaders.

Data Breaches and the FTC

As if businesses didn't have enough to worry about, on August 24, 2015 the U.S. Court of Appeals ruled in a unanimous decision that the Federal Trade Commission has the authority to bring actions against companies for failure to adequately protect consumer information from data breaches. The decision involves the case of Federal Trade Commission v. Wyndham Worldwide Corp, et al. Wyndham suffered a data breach in 2008 and 2009 when hackers gained access to their property management systems and stole information of more than 610,000 consumers. The Court ruled that the authority of the FTC resides under a section of a 1914 federal law that prohibits "unfair trade practices." The FTC claimed that Wyndham's computers "unreasonably and unnecessarily" exposed consumer data to the risk of theft.

Tracking a Bluetooth Skimmer Gang in Mexico
This is a really interesting article that outlines how the author found at least 19 different ATMs that had been hacked from the inside and retrofitted with tiny, sophisticated devices that store and transmit stolen card data and PINs wirelessly at various resorts in Mexico.



Topics: Cyber Liability, FTC, Business Insurance

Beware of Fraudulent Wire Transfer Instructions

Posted by the knowledge brokers

It’s happening more often and to more businesses, regardless of the size or type of business.

An email is received instructing the transfer of money. It appears legitimate—from the CEO, CFO, or trusted vendor with instructions to initiate a wire transfer. No red flags are raised. The money is wired, but the email was fraudulent. Unsuspecting businesses are falling victim to what is essentially a modern-day con job. According to the FBI, “companies across the globe lost more than $1 billion from October 2013 through June 2015 as a result of such schemes.” The Wall Street Journal reported on one such company, Mega Metals, that lost $100,000. Mega Metals, Inc is a 30-year-old company with 30 employees.

What should you do from both a preventive and reactive standpoint?

The best scenario is one in which the attempted fraud is detected and stopped. Alert and educate your employees so that they can be on the lookout for these schemes. One of our carrier partners has published a risk management brochure, the Guide to Preventing Social Engineering Fraud, by Chubb Insurance. Here are some of their recommendations:

  1. Never release confidential or sensitive information to someone you don’t know
  2. Establish procedures to verify incoming checks and ensure clearance prior to transferring money by wire
  3. Establish call-back procedures to clients and vendors for all outgoing fund transfers
  4. Verify any changes to customer or vendor details
  5. Be suspicious of unsolicited emails
  6. Avoid responding to any offers made over the phone or via email
  7. Be cautious in situations where a party refuses to provide basic contact information

If all of the loss prevention measures fail and your business becomes a fraud victim, is your business insured?

Even though most business policies contain an extension of coverage labeled “Crime Insurance” this is usually intended to provide a small limit of liability for Employee Dishonesty losses only. The good news is that insurance coverage is available from several carriers designed specifically to cover this type of loss.

These crimes are successful because they exploit human qualities of trust, helpfulness and fear to manipulate people. Even with proper precautions prevention may not be enough.

Download our free e-book, Understanding Cyber Liability Insurance, or contact a knowledge broker to ensure that coverage is in place should your business become a victim.


Topics: Cyber Liability, electronic crime, Business Insurance, Crime

Credit Card Penalties: Are You Prepared?

Posted by the knowledge brokers

As outlined by Payments Source, unprepared merchants may be at risk for significant loss to their bottom line if they suffer a data breach.

All merchants that accept, transmit, or store credit card holder data are subject to the Payment Card Industry Data Security Standard (PCI DSS). These security requirements were launched on September 7, 2006 to ensure that merchants maintained a secure environment for data. Any and all merchants that have a Merchant ID (MID) are subject to these regulations.

A new revision to these security standards takes effect at the end of June 2015. In short, merchants will need to change the common SSL (Secure Socket Layer) protocol to a more secure version of TLS (Transport Layer Security). E-commerce merchants will need to configure Web servers to work with TLS and turn off support for SSL, while brick-and-mortar businesses may need to update their payment applications.
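As an added illustration (not part of the original post or the Payments Source article), the Python sketch below scans web server configuration text for nginx `ssl_protocols` and Apache `SSLProtocol` directives and reports any line that still enables SSL. The sample configurations are constructed, and treating Apache's `all` keyword as including SSLv3 is a conservative assumption.

```python
import re

# Protocol names that count as "SSL" and must be switched off.
SSL_NAMES = {"SSLv2", "SSLv3"}
# Assumption: Apache's `all` is treated as if it still includes SSLv3 (newer
# builds drop it), so the audit may over-report but never hides an SSL listener.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
CANON = {name.lower(): name for name in APACHE_ALL | SSL_NAMES}
# Matches an active (non-commented) directive and captures its arguments.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.IGNORECASE)


def enabled_protocols(args):
    """Resolve a directive's argument list into the set of enabled protocols."""
    enabled = set()
    for token in args.split():
        sign = "-" if token.startswith("-") else "+"
        name = token.lstrip("+-").lower()
        if name == "all":
            names = set(APACHE_ALL)
        elif name in CANON:
            names = {CANON[name]}
        else:
            continue  # unknown token: ignore rather than guess
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def audit(config_text):
    """Return (line_no, directive, [ssl protocols]) for each line enabling SSL."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        ssl_on = sorted(enabled_protocols(match.group(2)) & SSL_NAMES)
        if ssl_on:
            findings.append((line_no, match.group(1), ssl_on))
    return findings


# Constructed sample configurations (not taken from any real server).
WEAK_NGINX = (
    "# constructed sample\n"
    "server {\n"
    "    listen 443 ssl;\n"
    "    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
    "}\n"
)
FIXED_NGINX = WEAK_NGINX.replace("SSLv3 TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2")
WEAK_APACHE = "SSLProtocol all -SSLv2\n"
FIXED_APACHE = "SSLProtocol all -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for label, text in [("nginx weak", WEAK_NGINX), ("nginx fixed", FIXED_NGINX),
                        ("apache weak", WEAK_APACHE), ("apache fixed", FIXED_APACHE)]:
        print(label, audit(text) or "no SSL enabled")
```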

For those merchants that are unprepared there is a significant risk for fines and penalties if they were to suffer a data breach. A security engineer for Trustwave Security told Payments Source that the fines and penalties could range between $100,000 and $500,000. In addition, penalties may include breach expenses ranging from $50,000 to $100,000, a $50 re-issuance fee per compromised card, and $2 per customer for credit monitoring. These penalties are in addition to a wide variety of expenses to comply with breach notification laws.

While cyber and data breach insurance policies will include coverage for breach notification expenses, credit monitoring, and ID theft repair, many (but not all) policies provide coverage for PCI fines and penalties. At R&R, we can customize a policy to fit the needs of your organization. Contact a knowledge broker to make sure you are prepared.


Topics: Cyber Liability, credit card, Business Insurance, data breac, payment card

Social Engineering Fraud: The Latest Trend of Money Theft

Posted by the knowledge brokers

In case you haven’t heard of this, it is the latest trend in the theft of money that is NOT covered by either a Crime Policy or a Cyber Policy. Here is a description of how it works.

 

The accounts payable clerk receives an email from the company president directing him/her to transfer money to an account in China. Since the company regularly transacts business in China and the email came from the president, the clerk proceeds with the transaction. However, it turns out that the email was never sent by the president. Another example is that the company has a contract with ABC janitorial service. The accounts payable clerk receives an email from ABC indicating that they have changed their banking relationship and to direct all future payments to a different bank (including routing numbers/account number, etc.). Time goes by and ABC contacts the company and inquires why their account is 3 months past due. Turns out that ABC never sent the email changing the banking information.

These instances are not covered under a commercial crime policy, as the policy was designed to cover theft perpetrated without the insured’s knowledge or through unauthorized access or fraudulent funds transfer by an imposter. There is no hacking, virus, unauthorized access to the network, etc. that would trigger any cyber coverage. These are examples of gullible employees who fail to follow procedures or assume that because they received an email it has to be true. A new version of “The Sting.”

For information on how to protect your business, contact a knowledge broker at R&R Insurance.


Topics: Cyber Liability, Business Insurance, Crime

5 Tips for Cyber Hygiene | Cyber Awareness Month

Posted by the knowledge brokers

The second annual State of Wisconsin Cyber Security Summit was held at Marquette University on October 8, 2014. The Summit brought together national and international cyber security experts to discuss how the threat of cyber attacks can be reduced. According to Maj. Gen. Don Dunbar, adjutant general of the Wisconsin National Guard and the senior state official for cyber-security issues:

“The impact of a modern emergency will have physical effects, cyber effects, or both. A cyber attack could be just as deadly and costly as a severe storm or major tornado. Cyber criminals could severely degrade basic services that we rely on such as power, water and communication systems,” said Maj. Gen. Dunbar. “That’s why Governor Walker ordered the expansion of the State of Wisconsin Emergency Response Plan to include an annex focusing on the state’s response to cyber attacks and has authorized the adoption of the cyber hygiene campaign.”

 

Steps of Cyber Hygiene

  1. Count: know what is connected to and running on your network.
  2. Configure: implement key security settings to help protect your system
  3. Control: limit and manage administrative privileges and security protocols; limit and manage those who have admin privileges to change, bypass or override your security settings
  4. Patch: regularly update all apps, software, and operating systems
  5. Repeat: regularize the top priorities to form a solid foundation of cyber-security

Other key notes from the conference:

  • In order to stop cyber crime we need to change behaviors. You can’t build a firewall for stupidity. Passwords are too easy to crack. The weakest links in cyber security are individuals, e.g. clicking on links or attachments in emails, or writing down passwords.
  • The problem with mobile devices is that the majority have no encryption, no password, and no time outs. 637,000 laptops are stolen every year at 106 US airports. The majority are never claimed.
  • Beware of wireless networks. For example, 90% of the wireless access points at Chicago O’Hare airport are rogue.

Businesses need to be aware that if they have sensitive data on a network they are a target regardless of the size of their operation. It takes criminals minutes and seconds to access your system and may take weeks and months for you to detect the intrusion. The Chinese are the biggest threat. In the old days a compromised machine could be taken off line. Now taking it off line moves the virus further into the system and requires forensics to locate and contain.



Topics: Cyber Liability, Business Insurance

5 Lessons Learned from the Home Depot Data Breach

Posted by the knowledge brokers

Since 2005, there have been 4,404 publicly reported data breaches encompassing 930,642,064 known records (the scope of some breaches is unknown at this point), according to privacyrights.org, a nonprofit clearing house.

Included in this total are the 56 million records compromised over a 5 month period in the breach reported by Home Depot last month. Not included at this point are the 76 million households affected by a breach at JPMorgan Chase, the nation’s largest bank on October 2, 2014.

While it is these large cases that make headlines, a recent study conducted by the Ponemon Institute found that more than half of small- and mid-sized businesses experienced a data breach and nearly three-quarters can’t restore their data. While businesses like Home Depot, Target, and JPMorgan Chase will weather this storm, 60% of small businesses close their doors within half a year of being victimized by cybercrime. According to testimony at the House Subcommittee hearing on Health and Technology, the one thing that hurts businesses more than anything else is using poor passwords.

Help prevent a cyber attack at your organization:

  1. Passwords should be at least 12 digits long, include capital and lower case letters, and have a number or two
  2. Businesses need to utilize encryption of all sensitive and regulated data
  3. Make sure your network is compliant: anti-virus, anti-malware, firewalls, that the firmware on your firewall is up to date, and patches to your operating system are current
  4. Conduct periodic network scans
  5. Have policies on security and the use of data and mobile devices. Train your employees on following these policies.

According to Home Depot, criminals used unique, custom-built software that had not been seen in previous attacks and was designed to evade detection. According to an article by Insurance Journal, approximately 40% of the cost will be covered by insurance. This is the future that businesses need to prepare for regardless of the size of your company.



Topics: Cyber Liability, jpmorgan chase breach, Business Insurance, home depot breach

R&R Insurance Services, Inc. Welcomes Josh Timm as Account Executive

Posted by Resource Center

Waukesha, WI -- R&R Insurance Services, Inc. welcomes Josh Timm as Account Executive. Timm has more than ten years of insurance industry experience.

Timm has held multiple sales, marketing and service positions with various insurance carriers including Wausau, Philadelphia Insurance Companies and Sentry Insurance. Most recently, Timm was with The Hanover Insurance Group as a Small Commercial Sales Manager responsible for working closely with Wisconsin agencies to enhance their service offerings and grow their business.

Timm will be concentrating on building a book of business within the technology and manufacturing arenas – specifically in the South and Central part of the state of Wisconsin. “Josh’s background strength in technological risks will bode well for customers with significant exposure in this area. Cyber Liability, Data Breaches, Cyber Extortion and Electronic Data Liability are just a few of the ever-increasing risks businesses face today, and Josh’s experience in this realm will be a true asset for R&R and for businesses in Wisconsin,” states Frank Maurer, Executive Vice President of Commercial Lines for R&R Insurance Services. “We are excited to have Josh on board and look forward to increasing our book of business in Southeastern and Central Wisconsin.”

Timm holds a Bachelor of Science degree from The University of Wisconsin, Stevens Point, Stevens Point, Wisconsin. Originally from Oregon, Wisconsin, Timm lives in Oregon and is an active member of the Middleton Chamber of Commerce, as well as the Oregon Youth Athletics.

R&R Insurance Services, Inc. has served the insurance needs of southeastern Wisconsin since 1975. Today, R&R is Wisconsin’s largest singly owned independent insurance agency offering businesses and individuals a full range of insurance products including property casualty, employee benefits, workers compensation, liability, life, dental and home/auto. R&R is also a shareholder with Assurex Global, a worldwide network of leading independent insurance agencies.

Topics: Josh Timm, Oregon, Wisconsin, Technological Risks, Cyber Liability, Data Breaches, Electronic Data Liability

Think Before You Click: Review of the State of WI Homeland Security Cyber Conference

Posted by the knowledge brokers

I attended the recent 2013 State of WI Homeland Security Cyber Conference. The overall message from the day: it is not IF you will suffer a breach but WHEN you will suffer a breach. I'm passing along a few notes:

  • Back in 2012 the State of South Carolina suffered a breach that exposed 3.8 million taxpayers, 1.9 million dependents, 700,000 businesses and 3.3 million bank accounts. The breach occurred because an employee inadvertently opened a phishing email. This error cost the state over $20 million—all because of an email. The State didn’t realize that they had been attacked until notified by law enforcement.
  • Lockheed Martin discovered an attack on their network that came in the form of emails sent to employees who had attended a conference; the emails appeared to contain follow-up slides and information for the conference attendees.

The FBI reported that the landscape for cyber crimes is changing to state-sponsored attacks, i.e. countries trying to steal US companies' R&D trade secrets from the private sector. Attacks are advanced and aggressive.

  • As individuals we should be aware that our greatest vulnerability is using credit/debit cards at places such as gas pumps, bus rides, remote vendors, etc. Companies that accept credit cards and are PCI compliant need to realize that this compliance is a baseline minimum.
  • The biggest threat to networks is the employees: "Think before you click" / "Beware before you share" should be the mantra. Businesses need to promote a culture of security awareness.
  • Private companies are urged to join InfraGard, which is a way to communicate with the FBI regarding threats and for the FBI to communicate back to businesses. www.infragard.org

No matter what precautions a company takes, you will never get ahead of a hacker.

The speakers included representatives from Utility Companies, Banking, Security Consulting, FBI, SC Dept of Revenue, and The State of Wisconsin National Guard/Homeland Security.

See the conversation on Twitter by searching #WICyber.


Topics: Cyber Liability, Real Life Examples

7 Key Coverage Elements of Cyber Liability Insurance

Posted by the knowledge brokers

While cyber insurance policies have been available in the market for years, I find that confusion still reigns as to what these policies cover. This confusion is warranted. The number of different policies available for cyber liability coverage along with an increasing number of endorsements that can be added to policies makes data breach coverage harder and harder to understand.

Here are the 7 Key elements to cyber liability coverage that you should look for in a cyber liability policy:

  1. Forensic Expenses:
    You have determined that data has been compromised and need to investigate what happened, how it happened, and what information was accessed. The expenses to hire an outside forensic team for discovery are covered.
  2. Legal Expenses:
    You will need legal representation in order to determine the scope of the federal and state breach notification requirements. You will also need legal counsel to defend you in the event a suit is filed against you.
  3. Notification Expenses:
    These expenses can include postage, paper, printing, call centers, etc.
  4. Regulatory Fines and Penalties:
    What more can I say? The government will want, and get, their pound of flesh.
  5. Credit Monitoring and ID Theft Repair:
    While not legally required, it is generally agreed that offering these services to the affected parties will reduce potential legal liability and is considered the right thing to do.
  6. Public Relations Expenses:
    The manner in which the breach is reported to the media is crucial to restoring your reputation and maintaining your clients, vendors, business associates, partners, and patients.
  7. Liability and Defense Costs:
    It's not uncommon for class action lawsuits to be filed against you following a breach. You will need legal representation which can be of your own choice or appointed by the carrier. Either way, coverage is available for these costs.

Most policies will include some coverage for all of these components. The limits, deductibles, coverage triggers, and scope of coverage can vary greatly from one carrier to the next. At R&R we believe that securing the right policy for your business is a process. We can help you understand your risks and exposures and craft a policy that meets your expectations.

Related articles:
Average Cost of Corporate Data Breach is $7.2 Million
Transfer Your Cyber Liability Exposure

For more information on how to protect your company against the cost of a data breach or anything regarding cyber liability, contact a knowledge broker.


Topics: Cyber Liability, Business Insurance, identity theft, credit monitoring after a data breach, data breach