We have all heard it’s not a matter of if your organization will face a data breach, but when. Why? People. Many people with bad intentions across the globe are looking for ways to get rich quick by defrauding organizations. Meanwhile, an organization’s most valuable assets, its people, fall prey to these bad actors.
Information and Related Costs at Risk
What are these bad actors interested in? Almost everything. A recent study of insurance claims for incidents indicates the following data was at risk
● Payment Card Industry (PCI) - 14%
● Protected Health Information (PHI) - 15%
● Critical files - 15%
● Personally Identifiable Information (PII) - 26%
● All others - 30%
As reflected, personal information such as social security numbers, birth dates, bank account information, credit card information and addresses tend to be highly sought after. Identity theft of individuals and businesses is the goal for the bad actors.
The average breach cost was $604,000. These costs were spent on crisis services ($307,000), legal defense ($106,000) and legal settlements ($224,000). Crisis services consisted of forensics, credit monitoring, notifications, legal guidance/breach coaches, and other related expenses.
A sample data breach calculator is available online through eRiskHub for you to perform your own calculation of a potential breach to your company’s data.
Industries at Risk
Small businesses and large businesses are all at risk. These bad actors see the value in attacking small companies with thousands of dollars available just as much as penetrating a large businesses with millions of dollars. The insurance claims study identified businesses with revenue under $50 million to be the targets 49% of the time. Companies with less than $2 billion in revenue accounted for 85% of the insurance claims.
The following industries reported the most incidents for insurance claim purposes:
● Professional services - 20%
● Healthcare - 17%
● Financial services - 12%
● All others - 12%
● Retail - 10%
● Education - 7%
● Nonprofit - 6%
● Technology - 6%
● Manufacturing - 4%
● Hospitality - 3%
● Public entities - 3%
Data Breach Mitigation Tools
These criminals have stepped up their phishing, spoofing and social engineering game making it more difficult to detect fraud from reality. Through nefarious business email addresses posing as business owners to ransomware, these bad actors are working hard to deceive others. External threats are trying to penetrate your organization on a daily basis. Their plan? Compromise your people and your computer networks. Knowing this, you should be considering how to mitigate your cyber risks.
Many organizations of various sizes have been considering the following mitigation tools over the past several years:
● Pre-breach consultation
● Cybersecurity awareness training for employees
● Cyber crime insurance coverage
Proactive cybersecurity assessments are important in identify weaknesses and opportunities to strengthen your organization’s weakest links. In addition, it’s helpful for organizations to have a formal incident response plan in place should an incident occur. Why? Because when an incident occurs, you don’t want to have a third party come in blind. Being responsive to an incident is critical and clearly documented plans help skip the information technology background needed.
Doing something with mitigating cyber liability risks is better than doing nothing. In a perfect world, your organization would implement and execute proactive and reactive cybersecurity plans. However, resource limitations are a factor and organizations must consider insurance products to offset accepted risks.
Cyber Coverage Insurance
Odds are, if you have cyber coverage insurance, you may not know what is and isn’t covered. For example, do you have cyber liability business interruption coverage? In a 2018 survey of cyber insurance market trends, businesses are most interested in purchasing cyber business interruption insurance. Business interruption insurance covers the loss of income as a result of a disaster such as a data breach. It is important to note that not all cyber insurances include coverage for related business interruption.
The same can be said for extra expense coverage. This is commercial property insurance coverage allows for covering additional expenses incurred above and beyond normal operating expenses. This type of coverage is critical when an incident occurs as your organization will incur additional investigative, legal and crisis management expenses.
Other cyber specific coverages can include:
● Funds transfer/social engineering
● Cyber extortion/ransomware
● Regulatory fines/penalties
● System failure coverage
● Data restoration
● Reputational harm
● Cyber-related bodily injury and/or property damage
● Internet media liability
You will also want to ensure your errors and omissions insurance covers data breaches to protect you from third party lawsuits.
In addition to what your cyber insurance may or may not cover, you will want to have discussions with your insurance contact regarding:
● Potential reduction in the premiums you pay for cyber insurance by having pre-breach consultations performed to assess your cybersecurity posture;
● Listing your preferred third party of choice to be your incident response provider should an incident occur; and
● Listing your preferred attorney with specialized cyber law knowledge.
By further understanding your insurance coverage, possible premium reductions and having your incident team assembled, your organization will be positioned to immediately address an incident.
Businesses Purchasing Cyber Coverage Insurance
The 2018 survey of cyber insurance market trends identified small (less than $50 million in revenue) to medium size businesses ($50 million to $1 billion in revenue) were driving the growth of cyber insurance. The following industries represented the majority of the new purchasers of cyber insurance:
● Healthcare - 42%
● Manufacturing/Industrials - 40%
● Financial Services/Insurance - 38%
● Retail/Point of Sale - 24%
● Government and Nonprofit - 18%
● Energy/Utilities - 18%
● Education - 16%
● Other - 8%
Drivers for Purchasing Cyber Coverage Insurance
Motivation for purchasing cyber coverage insurance is like fashion, buyers make decisions based on what they see in the news. The 2018 survey found news of cyber-related losses being the number one drive of businesses purchasing cyber insurance. Other motivating factors included experiences of cyber-related losses and requirements by third parties such as a customer.
Holistic Approach to Mitigating Data Breaches
Your business produces and runs off data. It’s imperative that you keep this information secure. The goal of your organization should be to identify, implement, and execute methods to protect this data at all times. This strategy should include proactive, reactive and insurance to mitigate the inevitable.
No comments:
Post a Comment