Category Archives: Cyber Liability Insurance

Understanding Your Commercial General Liability Insurance Will Absolutely Save Your Business From Financial Ruin

Most businesses that purchase commercial general liability insurance have little understanding of how it is structured and what actually matters. Instead they compare policies on the limit offered per occurrence and the premium charged for those limits. We are here to tell you those are the last two data points (coverage limit and premium) to consider when evaluating your liability insurance program. It’s a classic price vs. cost conundrum.

Over the next few paragraphs we will break down the critical components you should use when evaluating your commercial general liability insurance program. The goal is not a master class in every nuance of commercial general liability insurance; it is to get you to consider engaging a Risk Advisor (click here) to do the evaluation for you. Often a Risk Advisor will not charge you for the evaluation.

If the Risk Advisor is good at what they do, they will first understand how you make your money, who your customers are, where you operate and, importantly, the contracts that create both upstream and downstream obligations for your company. Understand that your commercial insurance program is always a trailer; it never leads. It reflects and finances potential future losses more efficiently than using your own operating capital. To properly design any commercial insurance program, both the broker and the customer need to spend time discussing in detail the operational components and risk profile of the business. How, where and from whom you make your money determines the shape of this critical exercise; it can range from fairly simple to pretty complex. You do the heavy lift once, then tweak it yearly as your business evolves.

QUICK TIP: You can tell how good the Risk Advisor is by the questions they ask and the process they put forth to understand your business. If it’s ad hoc and only takes a few minutes, that’s a big red flag. Did they analyze your loss runs, contracts, licensing agreements, the laws you may be subject to in operating your business, and your future goals?

We say insurance is always a trailer because the real purpose of insurance is to transfer a potential future “net income loss” (defined as income you would have had but for a particular event) from YOUR balance sheet to the insurance carrier’s balance sheet for the lowest premium possible. Here is the key phrase: AS MUCH RISK AS POSSIBLE for the LOWEST PREMIUM available. More on that later and why it is so important.

Here is the primer I promised before I went off on a tangent to frame this EXPLAINER.

COMMERCIAL GENERAL LIABILITY INSURANCE: The best way to remember this section is that there is a reason it’s called “GENERAL LIABILITY”. It’s general (non-specific), kind of plain vanilla, designed mainly to cover claims from the general public. It is NOT designed to cover losses involving hiring, firing and management practices for your employees. It is NOT designed to cover your customers for specific errors, omissions or designated professional practices as they relate to the duties you perform.

It’s the most generic form of commercial liability insurance available to a business to insulate it from future third-party losses. Commercial general liability insurance is designed to cover losses for which you may be responsible to a third party, typically a member of the general public, for an injury or loss they suffered. Think of a pedestrian who slips and falls outside your retail store. They litigate against you and the building owner. The building owner will have their own commercial general liability insurance, as will you. Who pays will be determined by the details of the incident and by your lease, which spells out your business’s obligations.

If you want to understand what your commercial general liability policy covers, start with what it DOESN’T cover by going straight to the EXCLUSIONS section of the policy. There you will uncover how woefully inadequate the coverage can be.

Without getting too much into the weeds here let me highlight a few key risks & exposures you may have that will NOT be covered in your commercial general liability policy.

CLAIMS BETWEEN YOU & YOUR EMPLOYEES: 

  • Harassment: It could be sexual, it could be gender based, or you could simply have a bad egg in your midst who bullies co-workers or subordinates. It takes very little for an employee to file a harassment complaint with your state’s Department of Labor, which will trigger a very expensive Department of Labor audit. Worse, they could lawyer up, knowing (or having heard) that it’s an easy way to make a quick buck. They are right: most of these claims end in a financial settlement in which your business pays the employee rather than face expensive litigation.
  • Wage & Hour: These are hugely expensive to a business, primarily because the audits are invasive, word spreads to ex-employees who want to join the gravy train, and the cost to defend (employment attorneys) is high. Finally there is the settlement, if it’s determined that you did not properly pay overtime or other wage-related claims.

Just Google WAGE & HOUR lawsuits in your industry to read some of the horror stories. It won’t take long for you to determine that an employment practices liability policy is essential to the continuity of your business.

These are just two quick examples. There are far more, like discrimination. Bottom line: you MUST transfer this risk to an insurance carrier for a premium, as it’s too expensive to retain.

CLAIMS INVOLVING DIFFERENT TYPES OF SERVICES YOU PERFORM:

Examples here would be services that are technical and require licensing, specific training, etc. A specific example might be a home healthcare agency that provides in-home services for the elderly. If it’s asserted that a home health aide failed in their duties or was negligent, and a patient fell and broke a hip, the agency may be held liable for the resulting injury. Even if you feel you were not negligent, the cost of going to the mat to defend the suit will be crazy expensive, even if you win. Unless the home healthcare agency purchased PROFESSIONAL LIABILITY INSURANCE, it is funding this very expensive loss itself. The cost to defend such an event is easily six figures, to say nothing of the settlement.

Many non-profits perform services for their “clients” that require specialized skills and are typically excluded on a commercial general liability policy. They may provide elder care, youth services, counseling, legal services, placement services, etc. Much care needs to be taken to properly understand your risk and exposure to loss, then decide whether you want to transfer that risk or exposure to an insurance carrier for a premium.

Often with non-profits we conduct a simple contract-for-services audit to understand what services they have been retained to deliver. Then we audit the professional liability policy to check whether that exposure was contemplated. In a recent services audit for a local non-profit that provides job placement services for disadvantaged youth, we determined that it did NOT have the correct coverage for those services. Its professional liability policy did not include molestation coverage, which could be critical if it placed a youth in a situation that led to an “event”. Just the assertion of such an event could wipe out years of operating budget.

In the above example they did purchase professional liability coverage; however, without the audit and an understanding of their true exposure to loss, there was the potential for catastrophic failure if someone pointed a finger. Too often, without an audit, non-profits and other organizations learn of the deficiency only after the claim is denied, making their education very expensive.

CLAIMS DUE TO AN ERROR OR OMISSION:

In many service organizations, failure to perform a certain job function may result in damages to either your customer or the general public. An example might be a construction firm that improperly installed weep holes in the masonry façade of a building. Water built up behind the masonry wall, went undetected for a period of time and ultimately caused the façade to collapse onto the street below. This actually happened to one of our clients.

Since they had purchased construction errors & omissions insurance from us, the loss was defended and the damages covered: mostly the purchase of new materials and the labor to install them. Architectural fees, scaffolding, permits, etc. were also covered. The cash to investigate, defend and ultimately finance the repair was all paid from the construction errors & omissions policy. This had the effect of allowing the business to keep its cash flow, budgets and profits intact. Errors & omissions liability insurance is available to most service businesses, not just construction.

CLAIMS DUE TO A DATA BREACH :

This one can be fairly complex, with lots of potential for errors. Imagine you get an email from a hacker stating that unless you pay a ransom, they are going to slowly release all of your customers’ private information onto the web. Further, they will tell your customers where they got the information and that you refused to pay the ransom, which is why all their data is exposed. Imagine you’re a divorce attorney, a child psychologist or a financial advisor.

There are many examples in which your customers’ data or systems are compromised by malware that may or may not have come from your network. The mere fact that someone may point a finger at your company and assert that the intrusion started from an email your company sent is going to be a six-figure event, and these claims can be very, very expensive to defend. In states like New York, which passed the SHIELD Act, the fines alone from a state or federal regulator can put you out of business, as they run well into six figures.

In this situation you need a standalone Cyber Liability Insurance policy.

QUICK TIP: NEVER assume you have coverage for cyber liability just because your carrier added an endorsement onto your policy with a $1 million limit stating they cover you for a cyber liability event. Those endorsements fall woefully short of proper coverage. They are hollowed-out coverage forms that give the false impression you are covered. This will only come to light when you file the claim and receive a denial.

CLAIMS DUE TO A FAILURE TO COMPLY WITH GOVERNMENTAL RULES & REGS: 

Sadly, most companies aren’t aware that as a private company you are exposed to loss from rules, regulations and codes that create obligations for your company, and from a failure to comply with them. In this situation a Directors & Officers policy will help provide a defense and in some cases help pay the fines or settlement due to these infractions.

QUICK TIP : ON PRICING FOR ANY TYPE OF COMMERCIAL LIABILITY INSURANCE POLICY :

Pricing is predicated upon a “BASIS”: a unit of measurement that the carrier determines best reflects its actuarial tables for the probability of a future loss. This is how it arrives at a premium. Some carriers are flexible with the basis; others are not and use one type of basis for all the premiums they charge. You should determine up front what the best possible basis is for your company to yield the lowest possible premium.

Examples of “BASIS” would be :

  • Payroll
  • Sales
  • Units
  • Square Footage
  • Contracts

Contingent on the basis chosen, the carrier applies a formula to arrive at the premium charged. A huge variable in that formula is your company’s loss pic (loss picture): the ratio of historical premiums charged to claims paid out. Essentially, how much profit has your account generated over the previous five years based on incurred losses? For more on LOSS PICS, CLICK HERE.

We plan on doing a future piece just on pricing of Commercial General Liability Insurance as it’s way too much to tackle here.

A final thought: there are many risks and exposures that a typical commercial general liability policy will disclaim. We cannot stress enough that a thorough evaluation with a qualified RISK ADVISOR of how you do business, where you make your money, how you make your money and from whom you make your money is the ONLY way to properly insure the risk.

You cannot properly transfer or finance a risk that hasn’t been identified. Further, unless you stress test your insurance program BEFORE a loss occurs, you are setting yourself up for a very expensive lesson.

 

New York Department of Financial Services Warns Businesses Who Use “Instant Quote” Software of Targeted Cyber Attacks

The New York Department of Financial Services (DFS) has issued a cybersecurity fraud alert to all of its regulated entities, describing a “systemic and aggressive” campaign to steal consumers’ private data.

The DFS has received reports from several regulated entities of successful or attempted data theft from websites that provide instant quotes to the end user. Every entity using instant-quote software on a public-facing website is a potential target for this type of attack. The attackers appear to be using the stolen data to apply for pandemic and unemployment benefits.

According to the alert, all regulated entities with instant-quote websites should immediately review their websites for evidence of hacking. Reports have shown that even when consumer data is redacted on the displayed page, cybercriminals have been able to recover the full unredacted information.

Reports have confirmed several methods that criminals have used, or attempted to use, to steal consumer data from auto quote websites:

  • Taking unredacted information from the auto quote website’s HTML (Hypertext Markup Language) that was not displayed on the rendered page but was present in the source the server sent to the browser.
  • Using browser developer tools to intercept and decode unredacted consumer information in the responses the site returns.
  • Manipulating the site to reach parts of the public-facing website where the unredacted data is stored.
  • Purchasing a policy, after requesting a quote, using fraudulent payment methods in order to view the policy owner’s information, including his or her driver’s license number.
  • Requesting a quote and receiving an agent’s contact information to use social engineering to elicit information from the agent.
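The first and third methods in the list come down to one mistake: redacting on the client instead of the server. The Python below is an added example, not code from the DFS alert or from any real quote site. It shows a vulnerable page builder that sends the full driver’s license number to the browser and merely hides it, a hardened builder that masks on the server and sends an opaque quote id instead (the quote record, the id and the license-number format are assumptions), and the kind of pattern an attacker’s script would run over the raw HTML.

```python
import html
import re
from typing import List

# Constructed quote record for the demonstration; not real data.
SAMPLE_QUOTE = {"name": "Jane Example", "driver_license": "X12345678"}


def mask(value: str, visible: int = 4) -> str:
    """Server-side redaction: keep only the last `visible` characters."""
    if len(value) <= visible:
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]


def render_vulnerable(quote: dict) -> str:
    """The flawed pattern: the full license number goes to the browser and is
    only hidden (display:none, a hidden input) so the page *looks* redacted.
    View-source, the network tab or a one-line script exposes it."""
    dl = html.escape(quote["driver_license"])
    return (
        "<div class='quote'>"
        f"<span class='dl-masked'>{mask(dl)}</span>"
        f"<span class='dl-full' style='display:none'>{dl}</span>"
        f"<input type='hidden' name='dl' value='{dl}'>"
        "</div>"
    )


def render_hardened(quote: dict) -> str:
    """Redact before rendering: the browser only ever receives the masked value
    plus an opaque quote id (assumed design) that the server maps back to the
    record when the customer proceeds to purchase."""
    masked = html.escape(mask(quote["driver_license"]))
    return (
        "<div class='quote'>"
        f"<span class='dl-masked'>{masked}</span>"
        "<input type='hidden' name='quote_id' value='q-7f3a'>"
        "</div>"
    )


# Shape of a license number in this constructed example: one letter, eight digits.
DL_PATTERN = re.compile(r"\b[A-Z]\d{8}\b")


def scrape_unredacted(page_html: str) -> List[str]:
    """What an attacker's script does: ignore the rendered view and search the
    raw HTML for anything shaped like the data the page claims to hide."""
    return DL_PATTERN.findall(page_html)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, scrape_unredacted(render(SAMPLE_QUOTE)))
```

Run the scraper over both outputs: against the vulnerable page it pulls the license number twice (hidden span and hidden input); against the hardened page it finds nothing, because the value never left the server. The same check belongs in the redaction review the DFS recommends: fetch the quote page as a client and search the response body, not the rendered view, for anything that looks like the data you meant to redact.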

The DFS has requested prompt reporting of any attempts to steal consumer information from public-facing websites. Reports of unsuccessful attacks have previously been used to identify the techniques used by attackers. This helps the DFS respond quickly to new threats and continue to help protect consumers and the financial services industry.

Any DFS-regulated entity with a website that uses this type of technology should immediately review the following indicators:

  • Data analytics and website traffic metrics for spikes in quote requests. An unusual spike in abandoned quotes within a short time frame was one of the key indicators of this type of attack. More broadly, regulated entities should look for an increase in consumer submissions that terminate as soon as consumer data is revealed.
  • Server logs for evidence of unauthorized access to private information. After your IT team has reviewed your web traffic, have them review your server logs for that period. When examining the logs of customer sessions, security teams should check whether the sequence of requests looks like a browser following the page flow or like a script driving the site and manipulating it with developer tools.
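Both indicators can be checked mechanically from the web server’s access log. The Python below is an added example, not from the DFS alert or from any particular entity: it parses a handful of constructed common-log-format lines (the IPs, paths and timestamps are made up, and the endpoint names /quote/result and /quote/purchase are assumptions standing in for “the step that reveals consumer data” and “the step a genuine shopper continues to”), counts quote results per client that were never followed by a purchase, and flags clients that abandon several quotes within a short window.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Common log format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

RESULT_PATH = "/quote/result"      # assumed: the page that reveals consumer data
PURCHASE_PATH = "/quote/purchase"  # assumed: the step a genuine shopper continues to

# Constructed sample log (not from any real system): one client hammers the
# result page and never buys, one real shopper buys, one abandons a single quote.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2021:09:00:01 +0000] "POST /quote/start HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2021:09:00:03 +0000] "GET /quote/result?id=q1 HTTP/1.1" 200 2048
203.0.113.5 - - [10/Feb/2021:09:00:09 +0000] "POST /quote/start HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2021:09:00:11 +0000] "GET /quote/result?id=q2 HTTP/1.1" 200 2048
203.0.113.5 - - [10/Feb/2021:09:00:17 +0000] "POST /quote/start HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2021:09:00:19 +0000] "GET /quote/result?id=q3 HTTP/1.1" 200 2048
203.0.113.5 - - [10/Feb/2021:09:00:25 +0000] "POST /quote/start HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2021:09:00:27 +0000] "GET /quote/result?id=q4 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Feb/2021:09:02:40 +0000] "POST /quote/start HTTP/1.1" 200 512
198.51.100.7 - - [10/Feb/2021:09:03:15 +0000] "GET /quote/result?id=q5 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Feb/2021:09:06:02 +0000] "POST /quote/purchase HTTP/1.1" 302 0
198.51.100.8 - - [10/Feb/2021:09:10:00 +0000] "POST /quote/start HTTP/1.1" 200 512
198.51.100.8 - - [10/Feb/2021:09:10:45 +0000] "GET /quote/result?id=q6 HTTP/1.1" 200 2048
"""


def parse_log(text: str) -> List[dict]:
    """Parse common-log-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        entries.append({
            "ip": ip,
            "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method,
            "path": path.split("?", 1)[0],   # drop the query string
            "status": int(status),
        })
    return entries


def abandoned_results(entries: List[dict],
                      follow_up: timedelta = timedelta(minutes=10)) -> Dict[str, List[datetime]]:
    """Per client IP, timestamps of successful /quote/result views that were not
    followed by a /quote/purchase from the same IP within `follow_up`."""
    by_ip: Dict[str, List[dict]] = {}
    for e in entries:
        by_ip.setdefault(e["ip"], []).append(e)
    abandoned: Dict[str, List[datetime]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        purchases = [e["ts"] for e in evs if e["path"] == PURCHASE_PATH]
        for e in evs:
            if e["path"] != RESULT_PATH or e["status"] != 200:
                continue
            if any(e["ts"] <= p <= e["ts"] + follow_up for p in purchases):
                continue  # a real shopper continued to purchase
            abandoned.setdefault(ip, []).append(e["ts"])
    return abandoned


def flag_scrapers(entries: List[dict], threshold: int = 3,
                  window: timedelta = timedelta(minutes=5)) -> List[str]:
    """IPs with at least `threshold` abandoned quote results inside any `window`."""
    flagged = []
    for ip, times in abandoned_results(entries).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_scrapers(parse_log(SAMPLE_LOG)))
```

On the sample, 203.0.113.5 views four quote results in under 30 seconds and buys nothing, while the real shopper (198.51.100.7) reaches the purchase step and the one-off abandoner (198.51.100.8) is ignored. The flagged list is what feeds the per-IP quote limit and block list the DFS suggests further down; in production, key on session id as well as IP, since scrapers rotate addresses.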

These are just two suggestions by the DFS. There are a number of other ways cybercriminals can access information. Regulated entities should also follow their usual procedures for detecting and responding to cyber incidents.

The DFS has suggested the following steps for entities that are using Instant Quote websites to collect information:

  • Conduct a thorough review of website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS), and Hypertext Markup Language (HTML) configurations. (SSL itself is obsolete; in practice this review should confirm that only current TLS versions are enabled.)
  • Review public-facing websites for browser web developer tool functionalities. Verify and limit access so that users cannot adjust, deface or manipulate the website content using web developer tools. Bear in mind that developer tools cannot be disabled in a visitor’s own browser, so the control that actually holds is ensuring the server never sends data the visitor is not supposed to see.
  • Review and confirm that the redaction of consumer information is properly implemented throughout the entire transmission of the data, not just in what is displayed.
  • Ensure that privacy protections are up to date and effectively protect the data by reviewing which applications use the data, who is authorized to view the data and, most importantly, where the data is stored.
  • Search and scrub public code repositories for proprietary code.
  • Block the IP addresses of suspected unauthorized users and consider a quote limit per user session or IP address.

Anyone with questions regarding the alert from the NY Department of Financial Services should contact the department directly at CyberAlert@dfs.ny.gov

 

If you have any questions regarding your own cybersecurity, contact one of our Risk Advisors at 914-357-8444 or visit our Contact Us page to schedule a 10-minute meeting.

 

Social Engineering: A Growing Cybersecurity Risk


This past summer we wrote an article about the dangers of social engineering and how to prepare your organization for a socially engineered cyber attack. To reiterate: social engineering is the use of deception to manipulate individuals into giving up personal information. Driver’s licenses, passports, medical records and bank information are all examples of records that social engineers try to obtain from you.

Why you and your organization should be aware of Social Engineering 

Social engineering can impact your personal data as well as your business’s data. These cybercriminals rely on manipulating people rather than breaking into computer systems to get into a target’s account. Attackers know they often don’t need to get through protected systems because humans are much easier to break down. They find some small piece of information and exploit human weaknesses to gain access to more. That makes it important for individuals to educate themselves on these risks and the danger they pose to confidential information.

Attack methods

Social engineering attacks fall into three broad categories, each using psychological tricks to steal your personal information.

Physical Social Engineering Attacks

Physical social engineering attacks include dumpster diving and tailgating; trash cans, open access to the property and office reception areas are the typical vectors.

Technical Attacks

Technical social engineering attacks include password guessing and online profiling; the typical vectors are malware, unsecured networks and social media.

Socio-Technical engineering

Socio-technical attacks include phishing and watering holes; the typical vectors are emails, social media posts and compromised websites.

Social media

Social profiling is one of the easiest ways to gain enough information about a person to take over an account or steal their identity. The problem has grown with the popularity of social media platforms; social media users are a gift to social engineers because so much of their personal record is online. For example, a post saying “I hate my job” can attract an attacker. The post gets noticed and the attacker targets the individual personally: posing as a recruitment consultant, the criminal extracts personal information while appearing to be a trusted source. Social engineers work profile by profile, building targeted dossiers from posts, pictures, holidays and birthdays.

Where are cybercriminals investing?

Phishing techniques are now very well established in cybercrime, and new techniques appear constantly. These include social profiling, fake voices, deepfake voices and mouth mapping. The growing performance of computer systems has made mimicking specific voices possible. Most of the investment goes into “voice conversion” and “text-to-voice”. Voice conversion involves two voices (the source and the target) and software that converts one into the other. Text-to-voice conversion allows a mimicked voice to say whatever the user of the software submits as text.

Researchers expect full voice conversion and text-to-voice to be available as services on mobile phones, creating mimicked voices on demand, in about 3-5 years; this will have serious economic and political consequences. Mouth mapping is another technique becoming popular in cybercrime; it complements existing fake-voice technologies and is well suited to political and journalist targets. It is also applicable to social media and web conferencing.

A solution to Social Engineering

Social engineering is a crucial component of any written cyber liability policy for individuals and companies. With this in mind, make sure you and your organization have cybersecurity awareness training so people can recognize social engineering and the way attackers assemble bits and pieces of information from different users’ accounts without the users being aware of it. Risk management frameworks, security strategies and analytics tools should all account for the threat.

At Metropolitan Risk, we offer a comprehensive Cyber Risk Assessment to ensure that businesses are protecting themselves from cyber attacks with the best resources possible. Click here if you are still looking for more info or you have any questions. We have a team of Risk Management specialists who are here to help!

Email Attachment File Types That Can Potentially Contain Malware

With more departments working remotely, an email from the IT department asking for remote access to your computer isn’t an unreasonable thing to find in your inbox. Cybercriminals know this.

Malware in the form of an email attachment is one of the easiest ways a cybercriminal can attack an organization. Using social engineering, cybercriminals can pose as job candidates and easily convince HR departments to open files like “resume.docx” without considering that the link or file may actually deliver ransomware or keylogging software.

With more organizations operating remotely, an email from the “IT Department” asking employees to update the organization’s software through an email attachment isn’t a far reach, especially at a time when fewer employees are commuting to the office and digital communications are at an all-time high.

Emails from cybercriminals posing as trusted sources are a common phishing scheme that can cost organizations dearly. Some are socially engineered to pose as a co-worker asking for gift cards; others are attackers sending malware as an attachment.

What is Malware?

Malware is any software designed to disrupt, damage or gain unauthorized access to a computer system. Malware can lie dormant on an organization’s systems for months before activating. In some cases it isn’t damaging anything on the network but is quietly gathering information for cybercriminals.

Files That Are Commonly Attached To Email 

These are the most common types of files attached to emails. If you receive an attachment from an unknown sender, verify it before opening it, and do so through a channel you already trust (a known phone number or a colleague who knows the sender), not by replying to the email: if the sender is the attacker, a reply only confirms that you are a live target.

  • .txt Files that end in .txt are typically safe to open. There have been cases where cybercriminals sent out mass emails with attachments that appeared to be .txt files but actually carried a second extension (for example, .txt.exe) that most email programs and Windows Explorer did not display. As soon as users opened what they thought was a .txt file, the executable ran instead.
  • .pdf PDFs are also generally considered safe to open. However, there have been known security flaws in the programs that open .pdf files, and a PDF can carry scripts and links. Even though these files are typically safe, verify that the sender is trustworthy before you open the attachment.
  • .doc/.docx/.xls/.xlsx/.ppt/.pptx Microsoft Office documents of all types are very commonly manipulated to contain malware, usually through macros. The newer .docx/.xlsx/.pptx formats were designed so that macro code cannot be stored in them (macro-enabled files use .docm/.xlsm/.pptm, and the legacy .doc/.xls/.ppt formats can always carry macros), but they can still carry embedded objects and links, so treat unexpected Office files with suspicion regardless of extension. If you receive a file that ends in .doc, .xls or .ppt, ask the sender to resend it as a .pdf.
  • .jpg This extension is often used to camouflage executable programs (for example, photo.jpg.exe). If your email program or operating system hides the full file extension, you could be opening malware.
  • Compressed files (.zip/.rar) can have malware embedded in them that runs as soon as the file inside is opened, and archives (especially password-protected ones) hide their contents from many mail filters, which is why attackers favor them. Do not open them from unknown senders.
  • Executable files Most email providers now filter for these file types and block emails with such attachments. Executable files can contain anything from legitimate software updates to actual malware.
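Most of the tricks above (a hidden second extension, a .jpg that is really a program, a macro-capable format) can be caught from the attachment name before anything is opened. The Python below is an added example rather than part of the original article or of any mail product: a name-only classifier whose extension lists are assumptions to adjust for your own gateway. It also catches two disguises the list does not mention: the Unicode right-to-left override character, which makes a name ending in “fdp.exe” display as ending in “exe.pdf”, and whitespace padding that pushes the real extension off the screen.

```python
from typing import Dict, List

# Extension groups (assumed, illustrative lists; extend them for your own mail gateway).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
                   "wsf", "wsh", "hta", "msi", "ps1", "lnk", "cpl", "reg"}
MACRO_CAPABLE_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pot",         # legacy binary Office
                      "docm", "dotm", "xlsm", "xlsb", "pptm", "ppam"}   # OOXML macro-enabled
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img", "gz", "tar"}
BENIGN_LOOKING_EXTS = {"txt", "pdf", "docx", "xlsx", "pptx", "jpg", "jpeg", "png", "gif"}

RLO = "\u202e"  # Unicode right-to-left override: visually reverses the tail of a name


def classify_attachment(filename: str) -> Dict[str, object]:
    """Return {'risk': 'high'|'medium'|'low', 'reasons': [...]} for an attachment name.
    Name-only: a first filter, not a substitute for content inspection."""
    high: List[str] = []
    medium: List[str] = []

    # Normalise: drop the override character, lower-case, and strip whitespace
    # padding from each dotted segment so "x.pdf      .exe" parses as pdf + exe.
    cleaned = filename.replace(RLO, "").strip().lower()
    parts = [p.strip() for p in cleaned.split(".")]
    exts = parts[1:]
    final = exts[-1] if exts else ""

    if RLO in filename:
        high.append("right-to-left override character in name")
    if "   " in filename:
        high.append("whitespace padding that can push the real extension out of view")
    if final in EXECUTABLE_EXTS:
        high.append(f"executable type .{final}")
    # Double extension: a benign-looking type followed by something else, e.g. resume.txt.exe
    if len(exts) >= 2 and exts[-2] in BENIGN_LOOKING_EXTS and final not in BENIGN_LOOKING_EXTS:
        high.append(f"double extension .{exts[-2]}.{final} disguises the real type")
    if final in MACRO_CAPABLE_EXTS:
        medium.append(f"macro-capable Office format .{final}")
    if final in ARCHIVE_EXTS:
        medium.append(f"archive .{final}: contents are not visible to a name-based filter")

    risk = "high" if high else "medium" if medium else "low"
    return {"risk": risk, "reasons": high + medium}


if __name__ == "__main__":
    for name in ("resume.docx", "resume.doc", "resume.txt.exe", "photo.jpg.scr",
                 "invoice.zip", "report" + RLO + "fdp.exe"):
        print(repr(name), classify_attachment(name))
```

Treat the result as a first filter only: a name tells you nothing about the bytes inside, so a “low” verdict still deserves content inspection (magic bytes, macro scanning, detonation), and a “high” verdict should block or quarantine rather than merely warn.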
At Metropolitan Risk, we offer a full cyber evaluation to help your organization recognize its digital strengths and weaknesses. Click here to request a Cyber Evaluation or call 914-357-8444 to speak with a Risk Advisor.

Data Privacy Day

What is Data Privacy Day and why it’s important to your organization?

Data Privacy Day is January 28th. It commemorates the signing, on January 28, 1981, of Convention 108, the first binding international treaty on the protection of individuals’ personal data. The day is observed on that date every year, and the National Cyber Security Alliance (NCSA) encourages individuals and businesses to take part.

The National Cyber Security Alliance encourages individuals to take action and “Own Your Privacy” by learning how to protect their important data online. Businesses are encouraged to respect individuals’ privacy, and organizations are held responsible for keeping individuals’ information safe and ensuring fair data processing.

Businesses encouraged to “Respect Privacy”

Individual Data Privacy

Individuals are starting to feel that they are no longer in control of their own personal data. They can learn about what kind of data they create online and how that data is collected, shared, used and stored.

Your personal data is valuable. Do you know what information you’re sharing with businesses? Purchase history, IP address, your location: these are of tremendous value to businesses. Make smart choices when sharing data with businesses that ask for it.

Keep track of which apps are asking for access to your information. Apps ask for access to your location, contact list and photo album, or to connect to other apps. Be thoughtful about which apps you grant permission to, especially when the permission isn’t required for the service they offer; many apps ask for access to data they don’t need.

Manage your privacy settings across all platforms. Check the privacy and security settings on the web and in all apps, then set them to your comfort level for how much you want to share and with whom.

Business Data Privacy

Businesses have to respect consumers’ privacy; it is also a smart tactic for gaining trust and enhancing reputation and growth. Here are some tips on respecting privacy as a business.

Protect the data you collect. An intentional or unintentional release of confidential information to an untrustworthy party leads to financial loss, a decrease in customer trust and a loss of reputation. Make sure the private data you collect is processed fairly and is collected only for appropriate purposes.

Conduct a cyber risk assessment. Understand which privacy rules apply to your business and educate your employees to protect the personal information you hold. At Metropolitan Risk we offer a comprehensive cyber risk assessment to help your organization create a strong cybersecurity plan.

Maintain data transparency. Be open and honest about how you collect, share and use private information from consumers, and let your audience know the steps you take to maintain their privacy.

Sustain oversight of what data your partners and vendors use and how they manage it. If a partner provides services on behalf of your organization, you are also responsible for how that vendor collects and uses your customers’ personal data.

If you would like more information on how to keep your personal data safe and secure, contact one of our Risk Advisors today or call 914-357-8444.

 

Risk of a Common Password and Ways to Avoid it (Infographic Inside)

Using a common password leaves your organization’s accounts open to attack. Make password protection a major component of your organization’s cybersecurity plan. The risk of a common password is tremendous, and you should avoid having one at all costs.


Did you know:

  • 4.7% of users have the password “password”;
  • 8.5% use “password” or “123456”;
  • 9.8% use “password”, “123456” or “12345678”;
  • 14% have a password from the top 10 passwords used;
  • 40% have a password from the top 100;
  • 79% have a password from the top 500;
  • 91% have a password from the top 1,000.

 

What does this tell you? Think twice before you make “abcdef” your next password. According to a study from SecurityCoverage Inc., if a password contains just six lowercase letters, especially a common word or combination, a cyber-thief can figure it out in 10 minutes.

However, making a six-character password that includes numbers AND symbols boosts complexity enough that a skilled hacker would need 16 days to break it, the study found, a task most likely not worth that hacker’s time.

Some sites now require a password with at least one uppercase letter, one number and maybe a symbol as well. This is a step in the right direction even if it makes remembering your password a little tougher. A simple, easy-to-remember example of this pattern would be “Money17$”. (Don’t actually use that one: any password printed in an article like this ends up in attackers’ word lists.)

The real security, of course, comes from those dreaded generated passwords: longer, at least 8 characters, with letters, numbers and symbols in random order. They are nearly impossible to remember. However, an eight-character password of random letters, numbers and symbols will take 463 years to break according to the same study, and nine random characters a whopping 44,530 years. (Those figures depend on how fast guesses can be made; against a leaked password hash cracked offline on GPUs they shrink dramatically, which is why length matters more than the exact mix of symbols.)

“People are careless because they don’t understand the threat,” said Ed Barrett, VP of marketing for SecurityCoverage. LinkedIn was compromised in June 2012 and had 6.5 million passwords leaked. Yahoo had 6 million passwords stolen as well.

Another consideration: don’t use the “show password” option when you type passwords where others can see your screen. And many attackers don’t bother guessing at all; they infect employees’ computers with a keylogger that records keystrokes, and with them the passwords.

The fact is you can either use strong, complex passwords and have trouble remembering them, or use simple, weak passwords and run the risk of being hacked. We are not recommending a password like “nif$g*u3ng64dsf7”, as a security expert would love, because we understand the frustration of remembering 20 passwords (a password manager removes that problem, and is the best answer for your most important accounts). We are advising that the next time you make a new password, especially for an important account, you add some complexity to it. Go back to your most important accounts, like your bank account, and add a few numbers and symbols. It will greatly help in reducing your risk.

For a FREE comprehensive Cybersecurity evaluation, CLICK HERE.

Buying Cyber Insurance Does Not Protect Your Organization From Hackers

Understand that purchasing Cyber Insurance does not protect your organization from hacking. It simply finances some, but not all, components of the loss. A recent report by cybersecurity company Barracuda found that Google-branded spear phishing attacks are up significantly since the start of 2020. These attacks only accounted for 4% of the total cyber attacks in 2020 so far. Barracuda reported over 100,000 form-based attacks since Jan 1, 2020; 65% of them were branded to look like a Google form. These Google-branded attacks are significantly more prevalent than attacks impersonating other brands. Microsoft was the 2nd most impersonated brand at 13% of the total spear-phishing attacks (2).

With 43% of all cyberattacks targeting small businesses (1), and attacks increasing by 73% since the pandemic, we encourage your company to build out “Operation Lockdown”. That’s what we called it at Metropolitan Risk after we read a Wall Street Journal article on how cybercriminals are increasingly attacking small businesses and holding their work files for ransom. Cybercriminals understand that many small and medium-sized businesses don’t have the focus, the budgets, or the staffing to defend against these cyber attacks. They are, in effect, low-hanging fruit and easy prey.

Further, many businesses are now even more vulnerable due to the recent shift of the workforce out of the physical office. This is because home networks aren’t secure: the data doesn’t sit behind a firewall and isn’t encrypted the way it is in the office. While newly remote employees were struggling to create routines and employers were focused on this new shift in workflows, cybercriminals knew the back door was unlocked.

Here are two really important concepts to understand, assuming we have your rapt attention with respect to the soft underbelly of your org. Understand that locking down your company from a cyberattack doesn’t guarantee that you won’t be hacked and won’t suffer damage. What it does do is significantly lower the probability that such an attack will be successful or cause much damage. A friend of mine, Nick Lagalante from Tenable Cyber Security, explains it this way: “Your goal is not to outrun the bear, your goal should be to outrun the slowest runners”. In essence, by making it more difficult to penetrate your systems and employees, you push cybercriminals to move on quickly and find a softer target.

Here’s the second big-picture item to understand: Cyber Insurance is NOT cyber risk management. Cyber insurance functions as a way to finance the loss you incurred from the hack. It’s a safety net for when Plan A (Operation Lockdown) fails. It should NEVER BE PLAN A. Here’s more good news. Once you have been hacked, the chances of you being hacked again go up exponentially. Insurance carriers know this, which is why Cyber Insurance policies increase significantly in cost once you have been hacked: the carriers’ exposure to loss increases if they decide to insure you!

This is why we built this case study on how we at Metropolitan Risk took this challenge on for ourselves. It’s not the holy grail of cybersecurity prevention, and we don’t want to lead you to believe it is. What our case study does is make you a bit faster than most of your competitors, who will suffer a hack and the corresponding costs that go with it. At Metropolitan Risk our goal is to keep you cost-efficient and cost-consistent. When you read our Case Study it gives you an idea of how to organize the challenge and address each item incrementally. The case study is only available to current Metropolitan Risk clients or potential prospects.

Last point, and this is a big one: you don’t have to figure all this out on your own. As a reminder, we built a Cyber Assessment for small to medium-sized businesses that assesses your current systems, protocols, and security measures. Upon completion, you get a report that gives you a green light for things you have done well, yellow for items that need to be tweaked, and red for let’s jump on this ASAP.

Then we suggest we get you a really solid cyber insurance policy as a Plan B, just in case. Our Cyber policies are 25% less expensive IF you execute our assessment and tackle the items in red.

How do you eat an Elephant? Piece by piece. CLICK HERE to sign up for our Cyber Assessment. 

Cyber Security Awareness Month

October is Cyber Security Awareness Month! 

Cybersecurity is one of the fastest-growing concerns for businesses, as many opportunities for growth within an organization have developed into fully remote positions. To celebrate Cybersecurity Awareness Month, we suggest having these conversations with your team:

Cybersecurity management starts with training your organization to recognize potential cyber threats. This year’s theme for Cybersecurity Awareness Month is Do Your Part. #BeCyberSmart

Follow our social media accounts for our updates throughout the month. If you need more information on cybersecurity or cyber liability insurance, contact a risk advisor at 914-357-8444. Remember, do your part. #BeCyberSmart.

Social Engineering: Meaning and Impact

Definition

Social engineering is the use of deception to extract sensitive personal information that can then be used for further purposes, such as bank fraud, account takeovers, or identity theft. Cyber hackers primarily use social engineering when attempting to steal information from online users who are unaware that an attack is underway. The main type is phishing: fraudulently fishing for people’s information online through malicious contact.

Importance of Social Engineering

So why is social engineering important? Well, it can impact any of us at any time. Think about this. Currently, hackers have software applications designed to get past firewalls and cybersecurity worth millions of dollars. However, hackers know technology is strict; a firewall will not listen or give up information easily, but humans will. So in a world of technology and hacking, hackers use human emotion and volatility as their main weapon. Hackers can work on the main target, or on those who directly know them, to get any sliver of personal information that can help them in their quest. This is why every cyber user (which is most if not all of us) needs to be aware of social engineering and its extreme dangers.


Impact of Social Engineering

Every day, cyber-attacks occur on users who never had the proper protection against the attack. Then, they lose precious financial or personal information to hackers. Social engineering will continue to happen and impact us as long as certain things remain constant: if users are still inputting too much personal info into websites that can be hacked at any time, if people remain unaware that they are releasing personal info about themselves or others to a hacker, or if their cyber liability coverage does not protect them or their company against social engineering.

An Example

The scariest part of social engineering is that sometimes the hackers never need to come in contact with the targeted account’s user at all. Once you give your personal information to a website like Facebook or Twitter, the social media company and all its employees with high-level access can access your data and sell it for profit.

In late July 2020, there was an aggressive Twitter hack. According to a WSJ article, a user named “Kirk” on a hacking forum claimed he was a Twitter employee who had gained access to many Twitter accounts and was selling them for $500-$10,000 an account, including the accounts of Joe Biden, Elon Musk, and others.

The problem with these social media companies is that, given the employees’ level of cyber knowledge, they give everyday employees who make normal salaries far too much access to the internal networks of the website. These employees can use that access for large-scale hacks like the one seen a week ago, or they can pass bits of information about different users’ accounts to hackers without the user ever knowing.

Social Engineering is a component of cyber liability coverage that is often overlooked by businesses in any industry. However, it should be a crucial component of any written policy regarding cyber liability protection, individually or company-wide. For more information, click here.