Insurance that covers loss of cyber information. There are thousands of different types of cyber insurance, making it near impossible to fully cover yourself from cyber attacks without managing risk by putting security of sensitive information.
Technology consultant firm Cognizant fell victim to cyber-attacks caused by a ransomware attack last April. The hack disrupted thousands of employees from accessing networks from their home during quarantine. Clients also disallowed Cognizant to use their networks in case of further breach, causing major revenue and clientele loss.
Cognizant losses total $50-$70 million in lost sales, higher premiums, and defense/legal costs. Without cyber insurance however, the losses would be catastrophic.
Cognizant had out extensive money into cyber insurance premiums with multiple carriers. Insurance insider reports this investment turned out to be a good decision as they earned $400 million in cash reserves from their carriers, another huge loss for carriers in the cyber market. Carriers have been hard with higher loss ratios and claims frequency in the cyber market recently.
What is the overarching message? Right now, allocating resources towards cyber protection is no longer recommended but required. Cyber insurance of some form is necessary to protect against ransomware attacks and saving your company millions. However, insurance is not the only resource that needs investment. There is no way to fully protect yourself against cyber attacks with just insurance. We recommend proper employee training, duel-factor password authentication, and data encryption software.
Stay ahead of the curve and protect your company’s invaluable data. Invest properly and do not be afraid to spend a little extra for full protection. The premiums upfront may prove cheaper in the long run.
Still have questions? Contact a risk advisor today at 914-357-8444 or visit our website here.
Buying Cyber Insurance Does Not Protect Your Organization From Hackers
Understand that purchasing Cyber Insurance does not protect your organization from hacking. It simply finances pieces of the loss. A recent report by cybersecurity company Barracuda reported that Google-branded Spear Phishing attacks are up significantly since the start of 2020. These attacks only accounted for 4% of the total cyber attacks in 2020 so far. Barracuda reported over 100,000 form based attacks since Jan 1. 2020, 65% of them were branded to look like a Google form. These Google-branded attacks are significantly more prevalent than other branded competitor attacks. Microsoft was the 2nd most impersonated account at 13% of the total spear-phishing attacks (1).
With 43% of all cyberattacks targeting small businesses (2), and the attacks increasing by 73% since the pandemic we encourage your company to build out a cybersecurity plan. At Metropolitan Risk we called our initiative “Operation Lockdown” after we read a Wall Street Journal article on how cybercriminals are increasingly attacking small businesses and holding their work files for ransom. Cybercriminals understand that many small and medium-sized businesses haven’t the focus, the budgets, and the staffing to defend against these cyber attacks. They are in effect low hanging fruit and easy prey.
How is your Company Vulnerable?
Further many businesses now are even more vulnerable due to the recent mobilization of the workforce from the physical office. This is because home networks aren’t secure, the data doesn’t sit behind a firewall or is not encrypted like in the office. While newly remote employees were struggling to create routines, employers focusing on this new shift in workflows, cybercriminals know the back door is unlocked.
Here are two really important concepts to understand assuming we have your rapt attention with respect to the soft underbelly of your org. Understand that locking down your company from a cyberattack doesn’t guarantee that you won’t be hacked and won’t suffer damage. What it does do is significantly lower the probability that such an attack will be successful or cause much damage. A friend of my Nick Lagalante from Tenable Cyber Security explains it this way. “Your goal is not to outrun the bear, your goal should be to outrun the slowest runners”. In essence, by making it more difficult to penetrate your systems and employees, cybercriminals should in effect move on quickly.
Here’s the second big picture item to understand; Cyber Insurance is NOT cyber risk management. Cyber insurance functions as a way to finance the loss you incurred from the hack. It’s a safety net when plan A (Operation Lockdown) fails. Cyber Insurance should NEVER BE PLAN A. Here’s more good news. If you’ve been hacked, the chances of you being hacked again are exponentially higher. Insurance carriers know this which is why the Cyber Insurance policies increase significantly in cost once you have been hacked as the carriers’ exposure to loss increases if they decide to insure you!
This is why we built this case study on how at Metropolitan Risk took this challenge on for ourselves. It’s not the holy grail of cybersecurity prevention, and we don’t want to lead you to believe it is. What our case study does do is make you a bit faster than most of your competitors who will suffer a hack and the corresponding costs that go with it. At Metropolitan Risk our goal is to keep you cost-efficient and cost consistent. When you read our Case Study it gives you an idea of how to organize the challenge, and address each item incrementally.
The last point, this is a big one. You don’t have to figure all this out on your own. As a reminder, we built a full-on Cyber Assessment built for small to medium-sized businesses that assess your current systems, protocols, and security measures. Upon completion, you get a report that gives you a green light for things you have done well, yellow for items that need to be tweaked, and red for let’s jump on this ASAP.
Then we suggest we get you a really solid cyber insurance policy as a Plan B just in case. Our cyber polices are 25% less expensive IF you execute our assessment and tackle the items in red.
How do you eat an Elephant? Piece by piece. CLICK HERE to take the Cyber Assessment.
Remote operation of your business means that protections your office building had, your employees’ homes may not. Cybercriminals are taking advantage of this situation by phishing out your employees’ data. Take the time to educate your employees on cyber safety. This safety training needs to expand beyond just email safety but also include cyber safety within the office.
How To Conduct An Organization-Wide Phishing Test:
Notify and train your employees on what phishing is:
If you don’t notify your employees how are they going to know what is going on? Let your employees know that you will be conducting an organization-wide phishing test. Teach your employees about the risks of phishing and how they can be better at recognizing the signs and stuff.
Employees need to know that phishing is more than a link asking for login credentials. Phishing scams can an email sent company-wide from an unknown sender containing an attachment that is actually malware. 94% of malware was delivered via email in 2018.
During this initial training session, define your organization’s cybersecurity expectations. Your employees can’t read your mind. Communication from management and the IT staff can help with educating your employees on cybersecurity best practices.
Engage all relevant departments and managers on why phishing is a threat to your organization
Work closely among staff members such as managers, HR, and IT to develop and engage an organization-wide cybersecurity plan. If customer service is leaving the door open at the end of the day, your engineering department might be at risk for a cyber attack.
Create an alias email account for your employees to report potential phishing scams.
An alias email allows for your organization to streamline your phishing reporting. The alias email address can be as simple as “Phishing@yourcompanysite.com”. This email address can redirect to the IT department or whoever is in charge of the network.
This email address will allow your employees to forward the scam email right to an internal IT log specific for Phishing instead of going to the IT team and getting lost among other technical issues like website problems or a lost password.
Plan to test your entire organization to see if there are any weak links in your cybersecurity. This means including senior management in your phishing test. To plan your phishing test, you can hire a 3rd party contractor to run the test and then measure things like link clicks, which employees leaked information, the number of employees who reported a phishing email.
Analyze important key metrics
After running a phishing test, work with IT staff members and team managers to analyze key metrics.
Key Metrics to keep track:
The number of employees who click the link in the testing email
Number of employees who download a file from the unknown email address
The number of employees who report a phishing email to your IT staff or their manager.
Take Action With Employees Who Failed The Test
Is there a portion of your staff who have continuously failed cybersecurity tests? Sit down with HR and IT to see what measures you can take to further educate and protect your business. Work with HR to develop a plan for employee failure on every level. A breach in security is not a joke, but a high-level employee releasing admin information is a more serious offense than a low-level employee who only has access to email.
Provide Your Entire Organization With Additional Information on Cybersecurity
All of your employees can benefit from additional information on cybersecurity. Educate your employees on best practices to keep both business information and private information safe from hackers. This can include resources on different types of anti-viral software, best practices for end of day
Test, test, and then test again to make that your organization understands what is at risk with their unsafe digital activity. Every 6-months to 1 year, a random phishing test should be sent out throughout your organization. This consistent retesting keeps employees on their toes and helps employers determine which employees may be at risk of falling prey to an outside phishing attempt.
Still want more info on how your organization can better protect itself from cybercriminals? Contact one of our risk advisors at 914-357-8444.
Ransomware is a type of malware designed to deny access to a person’s computer unless they pay the hacker ransom. The NY Times reports that these attacks have grown over the past year with a 41 percent increase in 2019. Ransomware attacks are a growing problem, not only in the severity of the attack but the duration of time an organization is under attack. Also, the time lost from the point of the attack to the backup security.
Cybercrime continues to evolve with the changes in technology. Ransomware attacks have always targeted organizations with lax cybersecurity. Today cyber criminals can embed ransomware onto an organization’s server or website and the ransomware can lay dormant on a machine/server for months while collecting data on the organization.
Business owners should take the time to understand their coverage in their business interruption policies. Since ransomware attacks are becoming easier for cybercriminals to execute, business owners should look into fortifying their digital assets and make sure that they have Business Interruption Coverage in the event their business is attacked. It is scary to think that nothing can be done when faced with a cyberattack, but being prepared for the potential loss revenue/income during downtime due to an attack is just as important as preemptively assessing what cybersecurity measures your organization has in place.
Business Interruption Coverage
Business interruption coverage is only going to help your organization regain some of the financial loss that will occur with a security breach. It is a response to an incident that has occurred, not a proactive approach to stopping a breach from occurring. Without business interruption coverage your organization would not be able to report a claim to help rebuild your business’s lost data. Business interruption insurance covers any income lost due to a disaster, in this case, a disaster would be a ransomware attack or any other type of cyber attack.
A Proactive Approach
Recognizing weak spots in your organization’s cybersecurity is one way to proactively protect your organization from cyber-attacks. Digital has become the new normal. Taking a few extra steps will protect your business assets and save your organization by avoiding a cyber-attack. A few things for your organization to consider are:
Select trusted and reputable telecommunication & telework software for your organization. With more organizations moving to remote work, there has been an uptick in fake telework companies.
Keep an eye out for Business Email Compromise (BEC). This type of compromise can be associated with fake new clients & phishing schemes targeting your employee’s personal data like business logins and banking information.
Use multi-factor authentication when accessing organization sites, resources and files. We previously released an article with our suggestions to prevent SIM-Hacking. Click here to read the guide and learn more about multi-factor authentification.
Ensure all computers & mobile devices have up to date antivirus software installed. Keep all software up to date, including website plugins, browsers, and document readers.
Don’t open attachments or click links within emails received from unknown senders.
Cybersecurity Measures To Take
Another thing an organization does is make sure your employees have the training to recognize ways that criminals attack. Ransomware doesn’t just end up on a server. They place it there through downloaded files or phishing websites.
Train your employees to recognize the signs of a phishing attack. Regularly schedule phishing tests to test whether your employees are practicing safe internet behavior.
Still have questions? Still want more info? Take the proactive approach and contact a risk advisor or call 914-357-8444 to discuss how your organization can protect itself from a ransomware attack and ensure that your organization has business interruption coverage to protect yourself if an attack occurs.
Hackers will start with low-level employees first, making their way to executives’ accounts.
Hackers are constantly trying to find ways to hack into company accounts. They start off by sending trust-worthy emails to their employees, directing them to a scam website where they ask for them to input their username or password. Once the hacker is able to access the employee’s account, they are able to move towards sending phishing emails to higher-positioned employees, which can potentially compromise the company.
With this access, they are able to leverage the company’s domain and send emails to others. Scammers compile phishing attacks by jeopardizing small, vulnerable businesses and compromising their trust with business partners that they work with.
In phishing, it’s all about gaining the trust of the recipient, so that they click on it.
There is another phishing scheme that resurfaced called “typosquatting”, or URL hijacking. With this, attackers buy domains that are slightly misspelled of popular websites, like goggle.com or yuube.com. “Spear phishers”, another term for hackers, can sometimes put in various amounts of effort into targeting a specific person. Hackers try a number of different things like creating multiple misleading webpages/websites, create fake social media pages, or fake personal blogs to trick their targets. They create these fake sites that mimic the login screens of trusted services, to get information like email addresses & passwords.
Sophisticated hackers are willing to sell their services to specific organizations, individuals, or nation-state entities who want to steal information from someone. Some phishing providers offer networks of bots that produce fake websites, while others sell phishing toolkits to clients.
Signs you’ve received phishing emails and how to Spread Awareness:
Check the Web address! Just because the address looks OK, don’t assume you’re on a legitimate site. Look in your browser’s URL bar for these signs that you may be on a phishing site:
Always confirm the sender’s email. Sometimes the sender email will look legitimate until you actually click on it. When clicking on the email, you will see if the sender is actually coming from the website stated as shown.
Incorrect company name. Often the web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look for tricks such as substituting the number “1” for the letter “l” in a Web address (for example, www.paypa1.com instead of www.paypal.com).
“http://” vs. “https://” at the start of the address on Yahoo sign-in pages. A legitimate Yahoo sign-in page address starts with “https://” ― the letter “s” must be included. So check the website address for any Yahoo sign-in page.
Be leery of pop-ups. Be careful if you’re sent to a website that immediately displays a pop-up window asking you to enter your username and password. Phishing scams may direct you to a legitimate website and then use a pop-up to gain your account information.
Give a fake password. If you are not sure if a site is authentic, don’t use your real password to sign in. If you enter a fake password and appear to sign in, you’re likely on a phishing site. Do not enter any more information; close your browser. Keep in mind, though, that some phishing sites automatically display an error message regardless of the password you enter. So, just because the website rejected your fake password, don’t assume the site as legitimate.
Use a Web browser with anti-phishing detection. Internet Explorer, Google Chrome, & Web browsers other have free add-ons (or “plug-ins”) that can help you detect phishing sites.
For more information about Phishing & preventing a cyber-attack contact a Risk Advisor or call (914)-357-8444
Ordering a pizza, listening to music, getting a mortgage. All are examples of normal activities that have adapted with the emergence of computers. It is no wonder that insurance has also taken part in this advancement into the new era. However, this new, innovative idea that combines insurance with computers holds a name that the average person may find overwhelming and hard to understand: cyber insurance. On the surface, cyber insurance is very similar to most other insurance. Carriers take on your risk for a price in order to limit your losses in a case regarding cyberspace. However, since this is new, there are a lot of questions about coverage and how to purchase a plan.
Cyber Policies
Cyber attacks can cripple a company as so much of a business is done through computers these days. For that reason, it is imperative that companies become acquainted with cyber insurance, as it will cover against these devastating hits. Cyber insurance mitigates the risk involved with doing online business which allows for companies to take part in a new growth area while still being protected against the heightened risks involved with doing business online. It is also important to understand what each policy covers as there are some pretty complex rules that carriers follow when determining their exposure to certain events.
With a whole new category of insurance in place, it is important for businesses to understand what exactly is incorporated into their cost of insurance premiums, so they can take the resulting steps to reduce these costs as much as possible. A few factors that affect a cyber insurance premium are annual revenue, industry, and network security. So although cyber insurance will be an additional cost incurred for a company, there are ways to reduce this cost while still reaping the benefits of diminished risk surrounding cyberspace. Even with this additional cost, it still makes sense to take advantage of this new insurance. Hacking can disrupt business dramatically while causing costs to skyrockets and the company’s reputation to plummet.
FAQs
What needs to be covered?
It is important to understand what the biggest risk areas are. After determining the largest risk areas based on potential reputation damage, restoration costs, and reimbursement from regulatory fines, it would be logical to cover as much as possible starting with the largest risk areas.
What are the different types of cyber liability insurance?
Cyber liability insurance falls into two main categories: first-party and third-party. First-party insurance covers the holder’s direct losses from cyberattacks while third-party insurance covers companies that allowed a client network to experience a data breach. Some things that first-party insurance would cover include data theft, compensation for lost income, costs of notifying customers, and the cost of repairing a company’s reputation. An example of third-party coverage would be the following. A company made a website for another company and hacker took over the website. The creating company might receive legal fees and compensation for settlements or damages in court cases.
Exclusions of cyber incidents from coverage?
There are a few issues that most providers don’t include in coverage. Some of these include cyber issues resulting from failure to maintain a minimum level of cybersecurity, the careless mishandling of sensitive information, and malicious acts by employees. All of these examples should be avoidable through careful management and decision making.
In the case that it’s the company’s fault, do insurers still pay?
The short answer is that it depends on the situation and policy. Depending on what the coverage agreement is, insurers may still cover issues that are the company’s fault.
How long does a company have to report the breach?
Insurance companies like for companies to report the breach when practical. They understand it might take time as a company’s first priority may be to fix the problem. They also know they may need to provide clarity to all affected. However, the insurance company might become concerned if the issue is reported a long time after it is discovered as that might come off as fishy and affect the settlement deal.
Pricing of cyber insurance?
The main factor in pricing cyber insurance is the company’s annual revenue, as more revenue correlates to higher risk exposure. In addition to revenue, insurance companies also look at industry type. It is important how much network security there is in order to price insurance premiums.
For more information book time with Risk Advisorsor call 914-357-8444
In a business world taking advantage of all that new and advanced technology has to offer, it might be easy to forget the vulnerability associated with displaying so much private and valuable information on accessible sites. As with all types of risk, data information leakage will drive up your company’s costs due to the actual loss in value of leaked information or a failure to meet data protection requirements mandated by the state. Companies that use online resources can reduce this inevitable increase in their unfunded exposure by utilizing cyber liability insurance.
One of the primary costs concerning data breaches is notifying affected users of a hacked online resource. The cost of maintaining a data breach notification system can be very high and has only increased since the escalation of hacking in recent years. Without cyber liability insurance, a company is liable for all of the costs associated with creating and maintaining a breach alert system.
One might ask why this system is necessary? 46 out of 50 states have mandatory requirements for data breach notification (Contact a Risk Advisor for information into your state’s particular mandates). Furthermore, a notification system markets your company as reliable, so that your customers and everyone whom you work with can trust the online resources that you provide. Cyber liability insurance can cover a significant amount of the expenses associated with maintaining an alert system and can help your company reinvest those saved dollars into other business operations.
