Tag Archives: Cyber Liability Insurance

Insurance that covers the one liable for a loss of sensitive cyber information.

Claims Management, Cyber Liability Insurance, Line of Insurance, Loss Control, Risk Management

Social Engineering: Meaning and Impact

Definition

Social Engineering is the means of deception to extract sensitive, personal information that can then be used for further purposes, such as bank fraud, account takeovers, or identity theft. Cyber hackers primarily use social engineering when attempting to steal information of online users unaware of a hack currently happening. The main type will include phishing which fraudulently fishing for people’s information online through malicious contact.

Importance of Social Engineering

So why is cyber engineering important? Well, it can impact any of us at any time. Think about this. Currently, hackers have software applications designed to override firewalls and cybersecurity worth millions of dollars. However, hackers know technology is strict; a firewall will not listen give up information easily, but humans will. However, in a world of technology and hacking, hackers use human emotion and volatility as its main weapon. Hackers can sue the main target or those who directly know them to get any sliver of personal information that can help them in their quest. This is why every cyber user (which is most to all of us) needs to be aware of social engineering and its extreme dangers.

/p>

Impact of Social Engineering

Every day, cyber-attacks occur on users without them ever having the proper protection against the attack. Then, they lose precious financial or personal information to hackers. Social engineering will continue to happen and impact us as long as certain things remain constant. If users are still inputting too much personal info into websites that can be hacked at any time. If people remain unaware of releasing personal info of themselves or others to a hacker. Or if their cyber liability coverage does not protect themselves or their company against social engineering.

An Example

The scariest part of social engineering is sometimes the hackers never need to come in contact with the targeted account’s user. Once you give your personal information to a website like Facebook or Twitter, the social media company and all its employees with high-level access can access your data and sell it for profit.

In late July 2020, there was an aggressive twitter hack, According to a WSJ article, a user named “Kirk” on a hacking forum claimed he was a twitter employee who had gained access to many twitter accounts and was selling them from $500-$10,000 an account, including Joe Biden, Elon Musk, and others.

The problem with these social media companies is due to the employees’ level of cyber knowledge they will give everyday employees who make normal amounts of money way too much access to the internal networks of its website. These employees can take this information used for large-scheme hacks like that seen a week ago. Or, they can give bits and information to hackers of different user’s accounts, without the user ever knowing.

Social Engineering is a component of cyber liability coverage that is often overlooked by businesses in any ndustry. However, it should be a crucial component of any written policy regarding cyber liability protection, individually or company-wide. For more information, click here.

Cyber Liability Insurance, Line of Insurance

12 Requirements For PCI-DSS Compliance

Online transactions have become commonplace for many companies across all lines of industry. With the rapid growth in acceptance of online payments, many companies underestimate or are not even aware of requirements to maintain Payment Card Information (PCI) Data Security Standard (DSS) compliance.

 

What is PCI-DSS?

 
Payment Card Information (PCI) Data Security Standard (DSS) is a security standard developed and maintained by the PCI Council. The PCI Security Standards Council (PCI SSC) is a global forum. Payment industry stakeholders develop and drive the adoption of data security standards and resources for safe payments worldwide. The primary purpose of PCI-DSS is the assist in securing the payment card network.

 
Photo courtesy of pcisecuritystandards.org
 
Having one’s own data stored is a necessity, but risky. Having third party data stored brings on a whole new aspect of risk which requires its own assessment and treatment. Data breaches are a regular occurrence to which we have become desensitized. Recognizing this, the need for PCI compliance has never been more paramount.

What are the 12 requirements of PCI DSS?

 
We know, hearing there are 12 requirements sounds daunting. First, dive into the list and you will find the company is complying with some of these without knowing it. Additionally, the tips below can serve as a starting point for a self-assessment.
 
 
  • Install and maintain a firewall configuration to protect cardholder data
 
  • Configure unique passwords and settings. Do not use vendor-supplied defaults for system passwords and other security parameters
 
  • Protect stored cardholder data
 
  • Encrypt transmission of cardholder data across open, public networks 
 
  • Use of anti-virus software or programs
 
  • Develop and maintain secure systems and applications
 
  • Restrict access to cardholder data by business need to know
 
  • Assign a unique ID to each person with computer access
 
  • Restrict physical access to cardholder data
 
  • Track all access to network resources and cardholder data
 
  • Test security systems and processes. Conduct vulnerability scans and penetration tests
 
  • Maintain a policy that addresses information security for all personnel. Constant documentation and risk assessment are a must!
 

What if Our Organization is Non-Compliant?

 
If your organization is in non-compliance with the PCI-DSS standards, you could be looking for trouble. Non-Compliance will be directed by your Payment Card Agreement (PCA) in force with the credit card company. Additionally, non-Compliance can result in penalties. Fines are imposed ranging from $5,000 to $100,000 per month by the Credit Card companies.
Next Steps
 
Meeting these requirements ensures your compliance. And also protects the company and its client base. Separate yourself from the competition. Give your clients peace of mind with the ability to stand behind PCI Compliant Practices. Contact one of our Risk Advisors to begin taking steps towards PCI DSS compliance and peace of mind.
Cyber Liability Insurance, Loss Control, Risk Management

What is Cyber Insurance and How Does it Work?

What is Cyber Insurance and How Does it Work?

With the vast majority of companies’ sensitive data being online, the vulnerability for data breaches is obvious, especially now that cybercriminals are becoming more tactical and clever with their hacking approach. These factors have played into the upbringing of cyber insurance, where companies can manage their risk by buying policies to cover potential losses from data breaches. However, there are many speed bumps that come with buying cyber insurance. These are the 6 main questions that come with buying cyber insurance.

  • How Do Companies Decide What They Want Covered?

Before companies fill out applications to buy cyber insurance, they first need to find where they need to be covered. To do this, they need to find where their highest risks of data breaches are located and how much they need to be covered in each part. Some companies use the likes of private, experienced network security specialists to figure out where they need to buy insurance.

What Prices do Brokers Charge for Cyber Insurance Premiums?

Usually, there are 3 or 4 main questions insurance companies ask potential insureds before pricing a cyber insurance premium:

First Question: Industry

  • What industry is your company in? Usually, insurers want to know what type of work your company does. This gives a clue to how much data you may be storing and how valuable that information may be. For example, an IT firm may have more quality and valuable information stored in their networks than a trucking company.

Profit

  • How much is your company’s annual revenue? More income from a company attracts more cyber-criminals to their information stored online.
    What kind of data do you have online and where? Insurers want to know where you are storing this data, and on how many different networks. Based on their judgment, the easier it is for cyber-criminals to extract this valuable information and more of it at once, the more the insurance premiums will cost.

Current Systems

  • How much security does your company have installed to protect your sensitive data? What kind of security protocols do you have in place other than insurance to protect your security? How much training do your employees have from professionals to keep phishing scams and ransomware at bay? These types of questions are frequently on insurance applications as the insurers can gauge two things. How seriously a company takes cyber-security? How much are companies willing to put into top-notch cyber-security in terms of people, money, time, and resources?

  • What Type of Claims/Cyber Attacks do Insurers Usually Keep Out of Policies?

Typically, insurance companies will not cover thighs such as preventable security breaches, cyber-attacks due to negligence to maintain proper cybersecurity, an employee mistake with sensitive information, or any attack from an employee within the company. Other than that, there are other policies that may or may not be excluded, it is up to the individual broker for how much, if at all, they want to cover that policy.

  • So if the Company/Insured is Liable for any Breach, they Will Not be Covered?

In some cases, this is true, but not in every situation. An insurer may not cover an employee mishandling sensitive information, but the insurer may cover a simple mistake. This may include losing a device with information on it or losing information due a phishing scam. Every situation is different, and that is why insurers investigate every claim thoroughly. This is especially in cyber security as there may not be any physical evidence.

  • Speaking of Liability, What Constitutes First-party Liability vs. Third-Party Liability?

The difference between the two is who actually loses the data and who is actually responsible for the losses. In first party-liability policy, the insured is covered for any data breach they are liable for within their open company. To make it simple, if a company had their own sensitive information stolen and had a first-party liability policy, they would be covered. This is different from third-party liability, which is coverage for an insured that is liable for the data breach of information kept by another person or company. For example, if an IT company makes their money by creating private networks and software and encryption programs to protect their client’s private information, they may buy third-party liability. In this case, if their client has their data hacked, the IT company is liable. But third-party liability may cover them.

  • Not All Companies Know They’ve Been Hacked Instantly. When do Companies say that Their Coverage for a Specific Claim has Expired?

This is up to the insurers to determine when they feel it is within the proper scope of time after the insureds REALIZED the hack. This is important because it is not when the hack or attack actually occurs, since it may take a small-market company over 200 days to realize their systems are compromised. Insurers go by when the insurers have figured out they had lost sensitive data and information, and the timeline begins on that date. Insurers know that the first thing on companies minds is not to file a claim. Companies want to figure out the exact damages, enforce accountability, and re-secure/change the data security program first. Then, many companies will file a claim within a reasonable time frame. Most insurance brokers say about 6 months before carriers hand down warnings and coverage for that claim expires.

To Conclude

With cyber-attacks increasing significantly in the last 2 years through Ransomware and Business Email Compromises (BEC), having your data not only protected but insured is crucial in today’s modern corporate environment. Hopefully, these tips have helped with the frequently asked questions about the confusing intricacies of cyber insurance.

 

For more information about Cyber Liability Insurance contact a Risk Advisor or call 914-357-8444.

General Liability Insurance, Other

Conducting An Organization Wide Phishing Test

Remote operation of your business means that protections your office building had, your employees’ homes may not. Cybercriminals are taking advantage of this situation by phishing out your employees’ data. Take the time to educate your employees on cyber safety. This safety training needs to expand beyond just email safety but also include cyber safety within the office. 

How To Conduct An Organization-Wide Phishing Test: 

Notify and train your employees on what phishing is:

If you don’t notify your employees how are they going to know what is going on? Let your employees know that you will be conducting an organization-wide phishing test. Teach your employees about the risks of phishing and how they can be better at recognizing the signs and stuff. 

Employees need to know that phishing is more than a link asking for login credentials. Phishing scams can an email sent company-wide from an unknown sender containing an attachment that is actually malware. 94% of malware was delivered via email in 2018. 

During this initial training session, define your organization’s cybersecurity expectations. Your employees can’t read your mind. Communication from management and the IT staff can help with educating your employees on cybersecurity best practices. 

 

READ MORE: Phishing Attacks Can Jeopardize A Business Of Any Size

 

Engage all relevant departments and managers on why phishing is a threat to your organization

Work closely among staff members such as managers, HR, and IT to develop and engage an organization-wide cybersecurity plan. If customer service is leaving the door open at the end of the day, your engineering department might be at risk for a cyber attack. 

Create an alias email account for your employees to report potential phishing scams.

An alias email allows for your organization to streamline your phishing reporting. The alias email address can be as simple as “Phishing@yourcompanysite.com”. This email address can redirect to the IT department or whoever is in charge of the network. 

This email address will allow your employees to forward the scam email right to an internal IT log specific for Phishing instead of going to the IT team and getting lost among other technical issues like website problems or a lost password. 

READ MORE: What You Can Do To Protect Your Business From Cyber Security Threats

 

Plan your phishing test

Plan to test your entire organization to see if there are any weak links in your cybersecurity. This means including senior management in your phishing test. To plan your phishing test, you can hire a 3rd party contractor to run the test and then measure things like link clicks,  which employees leaked information, the number of employees who reported a phishing email. 

 

 

 

Analyze important key metrics  

After running a phishing test, work with IT staff members and team managers to analyze key metrics. 

Key Metrics to keep track: 

  • The number of employees who click the link in the testing email
  • Number of employees who download a file from the unknown email address
  • The number of employees who report a phishing email to your IT staff or their manager. 

Take Action With Employees Who Failed The Test

Is there a portion of your staff who have continuously failed cybersecurity tests? Sit down with HR and IT to see what measures you can take to further educate and protect your business.  Work with HR to develop a plan for employee failure on every level. A breach in security is not a joke, but a high-level employee releasing admin information is a more serious offense than a low-level employee who only has access to email. 

Provide Your Entire Organization With Additional Information on Cybersecurity 

All of your employees can benefit from additional information on cybersecurity. Educate your employees on best practices to keep both business information and private information safe from hackers. This can include resources on different types of anti-viral software, best practices for end of day 

 

READ MORE: Ransomware is Evolving: Has Your Business Interruption Coverage? 


Retest Your Organization 

Test, test, and then test again to make that your organization understands what is at risk with their unsafe digital activity. Every 6-months to 1 year, a random phishing test should be sent out throughout your organization. This consistent retesting keeps employees on their toes and helps employers determine which employees may be at risk of falling prey to an outside phishing attempt. 

 

 

Still want more info on how your organization can better protect itself from cybercriminals? Contact one of our risk advisors at 914-357-8444. 

Resources

2019 Data Breach Investigation Report by Verizon

 

Cyber Liability Insurance, Line of Insurance, Loss Control, Practice Groups, Risk Management

Business Interruption and Ransomware

Ransomware is a type of malware designed to deny access to a person’s computer unless they pay the hacker ransom. The NY Times reports that these attacks have grown over the past year with a 41 percent increase in 2019. Ransomware attacks are a growing problem, not only in the severity of the attack but the duration of time an organization is under attack. Also, the time lost from the point of the attack to the backup security.

 

Cybercrime continues to evolve with the changes in technology. Ransomware attacks have always targeted organizations with lax cybersecurity. Today cyber criminals can embed ransomware onto an organization’s server or website and the ransomware can lay dormant on a machine/server for months while collecting data on the organization.  

 

Business owners should take the time to understand their coverage in their business interruption policies. Since ransomware attacks are becoming easier for cybercriminals to execute, business owners should look into fortifying their digital assets and make sure that they have Business Interruption Coverage in the event their business is attacked. It is scary to think that nothing can be done when faced with a cyberattack, but being prepared for the potential loss revenue/income during downtime due to an attack is just as important as preemptively assessing what cybersecurity measures your organization has in place. 

 

Business Interruption Coverage

Business interruption coverage is only going to help your organization regain some of the financial loss that will occur with a security breach. It is a response to an incident that has occurred, not a proactive approach to stopping a breach from occurring.  Without business interruption coverage your organization would not be able to report a claim to help rebuild your business’s lost data. Business interruption insurance covers any income lost due to a disaster, in this case, a disaster would be a ransomware attack or any other type of cyber attack. 

A Proactive Approach

Recognizing weak spots in your organization’s cybersecurity is one way to proactively protect your organization from cyber-attacks. Digital has become the new normal. Taking a few extra steps will protect your business assets and save your organization by avoiding a cyber-attack. A few things for your organization to consider are:

  • Select trusted and reputable telecommunication & telework software for your organization. With more organizations moving to remote work, there has been an uptick in fake telework companies.
  • Keep an eye out for Business Email Compromise (BEC). This type of compromise can be associated with fake new clients & phishing schemes targeting your employee’s personal data like business logins and banking information.
  • Use multi-factor authentication when accessing organization sites, resources and files. We previously released an article with our suggestions to prevent SIM-Hacking. Click here to read the guide and learn more about multi-factor authentification.
  • Ensure all computers & mobile devices have up to date antivirus software installed. Keep all software up to date, including website plugins, browsers, and document readers.
  • Don’t open attachments or click links within emails received from unknown senders.

 

Cybersecurity Measures To Take

Another thing an organization does is make sure your employees have the training to recognize ways that criminals attack. Ransomware doesn’t just end up on a server. They place it there through downloaded files or phishing websites.

Train your employees to recognize the signs of a phishing attack. Regularly schedule phishing tests to test whether your employees are practicing safe internet behavior. 

 

Still have questions? Still want more info? Take the proactive approach and contact a risk advisor or call 914-357-8444 to discuss how your organization can protect itself from a ransomware attack and ensure that your organization has business interruption coverage to protect yourself if an attack occurs. 

Cyber Liability Insurance

Phishing Attacks: Know the Signs!

Beware of Phishing!!!

Hackers will start with low-level employees first, making their way to executives’ accounts.

Hackers are constantly trying to find ways to hack into company accounts. They start off by sending trust-worthy emails to their employees, directing them to a scam website where they ask for them to input their username or password. Once the hacker is able to access the employee’s account, they are able to move towards sending phishing emails to higher-positioned employees, which can potentially compromise the company. 

With this access, they are able to leverage the company’s domain and send emails to others. Scammers compile phishing attacks by jeopardizing small, vulnerable businesses and compromising their trust with business partners that they work with. 

 

In phishing, it’s all about gaining the trust of the recipient, so that they click on it. 

 

There is another phishing scheme that resurfaced called “typosquatting”, or URL hijacking. With this, attackers buy domains that are slightly misspelled of popular websites, like goggle.com or yuube.com. “Spear phishers”, another term for hackers, can sometimes put in various amounts of effort into targeting a specific person. Hackers try a number of different things like creating multiple misleading webpages/websites, create fake social media pages, or fake personal blogs to trick their targets. They create these fake sites that mimic the login screens of trusted services, to get information like email addresses & passwords. 

Sophisticated hackers are willing to sell their services to specific organizations, individuals, or nation-state entities who want to steal information from someone. Some phishing providers offer networks of bots that produce fake websites, while others sell phishing toolkits to clients. 

 

Signs you’ve received phishing emails and how to Spread Awareness:

Check the Web address! Just because the address looks OK, don’t assume you’re on a legitimate site. Look in your browser’s URL bar for these signs that you may be on a phishing site: 

  • Always confirm the sender’s email. Sometimes the sender email will look legitimate until you actually click on it. When clicking on the email, you will see if the sender is actually coming from the website stated as shown. 
  • Incorrect company name. Often the web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look for tricks such as substituting the number “1” for the letter “l” in a Web address (for example, www.paypa1.com instead of www.paypal.com).
  • “http://” vs. “https://”  at the start of the address on Yahoo sign-in pages. A legitimate Yahoo sign-in page address starts with “https://” ― the letter “s” must be included. So check the website address for any Yahoo sign-in page.
  • Be leery of pop-ups. Be careful if you’re sent to a website that immediately displays a pop-up window asking you to enter your username and password. Phishing scams may direct you to a legitimate website and then use a pop-up to gain your account information.
  • Give a fake password. If you are not sure if a site is authentic, don’t use your real password to sign in. If you enter a fake password and appear to sign in, you’re likely on a phishing site. Do not enter any more information; close your browser. Keep in mind, though, that some phishing sites automatically display an error message regardless of the password you enter. So, just because the website rejected your fake password, don’t assume the site as legitimate.
  • Use a Web browser with anti-phishing detection. Internet Explorer, Google Chrome, & Web browsers other have free add-ons (or “plug-ins”) that can help you detect phishing sites.

 

For more information about Phishing & preventing a cyber-attack contact a Risk Advisor or call (914)-357-8444