Tag Archives: cybersecurity

Cyber security is the protection of sensitive cyber information.

Data Privacy Day

What is Data Privacy Day, and why is it important to your organization?

Data Privacy Day is January 28th. It commemorates the signing of Convention 108 in 1981, the first international treaty governing the protection of users’ personal data, and it has been observed every year on the anniversary of that signing; the National Cyber Security Alliance (NCSA) encourages individuals and businesses to take part.

The National Cyber Security Alliance encourages individuals to take action and “Own Your Privacy” by learning how to protect their important data online. Businesses are encouraged to respect an individual’s privacy, and organizations are held responsible for keeping an individual’s information safe and ensuring fair data processing.

Businesses encouraged to “Respect Privacy”

Individual Data Privacy

Individuals are starting to feel they are no longer in control of their own personal data. They can learn about the kind of data they create online: how that data is collected, shared, used and stored on the web.

Your personal data is valuable. Do you know what information you’re sharing with businesses? Sales history, IP address, your location: these are of tremendous value to businesses. Make smart choices when sharing data with businesses that ask for personal data.

Keep track of which apps are asking for access to your information. Apps ask for access to your location, contact lists and photo album, or to connect to other apps. Be thoughtful about which apps ask for permission to personal data when the services they offer do not require it; many apps will ask for permission to data they don’t need for you to use their services.

Manage your privacy settings across all platforms. Check the privacy and security settings on the web and in all apps, then set them to your comfort level for how much you want to share, and what.

Business Data Privacy

Businesses have to respect consumers’ privacy because it is a smart tactic for gaining trust and enhancing reputation/growth in the business. Here are some tips on respecting privacy as a business.

Protect the data you collect. An intentional or unintentional release of confidential information to an untrustworthy party leads to financial loss, a decrease in customer trust and a loss of reputation. Make sure the private data you collect is processed in a fair manner and is collected only for appropriate purposes.

Conduct a cyber risk assessment. Understand which privacy rules apply to your business and educate your employees to protect personal information. At Metropolitan Risk we offer a comprehensive cyber risk assessment to help your organization create a strong cybersecurity plan.

Maintain data transparency. Be open and honest about how you collect, share and use consumers’ private information, and let your audience know that you take the proper steps to achieve and maintain privacy.

Sustain oversight of what data your partners & vendors are using and how they manage it. If another partner provides services on behalf of your organization, you are also responsible for how these vendors/partners collect & use your customers’ personal data.

If you would like more information on how to keep your personal data safe and secure, contact one of our Risk Advisors today or call 914-357-8444.

Risk of a Common Password and Ways to Avoid it (Infographic Inside)

Using a common password leaves your organization’s accounts at risk of attack by cybercriminals, so password protection should be a major component of your organization’s cybersecurity plan. The risk of a common password is tremendous, and you should avoid having one at all costs.


Did you know:

  • 4.7% of users have the password “password”;
  • 8.5% use “password” or “123456”;
  • 9.8% use “password”, “123456” or “12345678”;
  • 14% have a password from the top 10 passwords used;
  • 40% have a password from the top 100 passwords used;
  • 79% have a password from the top 500 passwords used;
  • 91% have a password from the top 1,000 passwords used.

What does this tell you? Think twice before you make “abcdef” your next password. According to a study from SecurityCoverage Inc., if a password contains just six lowercase letters, especially if it’s a common word or combination, a cyber-thief can figure it out in 10 minutes!

However, making a six-character password that includes numbers AND symbols boosts complexity enough that a skilled hacker would need 16 days to break it, the study found, a task that is most likely not worth the hacker’s time.

Some sites now require a password with at least one uppercase letter, one number and perhaps a symbol as well. This is a step in the right direction, even if it makes remembering your password a little tougher. A simple, easy-to-remember example would be “Money17$”.

The real security, of course, comes from those dreaded passwords that are generated for you. They are longer, at least 8 characters, with letters, numbers and symbols in random order, and they are nearly impossible to remember. However, an eight-character password of random letters, numbers and symbols will take 463 years to break according to the same study. Nine random characters will take a whopping 44,530 years.

“People are careless because they don’t understand the threat,” said Ed Barrett, VP of marketing for SecurityCoverage. LinkedIn was compromised in June and had 6.5 million passwords leaked. Yahoo had 6 million passwords stolen as well.

Another important consideration: don’t use the “show typing” function as you type your passwords. Many hackers don’t bother cracking passwords at all, but instead infect your employees’ computers with a virus that records their keystrokes, and thus their passwords.

The fact is, you can either use strong, complex passwords and have trouble remembering them, or use simple, weak passwords and run the risk of being hacked. We are not recommending a password like “nif$g*u3ng64dsf7”, as a security expert would love, because we understand the frustration and hassle of remembering 20 passwords. We are advising that the next time you make a new password, especially for an important account, you add some complexity to it. Go back to your most important accounts, like your bank account, and add a few numbers. It will greatly help in reducing your risk.
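As an added example (not code from the original post or from SecurityCoverage), the Python script below shows the arithmetic behind the figures above: an exhaustive guesser must cover pool size to the power of the password length, so adding character classes helps and adding length helps far more. It also runs the kind of common-password check the statistics above argue for. The guess rate of 10 million per second, the 32-character symbol pool and the five-entry common-password list are assumptions constructed for the example; the times it prints are illustrative and are not the study’s numbers.

```python
"""Password search-space estimator with a common-password check.

Added example: not code from the original post or from SecurityCoverage.
The guess rate, the 32-character symbol pool and the five-entry
common-password list are constructed assumptions for illustration.
"""
import string

# Assumed character pools; string.punctuation holds 32 printable symbols.
POOLS = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "symbol": frozenset(string.punctuation),      # 32
}

# Constructed stand-in for a breach-derived "top N passwords" list.
COMMON_PASSWORDS = frozenset({"password", "123456", "12345678", "abcdef", "qwerty"})


def character_classes(password):
    """Names of the pools that appear at least once in the password."""
    return {name for name, chars in POOLS.items() if any(c in chars for c in password)}


def search_space(password):
    """Candidates an exhaustive attacker must cover: pool size ** length."""
    pool = sum(len(POOLS[name]) for name in character_classes(password))
    return pool ** len(password)


def expected_crack_seconds(password, guesses_per_second):
    """Expected time to hit the password by exhaustive search (half the space)."""
    return search_space(password) / 2 / guesses_per_second


def assess(password, guesses_per_second=10_000_000):
    """Policy findings a defender would report, plus the size figures."""
    classes = character_classes(password)
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("on the common-password list")
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if len(classes) < 3:
        findings.append("fewer than 3 character classes")
    return {
        "length": len(password),
        "classes": sorted(classes),
        "search_space": search_space(password),
        "expected_seconds": expected_crack_seconds(password, guesses_per_second),
        "findings": findings,
    }


if __name__ == "__main__":
    for candidate in ("password", "abcdef", "Money17$", "nif$g*u3ng64dsf7"):
        report = assess(candidate)
        years = report["expected_seconds"] / (365 * 24 * 3600)
        print(f"{candidate:18} classes={len(report['classes'])} "
              f"space=2**{report['search_space'].bit_length() - 1} "
              f"~{years:.2e} years  {'; '.join(report['findings']) or 'ok'}")
```

Run it as a script to see the four candidates from this post side by side. The ratio between “Money17$” and “abcdef” is over ten million, which is why a small amount of added complexity pays off even when the absolute times depend entirely on the attacker’s guess rate.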

For a FREE comprehensive Cybersecurity evaluation, CLICK HERE.

Cyber Security Awareness Month

October is Cyber Security Awareness Month!

Cybersecurity is one of the fastest-growing concerns for businesses, as many roles within organizations have become fully remote positions. To celebrate Cybersecurity Awareness Month, we suggest having these conversations with your team:

Cybersecurity management starts with training your organization to recognize potential cyber threats. This year’s theme for Cybersecurity Awareness Month is Do Your Part. #BeCyberSmart

Follow our social media accounts for our updates throughout the month. If you need more information on cybersecurity or cyber liability insurance, contact a risk advisor at 914-357-8444. Remember, do your part. #BeCyberSmart.

Cognizant Gets $400 Million Payout After Cyber Attacks

Technology consulting firm Cognizant fell victim to a ransomware attack last April. The attack prevented thousands of employees from accessing networks from home during quarantine. Clients also barred Cognizant from their networks in case of further breach, causing major revenue and clientele loss.

Cognizant’s losses total $50-$70 million in lost sales, higher premiums, and defense and legal costs. Without cyber insurance, however, the losses would have been catastrophic.

Cognizant had put extensive money into cyber insurance premiums with multiple carriers. Insurance Insider reports this investment turned out to be a good decision, as Cognizant received $400 million from its carriers, another huge loss for carriers in the cyber market. Carriers have been hit hard by higher loss ratios and claims frequency in the cyber market recently.

What is the overarching message? Right now, allocating resources towards cyber protection is no longer merely recommended but required. Cyber insurance of some form is necessary to protect against ransomware attacks and can save your company millions. However, insurance is not the only resource that needs investment; there is no way to fully protect yourself against cyber attacks with insurance alone. We recommend proper employee training, two-factor authentication, and data encryption software.

Stay ahead of the curve and protect your company’s invaluable data. Invest properly and do not be afraid to spend a little extra for full protection. The premiums upfront may prove cheaper in the long run.

Still have questions? Contact a risk advisor today at 914-357-8444 or visit our website here.

What is Cyber Insurance and How Does it Work?

With the vast majority of companies’ sensitive data being online, the vulnerability to data breaches is obvious, especially now that cybercriminals are becoming more tactical and clever in their hacking approach. These factors have driven the rise of cyber insurance, where companies manage their risk by buying policies to cover potential losses from data breaches. However, there are many speed bumps that come with buying cyber insurance. These are the 6 main questions that come with buying it.

  • How Do Companies Decide What They Want Covered?

Before companies fill out applications to buy cyber insurance, they first need to determine where they need to be covered. To do this, they need to find where their highest risks of data breaches are located and how much coverage they need for each part. Some companies use private, experienced network security specialists to figure out where they need to buy insurance.

  • What Prices do Brokers Charge for Cyber Insurance Premiums?

Usually, there are 3 or 4 main questions insurance companies ask potential insureds before pricing a cyber insurance premium:

First Question: Industry

  • What industry is your company in? Usually, insurers want to know what type of work your company does. This gives a clue to how much data you may be storing and how valuable that information may be. For example, an IT firm may have more sensitive and valuable information stored in its networks than a trucking company.

Profit

  • How much is your company’s annual revenue? More income attracts more cyber-criminals to the information a company stores online.
  • What kind of data do you have online, and where? Insurers want to know where you are storing this data and on how many different networks. In their judgment, the easier it is for cyber-criminals to extract this valuable information, and the more of it they can take at once, the more the insurance premium will cost.

Current Systems

  • How much security does your company have installed to protect your sensitive data? What security protocols do you have in place, other than insurance, to protect it? How much training have your employees had from professionals to keep phishing scams and ransomware at bay? These questions are frequently on insurance applications because they let insurers gauge two things: how seriously a company takes cyber-security, and how much it is willing to put into top-notch cyber-security in terms of people, money, time and resources.

  • What Type of Claims/Cyber Attacks do Insurers Usually Keep Out of Policies?

Typically, insurance companies will not cover things such as preventable security breaches, cyber-attacks due to negligence in maintaining proper cybersecurity, an employee mistake with sensitive information, or any attack from an employee within the company. Beyond that, there are other items that may or may not be excluded; it is up to the individual broker how much, if at all, they want to cover them.

  • So if the Company/Insured is Liable for any Breach, they Will Not be Covered?

In some cases this is true, but not in every situation. An insurer may not cover an employee mishandling sensitive information, but may cover a simple mistake, such as losing a device with information on it or losing information to a phishing scam. Every situation is different, and that is why insurers investigate every claim thoroughly. This is especially true in cyber security, as there may not be any physical evidence.

  • Speaking of Liability, What Constitutes First-party Liability vs. Third-Party Liability?

The difference between the two is who actually loses the data and who is actually responsible for the losses. Under a first-party liability policy, the insured is covered for any data breach they are liable for within their own company. To make it simple, if a company had its own sensitive information stolen and had a first-party liability policy, it would be covered. This is different from third-party liability, which covers an insured that is liable for a breach of information kept by another person or company. For example, an IT company that makes its money by creating private networks, software and encryption programs to protect its clients’ private information may buy third-party liability. In this case, if a client has its data hacked, the IT company is liable, but third-party liability may cover them.

  • Not All Companies Know They’ve Been Hacked Instantly. When do Companies say that Their Coverage for a Specific Claim has Expired?

This is up to the insurers to determine, based on what they feel is a proper span of time after the insured REALIZED the hack. This is important because the clock does not start when the hack or attack actually occurs, since it may take a small-market company over 200 days to realize its systems are compromised. Insurers go by when the insured figured out they had lost sensitive data and information, and the timeline begins on that date. Insurers know that the first thing on companies’ minds is not to file a claim. Companies want to figure out the exact damages, enforce accountability and re-secure or change the data security program first. Then, many companies will file a claim within a reasonable time frame. Most insurance brokers say about 6 months before carriers hand down warnings and coverage for that claim expires.

To Conclude

With cyber-attacks increasing significantly in the last 2 years through Ransomware and Business Email Compromises (BEC), having your data not only protected but insured is crucial in today’s modern corporate environment. Hopefully, these tips have helped with the frequently asked questions about the confusing intricacies of cyber insurance.

For more information about Cyber Liability Insurance contact a Risk Advisor or call 914-357-8444.

Cybersecurity Program Checklist Help

Cyber liability insurance is a companion to a strong cybersecurity program. The insurance portion helps your organization recover costs associated with the negative effects of a successful cyber attack; it cannot prevent you from experiencing loss. A strong cybersecurity program can help mitigate some of the potential losses by making your organization a difficult cyber target.

Cybercriminals are looking for targets with minimal cybersecurity on their systems. If your organization trains its employees to recognize potentially foul cyber activity and focuses on an organization-wide goal of cyber safety, you are on the right path to a strong cybersecurity program.

Managing Devices

Device management can seem like a small part of a strong cybersecurity program, but according to NetStandard, 1 in every 3 employees do not lock their work computers when they go to lunch or leave work (1). This leaves the computer, and every organization file it can reach, open to anyone who walks up to it. Documents can also be an access point for cybercriminals. An effective device management program encourages your employees to lock down their devices with passwords and to use better judgment when working in public workspaces.

Password Authentication Protection

We’ve previously highlighted the importance of using multi-factor password authentication. Password authenticators vary between digital & physical authenticators, as well as options that are a combination of both. All accounts at your organization should be outfitted with a multifactor authentication process. This added layer of cybersecurity can save your organization

Email, Webpages & Social Media

Cybersecurity is more than protecting your passwords and devices. A strong cybersecurity program includes smart practices while reading emails, entering data into unfamiliar websites and using social media. Phishing scams are one of the most common ways cybercriminals gain access to company information: the criminal poses as a safe and familiar entity and asks the victim to grant access to the account they are trying to take over.

If you have any additional concerns regarding your cybersecurity program and cyber liability coverage, contact a Risk Advisor at 914-357-8444.

Ransomware and other cyber security threats – what you can do.

The recent outbreak of the WannaCry ransomware brought renewed attention to the importance of a well-crafted cybersecurity strategy. Every company should have a strategy in place regardless of its size. If you don’t have one yet, there is no time like the present to begin. We previously published an article detailing some key focus points that should be addressed when developing an organization-wide cybersecurity strategy.

In this article, we drill down into a handful of steps that can be taken now to begin securing your company’s network and data. This is not meant to be an all-encompassing guide; it is only a starting point. These steps should already be familiar to those who have implemented a cybersecurity plan. However, the most comprehensive plans are worthless if they are not being executed.

1. Make sure all OS & software updates/patches have been applied.

Microsoft and other software developers such as Adobe and Oracle release updates and patches on a regular basis to improve usability and, more importantly, address security issues.  Secure your computer systems by taking the time to install these updates.  Turn on automatic updates whenever possible.  Set reminders for yourself to check for and install any updates and patches.  If you forget once, it is easier to forget again and before you know it months have gone by.

If you are running a PC with a version of Windows earlier than 10, be sure to install any updates and then run the tool to check for available updates again.  In many cases, certain updates will not be available until other updates have already been installed.

2. Migrate to a Current Operating System.

Organizations are keeping their existing computers longer than they once did.  There can be any number of reasons for this – the computers are “fast enough” to serve the needs of the company, the cost to replace the machines may be too high, or perhaps you need them to support a piece of legacy software that cannot run on new computers.  These are all valid reasons but as an OS matures fewer security patches are issued.  Eventually, the developer will cease all support.  Most newer operating systems will run on older hardware.  However, if your hardware cannot support the latest operating system, it may be time for an upgrade as well.

3. Install Antivirus Software.

This should be a no-brainer. Many people think they’ll never be a target for an attack and so don’t bother. For those of you thinking you’re “too small” to be a target, here is a sobering statistic: 85% of targets are small businesses. Do your research. There are some good options out there, many of which are free. Make sure protection is installed on all computers. Run scans on a regular basis. Check for and install updates on a regular basis. Antivirus software cannot do its job if it doesn’t know what to protect you from.

4. Password Administration.

More than 50% of people use the same password for all of their logins. Remembering one password is far easier than having a different one for each and every service, but it makes compromising access to your corporate systems much easier. Employees should be required to use complex passwords. You can also require passwords to be changed on a regular basis.

5. Set User Access Permissions.

Employees only need access to the data required to do their job.  Do they need access to certain sensitive information? Do they need permission to install programs?  Narrow an employee’s access and permission only to what is needed.  This will better protect your systems should their login be compromised.

6. Backup Your Data.

You may need to restore lost or corrupted data should you be hit with ransomware or your systems are disrupted by another type of attack.  Backing up your data to an external hard drive that is always connected to your computer or network isn’t enough. That data can become compromised as well if your backup is connected to the same computer or network that suffers an attack.  Hard drives are relatively inexpensive these days.  Keep multiple backups off-site and swap them out on a regular basis.  It is far easier and less costly to recreate or update a few files than to have to try to recreate years’ worth of data.  Another option is to use a cloud-based backup service.  Your data is stored off-site and most (but not all) of the burden of protection is transferred to your storage vendors such as Amazon Drive or Carbonite.

7. Transition All Your Data to the Cloud.

This step is a little more advanced than the others.  As we discussed in point 6, having your data in the cloud takes a lot of the burden of protecting that data off you and transfers it to your storage vendor.  You are reducing the impact ransomware can have by not storing critical information on your computer or network.  Keep in mind, however, cloud storage can still be vulnerable to ransomware if you upload an infected file.  That is why it is imperative you look for a vendor that can retain multiple versions of files if you decide to go the cloud storage route.  You can restore a previous clean version with minimal effort should a file become infected.
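The retention point in steps 6 and 7 is easy to get wrong: a single backup copy that is refreshed after ransomware has already overwritten the file is a backup of the damage. As an added example, not from the original article or from any storage vendor it names, the Python script below keeps several generations of each file, skips a new generation when the content is unchanged, and rolls back to a chosen earlier generation. The retention count, the directory layout and the sample ledger.csv contents are constructed assumptions. The simulation deliberately fails with a LookupError when the retention count is too small to still hold the clean copy, which is the practical reason to check how many versions a vendor keeps.

```python
"""Versioned file backup with restore of an earlier generation.

Added example, not code from the original article or from any vendor it
names. Paths, the retention count and the sample "ledger.csv" content are
constructed assumptions for this example.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Content fingerprint used to detect whether a file changed since the last backup."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


class VersionedBackup:
    """Store that keeps the newest `keep` generations of each file as <name>.<n>."""

    def __init__(self, store_dir, keep=5):
        if keep < 1:
            raise ValueError("keep at least one generation")
        self.store = Path(store_dir)
        self.keep = keep
        self.store.mkdir(parents=True, exist_ok=True)

    def versions(self, name):
        """All stored generations of `name`, oldest first."""
        found = [p for p in self.store.glob(f"{name}.*")
                 if p.name[: -len(p.suffix)] == name and p.suffix[1:].isdigit()]
        return sorted(found, key=lambda p: int(p.suffix[1:]))

    def backup(self, source):
        """Copy `source` into the store as a new generation if its content changed."""
        src = Path(source)
        existing = self.versions(src.name)
        if existing and sha256_of(existing[-1]) == sha256_of(src):
            return existing[-1]            # unchanged: reuse the latest generation
        next_id = int(existing[-1].suffix[1:]) + 1 if existing else 1
        dest = self.store / f"{src.name}.{next_id}"
        shutil.copy2(src, dest)
        for old in self.versions(src.name)[: -self.keep]:
            old.unlink()                   # prune beyond the retention count
        return dest

    def restore(self, name, target, generations_back=0):
        """Copy a stored generation over `target`; 0 = newest, 1 = the one before."""
        existing = self.versions(name)
        if generations_back < 0 or generations_back >= len(existing):
            raise LookupError(f"no generation {generations_back} back for {name}")
        chosen = existing[-1 - generations_back]
        shutil.copy2(chosen, target)
        return chosen


def simulate_ransomware_recovery(root=None, keep=3):
    """Walk through the scenario from the article and report what happened."""
    base = Path(root) if root else Path(tempfile.mkdtemp())
    ledger = base / "ledger.csv"
    store = VersionedBackup(base / "backups", keep=keep)

    ledger.write_text("date,amount\n2017-05-12,100.00\n")   # constructed clean data
    clean_hash = sha256_of(ledger)
    store.backup(ledger)
    store.backup(ledger)                 # no change, so no extra generation

    # Two rounds of the file being overwritten (e.g. by ransomware) and backed up.
    for blob in (b"ENCRYPTED-1", b"ENCRYPTED-2"):
        ledger.write_bytes(blob)
        store.backup(ledger)

    kept = [p.name for p in store.versions("ledger.csv")]
    restored_from = store.restore("ledger.csv", ledger, generations_back=2)
    return {
        "generations_kept": kept,
        "restored_from": restored_from.name,
        "recovered_clean": sha256_of(ledger) == clean_hash,
    }


if __name__ == "__main__":
    print(simulate_ransomware_recovery())
```

With `keep=3` the clean first generation survives two later backups of the damaged file and is restored intact; with `keep=2` it has already been pruned by the time anyone notices, and the restore raises. The same logic applies to a cloud vendor’s version history: the number of retained versions has to exceed the number of backup cycles that can pass before an infection is noticed.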

8. Discuss Cyber Liability Insurance with a Risk Advisor.

You can do everything to protect your computer network and data, but the reality is no system is perfect. Cyber liability insurance can’t stop you from having a ransomware attack or data breach. It will help to cover the costs of investigating the breach and will help you in the defense of claims arising from the attack and potential data loss. Many policies may also include cyber extortion costs to address a ransomware attack.

Cyber liability tends to be written on the basis that at least some basic security controls are in place. It is easy to say you are performing these steps on an application.  However, if a claim results which could have been prevented by following these steps, it may not be covered.

Contact one of our Risk Advisors today by clicking here to learn more about cyber liability and how it can help your company.

Cyber Security Regulation

New York State is implementing a new Cyber Security Regulation effective March 1st, 2017.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Gov. Andrew Cuomo said February 16, 2017 in a statement.

Today’s marketplace continues to transition towards the way of the keystroke. It seems you can’t conduct a business transaction without a multitude of emails, electronically signed documents, or a cloud storing the most vital information. These amenities have streamlined the way we conduct business, but have they left our information exposed? New York State seems to think so, and has thus passed what appears to be the “first-in-nation” cyber security regulation.

Governor Cuomo continued in his statement: “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber crimes.”

The finalized cyber security regulation, which takes effect March 1, 2017, sets mandated standards for financial institutions (including treasurers and insurers) to continue the on-going battle with risk of cyber-attacks.

The regulation requires “regulated companies” to implement a cyber security plan, including requirements for a program that is adequately funded, staffed, overseen by qualified management, and reported periodically to the most senior governing body of the organization. Additionally, the new regulation calls on banks to scrutinize security at third-party vendors which are providing them services. In 2015, the New York Department of Financial Services found that a third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.

“Throughout the regulatory review period, we emphasized how critical it is for insurers to have the ability to tailor and implement their cyber-security programs in a risk-based manner,” Alison Cooper, Albany, New York-based Northeast region vice president for the American Insurance Association, said in a statement. “While some challenges remain, overall the final cyber security regulation provides greater flexibility so insurers are able to better adapt to an evolving threat landscape.”

“With this landmark regulation, (the department) is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” Department of Financial Services Superintendent Maria Vullo said in a statement. “As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber attacks.”

At this point you’re probably thinking to yourself, “We’re not a bank, and we’re not a large corporation. So how does this affect my business?”

Directly, it doesn’t, YET! However, this new regulation should be viewed as a notice to all businesses, regardless of industry: cyber-attacks are an ever-increasing risk, and a potentially devastating exposure if left unacknowledged. It seems as though we’re constantly reading about the large corporations being hacked, leaving the small and mid-sized business owner to think “This can’t happen to us. Why would we be attacked?” The truth is, it can and it does happen to small and mid-sized businesses. Unfortunately, unlike the Home Depots and Targets of the world, one cyber-attack could be enough to force a business to close its doors.

Now is the time to evaluate your risk. Do you have a contingency plan in force if an employee accidentally opens a link from a person they thought they knew, only to find out it’s ransomware? Is there an action plan in force in the event hackers use your company email to send out spam or a virus to your contacts? Do employees know the steps to take if somehow all of your clients’ or employees’ data are stolen? Worse, if one of these events occurred, what would be the cost implications to your business? If you would like to take a deeper dive into this issue, contact a Risk Advisor today by CLICKING HERE. They can help you take steps to protect your business that cost nothing. Further, you can transfer the cost implications of many of these challenges to an insurance carrier through the purchase of a cyber liability policy. The world has become much more complicated, and it continues to do so with the passing of each month. We are here to help.

Protecting Your Business Bank Account From Hacking Theft

A client of mine dealt with a near hacking theft. Luckily the attempt was unsuccessful. He smartly had the conversation with his bank on what would have occurred anyway. This major bank’s shocking response? Not good. They started backpedaling. Turns out my client would have had to litigate or at the very least have a big delay in being reimbursed. As a small business, I knew I didn’t have the resources to litigate against the banks. Turns out it’s up to us to protect ourselves in this situation. Here’s what I did:

1. Purchased a crime insurance policy. The one I purchased cost 1% of the asset base I was protecting. Seemed to be a fair price.

2. Secured my banking account from theft. I was told to use one computer to access the bank account and not to have it as part of the network.

3. If possible, use a Mac, as they are far less susceptible to a trojan horse, as most of them are Microsoft-based code.

4. Set up a separate account. If there is a lot of cash in reserve, do not transfer online. Do it manually.

Watch the video below for the full story. Also, make sure to contact us if you’re interested in the specific crime policy that we purchased.