Tag Archives: forensics

Why Small Firms Need Cyber Coverage

There’s barely a week that goes by without some sort of cyber security incident, such as a system hack or a data breach, putting thousands if not millions of people’s personal information at risk. Although big corporations generate the most headlines, the reality is that small and mid-sized businesses are equally, if not more, vulnerable to cyber attacks.

Smaller organizations don’t have the resources to put up the firewalls or deploy the high-powered system monitoring software that larger firms can afford. Like the house on the block with an open window and no burglar alarm installed, these businesses are easy prey for hackers, and they’re getting hacked more often than you think.

According to IBM, small and mid-sized businesses are hit by 62% of all cyber attacks, at a rate of 4,000 per day. A more sobering statistic? Sixty percent of small businesses go out of business within six months of a breach.

As insurance professionals, we have the opportunity to change that outcome. Although we can’t deter the cyber thieves from striking, we can help our business customers protect themselves by effectively educating them on their risks and providing the cyber liability coverage they need.

See also: Why Buy Cyber and Privacy Liability. . .  

A Quick 411 on Cyber Liability Coverage

The good news is, there are 20 or more cyber liability carriers in the marketplace today, which keeps pricing low for budget-conscious business owners. Typically, every million dollars of protection, for a company that has never been hacked, runs about $2,500 per year. That’s well within most businesses’ budgets.

However, not all policies are created equal.

It’s critical for insurance professionals to spend time educating themselves on the details of what each policy offers before heading off to sell. This ensures that you offer the best solution to each of your customers and can adequately review any coverage they currently have for gaps.

Cyber liability policies should always include coverage for the following:

Notification Costs and Credit Monitoring

Most states require companies to inform anyone affected by the breach of personally identifiable information in a timely manner, and offer credit monitoring for the 12 months following the incident. Typically, businesses have to set up call centers to answer frequently asked questions, as well. A good cyber policy should cover all of these costs.

Cyber Extortion

According to the FBI, the incidence of ransomware attacks is on the rise. This attack typically begins when an employee clicks on a legitimate-looking email attachment. That one click releases malware that locks digital files until the company pays a ransom to release them. Unless the company pays the tens of thousands of dollars that hackers demand, businesses could lose proprietary information, product schematics, customer orders and other sensitive information. The right policy will help cover the cost of payments to extortionists, as that’s typically the only way to get the data back.

Business Interruption

If a company’s systems are compromised, hackers can encrypt its software or overload its Web servers to block legitimate orders, and business comes to a screeching halt. Think about the financial impact a day or a week down could have on a small e-commerce company, a CPA firm or a manufacturing operation if they’re not adequately covered for the loss.

Public Relations

One hack can ruin a local business’s reputation in a heartbeat. If a breach occurs, that company has to hire an experienced public relations team to explain what they’re doing to protect the affected individuals and mitigate reputational risk associated with the breach.

Forensics Costs

Finally, and perhaps most significantly, a cyber liability policy should cover forensics — hiring computer technologists to come in and identify where and how the breach occurred, and how big the impact was. It’s important to note that this is typically the biggest cost associated with a breach, and the most frequently exhausted limit in cyber liability policies. So, it’s important to make sure the policy you recommend provides adequate coverage in this area.

Explaining Cyber Insurance to Your Customers

The most effective way to talk to your customers about cyber liability insurance is to show them their exposures. Typically, small and mid-sized businesses don’t think of themselves as being at risk. For example, a restaurant owner might believe that, by using a third-party payment card processor, her business is protected. The reality is: Her patrons don’t care who processes her transactions. They come to her restaurant, eat her food and hand her servers their credit cards. The place where people do business is going to get the blame — and be the one liable for the costs.

It’s not just retailers and restaurants that are at risk. Any company with personally identifiable information – Social Security numbers, health records or employee data – is exposed. With the cost per compromised record averaging $221, the more records a company has, the more exposure it has. When you explain that one incident could cost a smaller business $50,000 or $100,000 to rectify, the value of paying a few thousand dollars a year for cyber liability insurance becomes very clear.

See also: Cyber Attacks Shift to Small Businesses  

In addition to being affordable, cyber policies are quick and easy to get — if the business hasn’t been hacked before. For most carriers, it’s a one-page application that asks basic questions to find out if the company has a firewall, antivirus software and encryption, as well as its use of mobile devices. Typically, you can get a quote in an hour or less, issue the policy and be on your way. Just as important, your customers will know that you’re looking out for their best interests.

If I can leave you with one thought, it’s this: In this technology-reliant world, every business has a target on its proverbial back. If some form of cyber-attack hasn’t affected your customers yet, there’s a high probability that they’ll get hit in the near future. No business is too small, and no one is immune.

With the right cyber liability coverage, your business customers will be prepared for the inevitable breach — and have the protection they need to survive it.

Ransomware: Your Money or Your Data!

Your client, ABC Corp., is going about its business and then gets this message:

[Image: sample ransomware message (alt text: “police”)]

The above is a typical ransomware message, according to a recent Symantec Security Response report. What’s next? Pay the “ransom” and move on? Ransomware is a type of malware or malicious software that is designed to block access to a computer or computer system until a sum of money is paid. After executing ransomware, cyber criminals will lock down a specific computer or an entire system and then demand a ransom to unlock the system or release the data. This type of cyber crime is becoming more and more common for two reasons:

1. Cyber criminals are becoming increasingly organized and well-funded.

2. A novice hacker can easily purchase ransomware on the black market.

According to the FBI, this type of cyber crime is increasingly targeting companies and government agencies, as well as individuals. The most common way that criminals execute their evil mission is by sending attachments to an individual or various personnel at a company. The busy executive opens the file, sees nothing and continues with his work day. However, once the file has been opened, the malware has been executed, and Pandora has been unleashed from the box!

Now that the malware has been unleashed, a hacker can take over the company’s computer system or decide to steal or lock up key information. The criminals then make a “ransom” demand on the company. The ransom is usually requested in bitcoins, a digital currency also referred to as crypto-currency that is not backed by any bank or government but can be used on the Internet to trade for goods or services worldwide. One bitcoin is worth about $298 at the moment. Surprisingly, the amounts are generally not exorbitant (sometimes as nominal as $500 to $5,000). The company then has the choice to pay the sum or to hire a forensics expert to attempt to unlock the system.

The best way companies can attempt to guard against such cyber crime attacks is by educating employees on the prevalence and purpose of malware and the danger of opening suspicious attachments. Employees should be advised not to click on unfamiliar attachments and to advise IT in the event they have opened something that they suspect could have contained malware. Organizations should also consider backing up their data OFF the main network so that, if critical data is held hostage, they have a way to access most of what was kidnapped. Best practices also dictate that company systems (as well as individual personal devices) be patched and updated as soon as upgrades are available.

Finally, in the event you are a victim of a ransom attack, you would need to evaluate whether it constitutes a data breach incident. If the data hijacked is encrypted, notification is likely not necessary (as the data would be unreadable by the hacker). However, if the data was not encrypted, or you cannot prove to the authorities that it was, notification to clients or individuals is likely necessary.

Takeaway

Cyber extortion is more prevalent than most people realize because such events are not generally publicly reported. To protect against this risk, we recommend that companies employ best practices with respect to cyber security and that they consider purchasing a well-tailored cyber policy that contains cyber extortion coverage. Such coverage would provide assistance in the event a cyber extortion threat is made against the company, as well as finance the ransom amount in the event a payment is made.

Don’t Do It Yourself on Property Claims

It’s okay to get help!

Recently, we hired a business development professional. In learning our business model and marketing strategy, he asked, “Who is your biggest competitor?” We said: our customers — the “do-it-yourselfers.” This struck him as odd, but it is the absolute truth.

We are in the business of preparing property claims that usually involve physical damage and business interruption. This is a very specialized practice that is part accounting, part insurance and part art. However, the companies we approach often feel they are in the best position to handle this process and do not need outside assistance.

Why is that?

When a claim is reported, the insurance company will assign an adjuster to the claim — either an inside adjuster or an independent adjuster — sometimes both. The adjuster is hired by and paid for by the insurance company to make sure the claim fits within terms and conditions of the insurance contract. The adjuster will rely on specialists of his own — usually forensic accountants and forensic engineers. The specialists allow the adjuster to focus on his job of interpreting the coverage, reporting back to the insurance company and negotiating settlement on behalf of the insurance company. The specialists are there to verify the details of the claim that is presented to them by the policyholder. The insurance adjuster alone cannot and does not take on all of the responsibilities. The adjusters are the experts at this process — it is their business and they do it every day — but they still get specialized help.

So if the insurer handles claims this way, why would the insured not get expert help?

Think of the “do-it-yourselfer” project at home. Let’s say you’re pretty handy around the house, so you look at that bathroom that needs remodeling and decide, “I’ll do it myself this weekend.” Technically, you CAN do it yourself — you can take your crowbar and sawzall and do the demolition; you can handle laying the tile; and, with a little research, you could figure out the plumbing. The first weekend you go out to buy the extra tools you need and some supplies, and you get to work. Maybe the demo will go easily, but if you’ve ever tackled a home project, you know nothing is as easy as it seems, and it always takes more time than expected.

If you make it through the demo, you spend the rest of the weekend figuring out your strategy for the new bathroom. Because you have a day job, each evening that next week you try to make progress, but by the end of the week you are bleary-eyed from the stress of this unfamiliar work and the late nights of trial and error. The next weekend, you cannot get back to the work, because you have family activities. When the vanity arrives, you realize it does not quite fit the way it should. Next, you realize you need more tools. Your weekend project turns into months of disarray. If you stay the course, months later you’ll have a functional bathroom, but there are usually a few steps that you decide you’ll have to get to eventually. At this point, you’re getting busier at work, and you just don’t have the bandwidth to get back to the myriad of subsequent bathroom issues, so you consider bringing in an expert to bail you out.

Preparing a claim is very similar, if you do it yourself. Beyond saving you time and stress, and sparing you a compromised result, a claim preparation expert has the tools of the trade, the skills and the experience to achieve an accurate and timely recovery. In contrast to the home improvement example, though, your claim preparer’s fees should be covered, in part or in full, by your property policy. So, if you’re not saving time or money by doing it yourself, and an expert will get you a better result, why would you not engage a professional claim preparer?

That question seems like a no-brainer, yet so many still take the DIY approach to property claims.

To sum up, it is okay to ask for help. The policyholder is not expected to be able to “do it yourself.” That is why you have professional fees coverage. The insurance company assigns its experts to adjust and audit your claims, and they’ll be better equipped to meet their objectives than you will if you take the DIY approach. They are the insurer’s experts, so it is advisable for you to bring in your own experts to represent your interests.

Here are a few suggestions of what to look for in a firm to prepare your claims.

  1. A loss accounting specialist, because insurance accounting is a unique trade. Typically, the firm will identify itself as forensic accountants.
  2. Experience with the types of property claims you have, in your industry or similar ones, and with at least 10 years in the field.
  3. Independence. This will ensure the firm is on your side with no conflicts of interest. Avoid allowing your insurer’s accountants to calculate your losses. The same holds for any other party that may have a conflict.
  4. A firm that qualifies for professional fees coverage. The fees should be based on an hourly rating scale, not on contingencies. Property policies will have specific exclusions, such as public adjusters and broker-affiliated services.
  5. A firm that is respected by insurers, adjusters and brokers. Your accountants should not threaten your relationships to achieve the result.

If you see the benefit of engaging a team to prepare your property and business interruption claims, do your due diligence ahead of a loss. Interview any qualifying candidates and make your choice. The firm should be involved in your claim from the very beginning.

If you take this advice, your claims will go much smoother, and the claim will be free of leaks and loose tiles.

Privacy Enforcement In The Healthcare Arena

The Exposure
Organizations that deal with private health information (PHI) should know how to properly handle such data in the absence of a breach as well as how to respond after a breach occurs. According to the 2011 Computer Security Institute Crime and Security Survey, 97% of organizations report using anti-virus software, 95% use firewalls, 85% use anti-spyware software, 66% use data encryption and 62% use intrusion detection systems.

The Open Security Foundation’s website, www.datalossdb.org, shows that despite taking meaningful steps to prevent security breaches, healthcare organizations accounted for 18% of the 1,032 data breaches reported in 2011 and 15% of all breaches on record. Further, according to the Ponemon Institute’s 2011 Cost of Breach Study, the per capita cost of a breach for healthcare organizations averages around $240 per record. When compared to retail, which averages $174 per record, education, which averages $142 per record, and an average of $194 per record for all industries, healthcare organizations clearly have cause to be concerned about breach response expenses.

A healthcare organization or business associate[1] should also be aware of the increased standards that have been imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Privacy Rule and the Security Rule. One aspect of the HITECH Act that may surprise many is the potential for the Office of Civil Rights (OCR) to fine an organization in the absence of a breach.

In 2012, the Office of Civil Rights will conduct 150 audits of Covered Entities. If material security weaknesses are reported, a formal compliance review will follow. If that review uncovers blatant security violations, civil monetary fines could follow. Enforcement action around data breaches has been on the rise, and fines and penalties are being levied more frequently than in the past. The Department of Health & Human Services (DHHS) posts examples of resolutions including fines on their website. These initial audits are likely only the beginning of expanding regulatory oversight related to private health information.

Theodore Kobus III of Baker & Hostetler LLP, one of the national leaders of their Privacy, Security and Social Media Practice, advises the following regarding the current regulatory environment:

Data security extends beyond breach response and we are seeing an increasing number of regulatory investigations and fines stemming from how an organization responds to changes in its risks. A big part of being prepared includes understanding the nature and scope of the information you hold and how that data needs to be protected as risks in the organization evolve. For example, if you store data in an area that was once monitored by a security guard, but that area is now unoccupied, you may want to consider implementing other security measures.

Reducing The Exposure
In a previous article regarding lost laptops, we provided basic tips for handling a privacy breach.

With the type and volume of private health information that organizations in the healthcare arena touch, they are expected to take even more comprehensive steps to anticipate, prevent, respond to, and survive a breach. While many organizations are large enough to have entire departments dedicated to this issue, the complexity of the privacy laws means that, regardless of the organization’s ability to dedicate resources, it is important to work with legal counsel that is solely focused on privacy-related issues. Similarly, healthcare providers should also seek out specialized network security risk management providers who can help answer important questions like:

  • Am I prepared to show that I took the proper steps before a data breach occurred?
  • Do I have an effective incident response plan in place when there is a problem?
  • Am I protecting digital records as well as paper records under the requirements of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act?
  • Are my vendors and business associates also in compliance with the proper standards?

Many insurers have existing relationships with computer forensic firms, notification vendors, credit monitoring providers, legal forensic firms, public relations firms and others to help navigate the huge distractions following a data breach. To this end, we have seen insureds purchase cyberliability coverage solely for the value-added services provided by the insurer. Many of these buyers feel that they can afford a security breach, but that they don’t have the time to line up all the necessary critical response vendors if a breach occurs.

Neeraj Sahni of Kroll Advisory Solutions points out:

The ease of access to electronic data, anywhere-anytime, makes security a challenge as negligence leads to recurring data breaches. Preventive preparation is the most important loss control mechanism for any organization that has sensitive data. Thus waiting for a breach to occur is reactive and may incur more liability for any company. An incident response plan potentially helps lessen the impact of a breach. Also note, being compliant with security and privacy regulations does not provide assurance to an organization against a data breach.

Contractual Risk Transfer May Not Be Enough
Contracts with business associates and other trading partners may be part of the solution, but not the whole solution, as observed by Theodore Kobus III:

Many organizations think that a contract shifting liability to a third party is all that you need to protect the organization in the event that a vendor causes a breach. This type of protection is good, but it does not solve all of the organization’s issues. Notwithstanding the public relations issues the organization may face after a breach by a vendor, laws such as HITECH and various state laws still hold the organization that owns the data ultimately responsible for the breach. Another consideration about shifting all responsibility for a breach to the vendor is the lack of control over the messaging after a breach occurs. Remember, even though the vendor may have caused the breach, these are still your customers and your reputation is at risk.

Mr. Kobus brings up a dangerous situation. If a healthcare provider has fully shifted post-breach responsibilities to a vendor that caused the breach, the treatment of its customers or patients is in the hands of the vendor. To shift financial responsibility is one thing, but the provision of post-breach services such as call centers and identity/credit services should remain in the healthcare provider’s control. When it comes to the handling of an organization’s reputation, the preferred approach is to proactively protect its reputation rather than scramble to restore it after a poorly handled data breach.

The Right Insurance To Survive A Breach
Healthcare providers and business associates should have their own policy to protect their organization. The company’s own employees are a significant cause of data breaches, as are external hacks. The organization will not be able to unfailingly transfer that risk to other parties.

Organizations should also ensure their vendors have the financial assets or insurance to back up their contractual promises. If an entity is going to rely on a third party vendor to hold on to private health information for which they are responsible, they should be reviewing the vendor’s professional liability insurance rather than just asking if they have a policy.

Types Of Risk Transfer Vehicles
Cyberliability is the generic description of the type of policy healthcare organizations will need. In a prior article, we went into some detail about what is available. Here are some of the typical insuring agreements in a Cyberliability policy:

  • 1st Party Business Interruption — Covers lost business income in the event a virus infection or hacker shuts down your network.
  • 1st Party Data Asset — Covers the expense to recover lost data and other expenses.
  • Cyberextortion — Covers expenses and ransom if a hacker threatens your network or data.
  • 3rd Party Network Security — Covers your liability when hackers use your system to inflict damage on others.
  • 1st Party Privacy
    • Notification Expenses — When data is lost, you must notify all potential victims within a very brief period of time and in accordance with the state laws where the potential victims reside.
    • Forensic Expenses — The insurer will cover the expenses associated with bringing in computer experts to determine the cause of a breach and the list of potential victims. Some insurers also cover legal forensic experts.
    • Credit Monitoring — The insurer may cover one to two years of credit monitoring services for those exposed.
    • Credit or Identity Repair Services — The insurer will cover the expenses for up to one year to restore compromised identities and repair a victim’s credit rating following an actual identity theft.
    • Crisis Management — Public Relations expense coverage to protect the image of the organization.
  • Regulatory Defense and Expenses — Many new regulations exist related to the protection of confidential data. The insurance will provide defense cost coverage and in many cases cover fines, penalties and restitution funds levied by a regulatory body, where insurable. This coverage is designed to help healthcare organizations respond to actions brought by state agencies, state attorneys general, the Department of Health and Human Services, the Office of Civil Rights and other regulatory agencies.

There are now more than 30 different insurers with dedicated cyberliability policies, and no two insuring agreements are the same. It is important to be diligent in making sure the coverage sought is the coverage bought.

Conclusion
The current regulatory oversight and monetary implications surrounding a loss of private health information mean that firms in the healthcare arena should be more aware than most of privacy enforcement and how to protect their clients, constituents, reputation, and organization.

[1] A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. (For more information, see hhs.gov.)