It’s no secret that cybersecurity incidents are on the rise globally. If you look at the fallout from politically linked attacks, such as those tied to the war in Ukraine and the building tensions in Taiwan, it may feel like cyber criminals have moved on to bigger targets, but businesses are getting caught in the crossfire.
Just recently, cyber criminals hacked the file transfer portal MOVEit, which impacted more than 400 organizations, including major corporations and large and small colleges and universities globally. Analysts estimate that more than 23 million people may have had their personal data compromised as a result of the hack.
What many do not understand is that the responsibility for this compromise still falls on the entity that collected the information, regardless of where it was stored when stolen. Due to the complexity of cloud-based systems, companies can be at risk even if they are not the target of the initial cyberattack. This was true in the case of the MOVEit attack. Many organizations were impacted because organizations they worked with or provided data to used MOVEit for file transfer.
Many companies have turned to insurance as a hedge against financial loss, but when it comes to cyber incidents, companies are turning to their cyber insurance companies for more than just insurance. They turn to them for best practices that they can proactively implement to prevent a loss. They are also leaning on the insurance company to help them quickly respond to a cyber incident. While in the past this was primarily focused on obligations regarding notifications to customers and legal obligations, it has shifted to include business disruption concerns, privacy considerations and security remediation.
Cyber risk has long been a key department in big organizations; however, it is becoming more relevant for companies of every size. To proactively protect your business from cyberattacks, you need to understand the cyber landscape today and why it is changing.
Is a data breach still your primary concern?
Chief Security Officer (CSO) magazine recently interviewed me for a story as they sought to demystify the cyber insurance landscape including the difference between data breach insurance and cyber liability insurance. It is sometimes a difficult distinction for those outside of the industry to make.
In a typical data breach, someone gains unauthorized access to an individual’s private data (usually defined by state law) that is left in your care. Most states have passed laws that require an organization to respond to a theft of data. This response varies by state, but generally includes notification, credit monitoring and other services to protect the individual’s identity. An important distinction is that a data breach generally refers to the theft of an individual’s information, not corporate data. Like many things, a corporation has different protections than an individual, so a company’s obligation changes depending on whether the stolen data relates to individuals or a corporation.
Cyber liability is when your company is accused (usually via a lawsuit) of causing damages to an outside party as a direct result of a cyber incident. A cyber incident can happen if you or your employees aid in the spread of a malicious virus or the infiltration of another organization’s network, or if it’s determined you weren’t doing enough to protect data in your possession. Regardless of the cause, the damages would be presented as a lawsuit or allegation of wrongdoing.
Simply put, a data breach is about losing information that you are responsible for, and cyber liability is about causing a cyber incident for an outside party.
Business Continuity
One type of loss related to cyber incidents that we typically don’t hear about is a loss due to business disruption, and yet it is the iceberg below the water. We use technology to be faster, more efficient and more organized. However, in doing so, we have created a choke point (or choke points) that allows for extortion to be effective. You’ve likely heard of ransomware.
Cyber criminals know that the inability to use technology affects everyone; how much depends on your specific industry and operation. In hyper-competitive markets, sales are lost in an instant if a website goes down, a shipment is delayed or employees working remotely are not able to connect to the network. The criminals are looking to take advantage of a business’s desperation to access its data and get back to normal.
This is not a new risk, but it was not a major consideration for cyber coverage a few years back. More sophisticated carriers were adding this coverage, but most in the market were still focused on loss of private data. Many that have not changed their policies still are, and they offer little practical coverage.
Cyber risk is extremely nuanced due to the differences between organizations. However, it is important to reflect on the most likely disruptors for an organization before deciding how to purchase a cyber insurance policy. Doing so can impact how to structure the policy, and the training and infrastructure required to limit the fallout from a cyber incident.
The cyber world is complex and constantly evolving. It’s imperative to proactively protect your organization from these hidden risks. We know that deciphering insurance policies can sometimes be confusing, so reach out to one of our strategic risk advisors, who can help you ensure not only that you’re properly protected but also that strategic measures are in place to reduce the risk of a cyber incident occurring in the first place.