Cyber Liability: Are You Feeling Lucky? by Sandra Lovett-Tillman
Security breaches, whether physical, network, system or data breaches, can happen to any company, regardless of industry or size. Recently, we’ve seen breaches at the U.S. Office of Personnel Management, Target, Anthem, Sony, Home Depot and JPMorgan Chase. A thought-provoking rendering of the “World’s biggest data breaches through hacks through October, 2015” can be viewed below. These data breaches have touched not only businesses, but also countless individuals throughout the world whose data has been breached.
Visualization: World’s Biggest Data Breaches via Hacks, courtesy of David McCandless at InformationIsBeautiful.net
Financial institutions are often in possession of and responsible for sensitive information including personal identifying information, which makes them prime candidates for those looking to acquire such data.
As a small business working with financial institutions, legal firms and commercial entities looking to evaluate potential borrowers or investigate the financial position of individuals or companies for recovery purposes, we have had to look for additional ways to protect our business as well as our clients’ interests. One such area has been to ensure that we have appropriate insurance for our business.
In years past, it was sufficient for a business to have a General Liability policy, an E & O policy and a Workman’s Comp policy; however, as a service provider, part of our current due diligence is now to carry a Cyber Liability policy. Consider the following three views on the topic from PwC, Cavignac & Associates and Insureon.
“Although Cyber insurance does not, by itself, protect a business from data breaches, it does typically cover both damage and liability stemming from attacks that could damage, corrupt or disclose specific classes of data or technical infrastructure – risks that are typically excluded from traditional commercial liability coverage.” (PwC, “Managing cyber risks with insurance,” June 2014)
“Cybersecurity is not just an IT issue but an enterprise risk management issue. As with any major business risk, companies should consider cybersecurity insurance as a way to transfer risk and mitigate potential losses.” (Cavignac & Associates, Best Practices Annual Cyber Insurance Reviews, 2015)
“The risk of data breaches is real. Many small business owners may not think they need this type of insurance, but start ups and small businesses are actually the most vulnerable to security threats. Thousands of small businesses handle sensitive customer credit or bank account information daily, and many are also responsible for protecting personal identifiable information (Social Security, driver’s license and other sensitive data). All it takes is one careless mistake by an employee, unauthorized access by a former employee or vendor, unshredded document, skilled hacker, or stolen laptop, and your company could suddenly face an unprecedented legal and financial challenge. Combined with strong security measures, cyber liability coverage is a cost-effective way to mitigate that risk.” (Insureon.com/products/cyber-liability)
According to the National Association of Insurance Commissioners & the Center for Insurance Policy and Research (NAIC), “managing cyber risks through insurance is relatively new. Although the market for cyber liability insurance is off to a good start, it is expected to grow dramatically over time as businesses gradually become more aware that current business policies do not adequately cover cyber risks. As data breaches occur more frequently, there are additional pressures for businesses to step up efforts to protect the personal information in their possession. Cyber attacks may come from nation states, terrorists, criminals, activists, external opportunists and company insiders (both intentional and unintentional). Cyber criminals attack to gain some type of political, military or economic advantage. They usually steal money or information that can be eventually monetized, such as credit card numbers, health records, personal identification information and tax returns.”
NAIC's list of Cyber risks includes:
- Identity theft as a result of security breaches where sensitive information is stolen by a hacker or inadvertently disclosed, including data elements such as Social Security numbers, credit card numbers, employee identification numbers, driver’s license numbers, birth dates and PIN numbers.
- Business interruption from a hacker shutting down a network.
- Damage to the firm’s reputation.
- Costs associated with damage to data records caused by a hacker.
- Theft of valuable digital assets, including customer lists, business trade secrets and other similar electronic business assets.
- Introduction of malware, worms or other malicious computer code.
- Human error leading to inadvertent disclosure of sensitive information, such as an email from an employee to unintended recipients containing sensitive business information or personal identifying information.
- The cost of credit monitoring services for people impacted by a security breach.
- Lawsuits alleging trademark or copyright infringement.
The NAIC also states that securing a Cyber Liability policy will not be a simple task. Insurers writing this coverage will be interested in the risk management techniques applied by the business to protect its network and its assets. The insurer will probably want to see the business’ disaster response plan and evaluate it with respect to the business’ risk management of its networks, its website, its physical assets and its intellectual property. The insurer will be keenly interested in how employees and others are able to access data systems. At a minimum, the insurer will want to know about antivirus and anti-malware software, the frequency of updates and the performance of firewalls.
“Cybersecurity for your business is not only about adding layers of security technology. It starts with understanding and managing your cybersecurity risks. The 5-Step Approach to Better Business Cybersecurity is based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework and represents an approach that applies to the specifics of your business, helping you understand how best to identify and protect your business’s vital data and technology assets, and how to detect, respond to and recover from a cybersecurity incident.”
The Better Business Bureaus' The 5 Step Approach to Better Business CyberSecurity
The Federal Communications Commission (FCC) also provides a tool for small businesses to create customized cyber security planning guides, FCC’s Small Biz Cyber Planner. See https://www.fcc.gov/cyberplanner. The planner also outlines steps to take should a breach occur. All businesses should set a policy for managing these types of risks and plans to address such incidents if and when they occur.
As John Chambers, CEO of Cisco, articulated recently at the World Economic Forum in Davos, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.”
With that in mind, the question arises as to how this could impact the lending arena. From a due diligence standpoint, do lenders now have to ask potential borrowers about their cyber liability plan and ascertain if they are appropriately covered via Cyber Liability insurance, particularly if the borrowers’ business involves the collection of sensitive, personal information? What happens if the borrower becomes a victim of a cyber intrusion that disrupts their business or generates unforeseen litigation, and the costs of addressing the cyber intrusion result in the borrowers’ inability to meet their contractual obligations to the lender? There have been a number of articles written in 2014 and 2015 regarding the increasing compliance requirements that lenders are facing. Will 2016 lead businesses to further evaluate their vendor and customer relationships based upon overall risk, including cyber risk? In short, has become a fact of life?
Rather than rolling the dice and trusting Lady Luck, your best defense is a good offense. Take the time now to make a cybersecurity plan for your business, and don’t forget to include any third-party vendors that you may rely on as well. A cyber liability policy is becoming an increasing necessity for business; the challenge is in determining how much coverage and at what amounts to offset cybersecurity risks for your business.
Co-Owner & Managing Director | aVeriFact, LLC
Sandra Lovett-Tillman is a Co-Owner/Managing Director at aVeriFact, LLC dba C&R Credit Services. Her primary area of expertise is client development associated with the implementation of aVeriFact’s Financial and Background investigation services to improve due diligence results for our clientele. As a Co-Owner, Sandra’s responsibilities also include the company’s IT functions.
Lovett-Tillman brings over 20 years’ experience in credit/collection sales, of which 8 years have been directed towards expanding financial investigation options for asset-based lending, pre-lending & credit evaluations, commercial recovery, litigation, and employee background due diligence. Her experience, knowledge and insight have resulted in an impressive growth in services for our clients and she enjoys working to develop search options to address their unique challenges and ensure that they “Always Verify Facts” prior to making critical business decisions.
Lovett-Tillman is a 1984 graduate of Louisiana State University, with a BS-Business/Management and has been a Licensed LA Private Investigator since 2007. She also works with her BSA Scoutmaster husband, Ken, as a Parent Coordinator for Boy Scout Troop 321 and is a Youth Leader in her church working with 7th through 12th graders. She has three boys (ages 17, 18 and 26), who help to keep her grounded and make life interesting!
She can be reached at 800-468-5818 or via e-mail at email@example.com.