Tuesday, July 26, 2011

5 Steps to Protect Organizations From Cyber Liability


Because cyber crime has developed into a problem with potentially catastrophic consequences, cyber risk is arguably one of the single greatest threats facing companies today. The 2009 Computer Crime and Security Survey conducted by the Computer Security Institute found that 43 percent of U.S. businesses experienced some kind of cyber security incident last year.
In the face of these threats, formal protection efforts are inconsistent at best: The World Wide Web is global and borderless, and laws that govern the protection and disclosure of confidential consumer information vary considerably from state to state and country to country.
All organizations are at risk for some type of data exposure. After all, the use of interconnected networks and cloud computing is nearly unavoidable in today’s business world and can provide innumerable benefits.
Companies need to be investing in technologies and establishing policies that safeguard data and lessen the risk of a breach, which could cause a company to incur sizable direct cleanup expenses while severely damaging customer trust and loyalty.
There are five crucial steps a company can take to protect itself from the surge of cyber crime:
1. Enlist the CFO in the fight against cyber crime. The responsibility for preventing network security and privacy exposures extends well beyond the information technology department. Rather, the chief financial officer should lead the company’s efforts and develop a holistic, enterprise-wide approach. With a visible, senior-level executive directing the cyber risk management initiative, people at all levels of the organization are more likely to fully understand the financial risks involved and work to manage them.
2. Uncover the cyber crime vulnerability, and quantify it. To comply with corporate governance best practices, an organization should hire a third-party expert to evaluate the organization’s cyber risk and the potential financial impact of a breach. Questions to consider:
  • Is our organization retaining any private data about clients, vendors or employees?
  • What’s the best way for us to evaluate the costs and benefits of additional IT loss-prevention expenditures?
  • Should we purchase cyber risk insurance?
3. Add a cyber risk expert to the company’s board of directors. Awareness and visibility begin at the top. By having a board member who is familiar with cyber crime and understands the level of risk and the loss potential, an organization can ensure this issue remains a priority. Additionally, a board member with a deep understanding of cyber liability can guarantee a holistic approach to risk management within the company and can oversee the adoption of formal procedures to control data security.
4. Consider risk transfer solutions. Now is the time to consider an insurance solution for cyber exposure. Because security breaches typically occur in areas of the organization generally considered to have adequate security protocols — or in unanticipated areas — insurance makes good sense. Fortunately, the overall property & casualty insurance market remains favorable, and numerous insurers are committed to this field. While there’s no replacement for sound risk management practices, a comprehensive insurance policy can be a solid last line of defense.
5. Involve the HR team. Internet security must be part of organizational processes at every level and in all parts of the business. As the driver of company culture, HR can help support and strengthen information security campaigns and procedures. Because the lines between employees’ personal conduct and their business conduct — during business hours — can sometimes become blurred, HR must clearly define and communicate the company privacy policy, as well as all rules and requirements regarding employees’ use of the Internet. In addition, HR should continuously monitor employees’ use of social networking sites and remind employees that the Internet is very much a public forum.
The number of data security breaches within companies is growing exponentially as they rely more heavily on technology and the Internet. Every organization must protect its priceless data and develop ways to prevent costly breaches.

Published by: Lawrence Racioppo and Craig Nelson (Insurance Journal)

Thursday, June 2, 2011

Cybercrimes Increase As Economy Falters

A weakening economy has exacerbated the problem of cyber-related crimes, causing millions of dollars in losses to businesses. Spamming, hacking, pinging and denial of service are just a few of the fraudulent cyber attacks that can cripple a business. Reliance on traditional insurance and information security to deal with these ever-evolving risks is not enough, making cyber insurance critical to protecting businesses, according to the Insurance Information Institute (I.I.I.).

“The surge in cyber crimes is enormous,” said Loretta Worters, vice president of communications with the I.I.I. “From email phishing scams, which attempt to trick a consumer into providing sensitive data to fake Web sites, to cyber hijacking, in which crooks use stolen usernames and passwords to filch online accounts, these schemes damage networks, data and computer systems as well as expose businesses to third-party claims.”

The insurance industry has developed cyber insurance products to help businesses confront the growing number of network security risks that have the potential to shut down a network, destroy vital data or steal customer information. As the public becomes more concerned about privacy, businesses have become more aware that they are liable in the event the personal information of their customers is compromised. However, not enough businesses are properly insured.

According to a recent Ernst & Young survey of 1,400 organizations, its 2008 Global Information Security Survey, only 13 percent of survey respondents currently have insurance coverage for the losses resulting from a cyber attack. In addition, only 20 percent of respondents have a documented strategy for information security and less than half perform formal risk analyses to direct information security activity.

Losses from cyber crimes can be considerable and are on the rise. The 2007 Computer Security Institute’s Computer Crime and Security Survey noted that 46 percent of companies had experienced one or more security incidents in the past 12 months; the average reported loss increased to $350,424 from $168,000 the previous year.

“Regardless of product line or service, virtually all major businesses today rely on computer networks to function,” said Worters. “But they need to recognize that network security risks are fundamentally different than traditional physical risks like fire. If a hacker or virus shuts down a network or destroys computer software or data, most businesses today have either limited or no coverage. Insurers have excluded these risks from standard commercial policies and are now offering stand-alone coverage. Whether your company conducts business over the Internet, stores customer data on servers or simply uses email, it is at risk.”

Specialized cyber-risk coverage is available primarily as a stand-alone policy. Each policy is tailored to the specific needs of a company, including the technology being used and the level of risk involved. Both first- and third-party coverages are available. 

Types of Coverage


  • Loss/Corruption of Data – Covers damage to, or destruction of, valuable information assets as a result of viruses, malicious code and Trojan horses.
  • Business Interruption – Covers loss of business income as a result of an attack on a company’s network that limits the ability to conduct business, such as a denial-of-service computer attack. Coverage also includes extra expenses, forensic expenses and dependent business interruption.
  • Liability – Covers defense costs, settlements, judgments and, sometimes, punitive damages incurred by a company as a result of:
      - Breach of privacy due to theft of data (such as credit cards, financial or health related data);
      - Transmission of a computer virus or other liabilities resulting from a computer attack, which causes financial loss to third parties;
      - Failure of security which causes network systems to be unavailable to third parties;
      - Rendering of Internet Professional Services; and
      - Allegations of copyright or trademark infringement, libel, slander, defamation or other “media” activities in the company’s Web site, such as postings by visitors on bulletin boards and in chat rooms. This also covers liabilities associated with banner ads for other businesses located on the site.
  • Cyber Extortion – Covers the “settlement” of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
  • Crisis Management – Covers the costs to retain public relations assistance or advertising to rebuild a company’s reputation after an incident. Coverage is also available for the cost of notifying consumers of a release of private information, as well as the cost of providing credit-monitoring or other remediation services in the event of a covered incident.
  • Criminal Rewards – Covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of a cyber criminal who has attacked a company’s computer systems.
  • Identity Theft – Provides access to an identity theft call center in the event of stolen customer or employee personal information.

What Does Cyber Insurance Cost?

Depending on the policy, coverage can apply to both internally and externally launched attacks, as well as viruses that are specifically targeted against the insured or widely distributed across the Internet. Premiums can range from a few thousand dollars for base coverage for small businesses (less than $10 million in revenue) to several hundred thousand dollars for major corporations desiring comprehensive coverage. As part of the application process, some carriers offer an online and/or on-site security assessment free of charge regardless of whether the applicant purchases the insurance. This is helpful to the underwriting process and also provides extremely valuable analysis and information to the company’s chief technology officer, risk manager and other senior executives. “Companies spend billions of dollars annually setting up firewalls, buying anti-virus software but that’s not enough,” noted Worters. “Purchasing cyber insurance is another layer of protection to safeguard your business.” 



Published by:
Insurance Information Institute (iii)
http://www.iii.org