The SCORE 2016 Issue 1 | Page 32

Cyber Risk in an Online World
by Sylvia Menetre

It is quite common today to hear and see reports of data breaches from businesses and organizations you assumed had sophisticated systems, the experts and the technology to safeguard their (and your) online data. The lesson here is that even with world-class technology and expertise, your business is still at risk in our increasingly online world.

What many businesses don’t realize until it is too late is the number of risks they need to consider. Even if you are a small- or medium-sized business (SMB), you are at significant risk of being hacked. In fact, your business may even be a more likely target because SMBs’ system security and capabilities tend to be less extensive than those of larger businesses. Don’t be fooled into thinking your business’ data is not attractive to cyber thieves.

In a recent article, Steve Haase, president of INSUREtrust, a cyber-insurance firm, cited a Ponemon Institute 2013 survey that found 55 percent of SMBs had experienced a data breach. Haase went on to say, “Every business has confidential information on employees, if not customers, that hackers can sell on the black market … SMBs in the retail space have even more post-breach headaches than their non-merchant peers, because retailers are subject not just to fines and penalties of government agencies, but also those of the payment card industry (PCI).”

In response to the cyber threats businesses and other organizations face, the insurance industry has been developing risk management products that deal with these new challenges. In the early days of cyber insurance, which date back to 1997, the policies were strictly written to respond to the third-party liability of a network security breach. As risks became more apparent, the coverage has evolved.
Many policies now include regulatory penalties, PCI penalties, extortion demands and website media liability (including social networking exposure), as well as business expenses for crisis management including legal, forensics, call centers and notification costs, etc. Coverage can even be expanded to include business interruption and data restoration.

Originally, technology companies were the first to be considered highly vulnerable to these risks due to their online presence and related exposures. The risk quickly expanded to many other types of businesses with large amounts of personally identifiable information (PII) such as hospitals and universities. Now, it seems any company is a target for a breach. If you use email, you may be the target of a “spear phishing” attack and receive a fraudulent email that appears to be from a trusted source. The aim of the attack is to convince you to unwittingly give your data to the bad guys.

Some businesses believe their risk is managed since they have general liability coverage. But, if you have a website, you are exposed because a general liability policy excludes website media under advertising liability. Many professional classes of businesses, such as law firms, have relied on their Errors & Omissions coverage in a belief it will address a network secu