Cyber Risk in an Online World
by Sylvia Menetre
2016 Issue 1 | THE SCORE
It is quite common today to hear and see reports of data
breaches from businesses and organizations you assumed
had sophisticated systems, the experts and the technology to
safeguard their (and your) online data. The lesson here is that even
with world-class technology and expertise, your business is still
at risk in our increasingly online world.
What many businesses don’t realize until it is too late is
the number of risks they need to consider. Even if you are a
small- or medium-sized business (SMB), you are at significant
risk of being hacked. In fact, your business may even be a more
likely target because SMBs’ system security and capabilities tend
to be less extensive than those of larger businesses. Don’t be fooled into
thinking your business’ data is not attractive to cyber thieves.
In a recent article, Steve Haase, president of INSUREtrust, a
cyber-insurance firm, cited a Ponemon Institute 2013 survey that
found 55 percent of SMBs had experienced a data breach.
Haase went on to say, “Every business has confidential
information on employees, if not customers, that hackers can sell
on the black market … SMBs in the retail space have even more
post-breach headaches than their non-merchant peers, because
retailers are subject not just to fines and penalties of government
agencies, but also those of the payment card industry (PCI).”
In response to the cyber threats businesses and other organizations face, the insurance industry has been developing risk
management products that deal with these new challenges. In
the early days of cyber insurance, which date back to 1997, the
policies were strictly written to respond to the third-party liability
of a network security breach. As risks became more apparent, the
coverage has evolved.
Many policies now include regulatory penalties, PCI
penalties, extortion demands and website
media liability (including social networking
exposure), as well as business expenses for
crisis management including legal, forensics, call centers and notification costs, etc.
Coverage can even be expanded to include
business interruption and data restoration.
Originally, technology companies were the first to be
considered highly vulnerable to these risks due to their online
presence and related exposures. The risk quickly expanded to
many other types of businesses with large amounts of personally
identifiable information (PII) such as hospitals and universities. Now, it seems any company is a target for a breach. If you
use email, you may be the target of a “spear phishing” attack
and receive a fraudulent email that appears to be from a trusted
source. The aim of the attack is to convince you to unwittingly
give your data to the bad guys.
Some businesses believe their risk is managed since they
have general liability coverage. But, if you have a website, you
are exposed because a general liability policy excludes website
media under advertising liability. Many professional classes
of businesses, such as law firms, have relied on their Errors &
Omissions coverage in a belief it will address a network secu