145.5 million U.S. consumers were affected – nearly half of the population – after a data breach at Equifax in September.[1] With the sudden, dramatic rise of data breaches across the globe, cybersecurity is at the forefront of insurance industry discussions. Nearly all companies today operate with an online component, and even the strongest cybersecurity systems can be hacked. Risks, threats, and legal expectations are constantly evolving, making it difficult for organizations to know if they are taking the right measures to properly protect their businesses.
Brokers and agents should discuss Cyber Liability insurance and cybersecurity best practices with clients to ensure they have the necessary coverage to survive an attack. Insurance Market Source connected with Michael Schultz, Senior Broker, Professional Liability, Center of Excellence, Burns & Wilcox to provide brokers with ten tips to better prepare and defend a client’s business against a data breach.
1. Cyber Liability insurance
Having a tailored Cyber Liability policy is no longer a nice-to-have; it is an imperative for all businesses. These policies cover the costs resulting from a data breach, including coverage for: third party claims and first party responsibilities, forensics, notification, credit protection, public relations and crisis management, business interruption, cyber extortion, media liability, and regulatory penalty costs.
Cyber Liability policies are highly customized and are based upon a company’s individual exposures. Working with a cybersecurity insurance expert who understands these policies is a must, as keeping up to date on trends, litigation and changes by state in this space takes daily monitoring.
2. Set up a secure configuration and limit access
Updating passwords regularly is a necessity. It is also important to set secure guest passwords, and to not use default passwords on routers, computers, and other devices. Additionally, the number of individuals who are given access to data and functions within a company’s system should be limited. Executives may need to access certain files, but not all. IT should section off certain portions of the systems so that not every individual has unlimited access.
3. Patch management
Not installing patches is the equivalent of leaving the doors of a warehouse wide open. A May 2017 cyberattack called WannaCry infiltrated more than 230,000 computers running Windows after users failed to install a patch from two months prior. However, even when a company installs its own patches, its vendors may still be vulnerable, so it is vital that there is a process in place for vendor security at all endpoints.
4. Commercial-grade antivirus software
While some may think it is not needed in this day and age, commercial-grade antivirus and anti-malware software with a firewall is imperative. Standard built-in antivirus systems do not catch everything.
5. Regular data backups
With ransomware attacks at epic levels, regular data backups can prevent the loss of all data. If backups are performed and a ransomware attack occurs, simply unplug the infected computer and then restore the last backup. For a Cyber Liability submission, underwriters will ask for backup policies.
6. Centralized log collection
Keeping a log of what is going on in the network will expedite investigations during a breach, helping forensic investigators. At the very least, a log of everyone accessing a system creates a trail for investigative teams to follow. If a breach occurs and there is no centralized log, a company may have to notify every individual it has ever kept records on. On the other side of the coin, with centralized log collection, the list of notifications may be significantly shorter.
7. Disaster recovery plan
A disaster recovery plan features many of the aforementioned tips, but it is equally important. This is a documented process with procedures to recover data after a loss. Following a detailed, organized plan will only speed up the process during very stressful times such as a data breach.
8. Encryption of data
Encryption is critical because it makes it much more difficult for hackers to read data after a system is accessed. To access encrypted data, a code will have to be cracked. In public places, like a coffee shop for instance, mobile devices and laptops are prime targets. Encryption will make it harder to access sensitive data, and companies need to ensure that any device accessing their system is encrypted.
9. Compliance with regulations
Industry regulations and standards like HIPAA (Health Insurance Portability and Accountability Act of 1996) and PCI DSS (Payment Card Industry Data Security Standard) are in place to protect the public. Companies can be fined for not being in compliance, and the ramifications for a data breach during non-compliance can be significant in terms of financial harm and brand damage.
10. Active employee cybersecurity training
Scheduling mandatory best practices sessions with all employees on the above points will further emphasize the critical nature of company data and remind associates how to properly protect information.
Data breaches are occurring with increasing severity and frequency, making protection for businesses more of a necessity now than ever before. In fact, the number of breaches increased 13 percent during the first half of 2017 over the last half of 2016.[2] Brokers and agents should share these tips with their clients and ensure they are prepared with coverage uniquely designed to safeguard against today’s growing risks.