In today’s world, chances are good that your business uses computers, phones, or tablets to store information. But have you considered the fact that business plans, financial records, and confidential customer information being stored on electronic devices in any capacity make your business susceptible to cyber-attacks?
While the biggest cyber-crimes, such as WannaCry or the Equifax breach, make headline news, smaller cyber events are happening every day. In the past year alone, 53% of U.S. businesses have been hacked by cyber-attacks, according to a study released by The Hartford Steam Boiler Inspection and Insurance Company (HSB). Of those businesses, 72% spent over $5,000 to investigate and deal with the consequences of the attack, while the remaining 38% had to spend more than $50,000 in the aftermath.
Given the increasing number of cyber-attacks on businesses of all sizes, and the substantial cost associated with these attacks, cyber insurance is becoming increasingly important to help businesses recover. However, you don’t have to wait until something has already happened to take action. Here are four components of cyber risk management that your business needs to protect itself.
Develop Strategies to Prevent a Data Breach
Analyze your cyber risks from three different perspectives: technology, people, and processes. This risk assessment will give you a clear picture of potential holes in your security.
Technology: Your data breach prevention strategies may include encrypting all devices used by your employees, such as laptops, tablets, and smartphones. Encrypting these devices will prevent unauthorized access if a device is lost or stolen. Unencrypted devices are often not covered by a cyber liability policy. Consider firewalls for servers and networks, or restricting access to suspicious websites.
People: Educate your employees on data security practices and current phishing scams. Send frequent reminders to not click on anything that seems suspicious, too good to be true, or uncharacteristic of the sender. Consider the employees that have access to server rooms or other valuable data, and make sure these areas are not accessible to the general public.
Processes: Technology has a tendency to evolve faster than the rules governing it and the procedures involving it. Evaluate the way you collect, store, or transmit sensitive financial or customer data. Make sure your vendors are compliant with the latest cybersecurity recommendations.
Revisit and revise your plan regularly, because new risks arise often, sometimes even daily.
Know Your Disclosure Responsibilities
If you experience a data breach, you may be legally required to notify certain people. If your company is publicly traded, guidelines issued by the Securities and Exchange Commission (SEC) make it clear that you must report cybersecurity incidents to stockholders — even when your company is only at risk of an incident.
The SEC advises timely, comprehensive and accurate disclosure of risks and events that would be important for an investor or client to know. It’s important to evaluate what information and how much detail should be released. Notifying a broad base when it is not required could cause unnecessary concern for those who have not been affected by the breach.
Smaller, privately held companies will likely still be required to investigate, notify, and potentially offer reparations (such as credit or identity theft monitoring) after a breach. Consult a reputable legal authority with experience in cyber-crime to help guide you.
In some extreme cases, a data breach may require you to go further than just assessing and disclosing the information. You may have to destroy or alter data depending on its sensitivity.
Your Crisis Management and Response Plan
Preparedness is key when developing your cyber crisis management program. When you experience a data breach, you need to be prepared to respond quickly and appropriately, as time is of the essence.
Determine when and how the breach occurred, what information was obtained and how many individuals were affected. Then assess the risks you and your clients face because of the data breach, and how you will mitigate those risks.
When communicating with your employees and customers, be genuine and clear while letting them know what actions you are taking, but be cautious to not overshare. Focus on improving future actions, and how you can immediately assist your clients, to help restore good faith.
Work with your legal advisors, risk managers, and IT department to create and refine your plan on a regular basis.
Protect Your Data — and Your Business — With Cyber Liability Insurance
Even the most prepared and secure businesses can fall victim to a cyber-attack, which is why it is crucial to have cyber liability insurance.
Cyber liability insurance is specifically designed to address the risks that come with using modern technology. The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure.
Some examples of how cyber liability insurance can help protect your business:
Providing liability coverage for breach of confidential information
Help cover costs relating to information breach, including but not limited to:
Consumer notification of data breach
Customer support and services offered to help affected individuals protect themselves (e.g. free credit report monitoring)
Cost of experts needed to assess the extent of data breach/corruption
Legal costs associated with regulatory investigation and expenses imposed for data breach by regulatory entities
Cost of a Public Relations agency needed to repair reputational damage where applicable
Costs of restoring corrupted or stolen data
Supplement loss of income associated with business downtime due to a data breach and interruption of normal business activities
Personal injury and advertising exposure (e.g. damage to one's reputation because of social media hacking)
Reimburse direct costs of an act of cyber extortion, cyber deception or cyber terrorism
Your cyber liability insurance policy can be tailored to fit the unique needs of your business. Consult an experienced member of our Commercial Lines team by reaching out to email@example.com or by calling (800) 333-7234. We also invite you to learn more about the services we provide at www.easterninsurance.com.