Does your business have a cyber security plan in place?
If you are like most business owners, you hear about cyber breaches and ransomware stories in the news but have no plans to do anything about it. Over 50% of US firms do not carry cyber risk insurance, and nearly a third have no plans to purchase coverage. As discussed in a previous post, many business owners either assume they are covered by their business owner’s policy or are unaware that their general liability policy does not provide coverage. With the frequency of attacks on the rise, now is a good time to address some different ways to protect your business.
A cyber insurance policy is designed to cover both first-party and third-party losses arising from your business’s negligence. When people think of a data breach, they imagine a scenario in which customers’ or employees’ information is compromised. At a cost of $220 per record stolen in the US, you can see how the cost of a breach can easily add up.
First-party costs that contribute to the per-record cost include: forensic investigation, legal advice, compliance with state-specific notification requirements, public relations and business interruption. Third-party costs include: legal defense, costs of legal settlements, subrogation costs from credit card companies and the cost of ongoing credit monitoring.
Cyber security risk management strategy
Any good risk manager, including your independent agent, will tell you that insurance is not always the answer. Insurance is a form of risk transfer that is best utilized for low-frequency high-severity risks. In our cyber scenario, a policy is not going to respond to a single laptop damaged by malicious software. However, it will respond to the liability arising from the personal information that is on a lost laptop if it were to fall into the wrong hands.
Below are a few risk management strategies that you should consider while assessing your cyber security:
Cyber Risk Retention
Retention of any risk is never a good strategy unless you make a conscious decision to do so and you have a plan in place to respond if a loss were to occur. Unknowingly retaining a risk is not a strategy, and not having a plan or the resources to respond to an incident is not self-insurance; it is no insurance. Even if you feel as though you have a rock-solid firewall and a full-time IT staff that is consistently backing up your data, you should still look into purchasing an insurance policy. If you choose not to, it would be wise to set aside a significant amount of money in your budget that you can use to respond to a claim when it occurs.
Cyber Risk Control
Controlling your cyber risk is always a best practice for your business: keeping your software up to date, using proper firewalls and anti-virus software, backing up your data, using email encryption, regularly updating your passwords, and developing procedures for the handling of sensitive information can all reduce your risk exposure. Many breaches occur because of easily addressed issues, such as the failure to install a critical update.
A good strategy is to develop a yearly technology budget and make sure you stick to it. Be sure to designate funds to update your hardware and software, hire a reputable IT staff and/or vendor, and set aside a percentage of those funds for cyber insurance. Often, the controls you put in place for your own security will qualify you for discounts on your cyber policy. It is important to balance your expenses to provide a mix of risk control and risk transfer.
Cyber Risk Transfer
As discussed above, risk transfer generally refers to purchasing insurance and transferring the financial risk to a third party – the insurance company. And, while putting the proper controls in place can qualify you for premium discounts, risk control should not be a complete substitute for risk transfer. While many data breaches occur because of a lack of proper controls, just as many occur because of human error.
Social engineering is a common strategy used by cyber criminals to gain access to your company’s sensitive information. “Spear-phishing” is a targeted attack on a specific individual or organization. Instead of sending blast emails posing as a lottery winner in Africa asking for your help, cyber criminals are now targeting specific individuals in your organization who have access to the information they are looking for. They will research their targets using social media and send a specific attack posing as a known contact using a similar email address. Once these attackers have the log-in credentials of an employee, any type of firewall or encryption you utilize will be worthless – they will just walk through the front door unnoticed.
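The “similar email address” trick above is something your mail filtering can look for on the way in. The following is an added example, not part of the original post or anything Shove Insurance uses: it keeps a small address book of known contacts (the names and addresses are constructed for the example) and flags an inbound sender that either borrows a known contact’s display name with a different address, or uses a domain that is only an edit or two away from a trusted one.

```python
"""Lookalike-sender check: flag inbound mail whose From header imitates a known contact.

Added illustration, not code from the original post. The address book, the
sample headers and the domains below are all constructed for the example.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed address book: display name -> verified address of that contact.
KNOWN_CONTACTS = {
    "Dana Shove": "dana@shoveinsurance.example",
    "Pat Miller": "pat.miller@acme-supply.example",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete or substitute one char)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    suspicious: bool
    reason: str


def check_sender(from_header: str, contacts=KNOWN_CONTACTS, max_distance: int = 2) -> Verdict:
    """Decide whether a From header looks like an impersonation of a known contact.

    max_distance is the largest edit distance at which two domains are treated as
    lookalikes; 2 is a constructed choice, not a figure from the post.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if not addr or "@" not in addr:
        return Verdict(True, "unparseable From address")
    domain = addr.rsplit("@", 1)[1]

    known_addrs = {a.lower() for a in contacts.values()}
    if addr in known_addrs:
        return Verdict(False, "exact match with a known contact address")

    # A known contact's display name on a different address is the classic lure.
    for known_name, known_addr in contacts.items():
        if name and name.strip().lower() == known_name.lower():
            return Verdict(True, f"display name matches {known_name} but address is not {known_addr}")

    # A domain that is nearly, but not exactly, a trusted domain.
    for known_addr in known_addrs:
        known_domain = known_addr.rsplit("@", 1)[1]
        if domain != known_domain and levenshtein(domain, known_domain) <= max_distance:
            return Verdict(True, f"domain {domain} resembles trusted domain {known_domain}")

    return Verdict(False, "no resemblance to a known contact")


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ('"Dana Shove" <dana@shoveinsurance.example>',
                '"Dana Shove" <dana.shove@webmail.example>',
                'Billing <billing@shoveinsurence.example>',
                'Newsletter <news@totally-different.example>'):
        v = check_sender(hdr)
        print(f"{'FLAG ' if v.suspicious else 'ok   '} {hdr}: {v.reason}")
```

A check like this is a flag for a human or a quarantine rule, not a verdict on its own: very short domains will collide at distance 2, so tune `max_distance` to your address book, and treat the display-name rule as the stronger signal.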
Cyber Risk Avoidance
Risk avoidance is becoming difficult as more and more companies move their operations to online and cloud-based platforms. Email is a required tool for almost every business, and even the most unlikely businesses now have an online presence. Avoiding all cyber risk exposure may be impossible, but there are some steps you can take to avoid some of the risks: creating “whitelists” is a good way to avoid malicious software. As opposed to “blacklists”, which are prohibited sites or software that your firewall blocks, “whitelists” are lists of approved websites or software that become the only available resources for your company. Instead of trying to figure out every bad website or piece of software that is out there and adding them to your blacklists, all you need to do is come up with a list of approved sites and software that your business needs to operate and make that list the only sites and software accessible on your company’s computers.
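To make the whitelist-versus-blacklist difference from the avoidance section concrete, here is an added example (not code from the original post) that applies both kinds of list to the same web requests. The approved and prohibited hosts are constructed for the example; the point it demonstrates is that a brand-new bad site nobody has blacklisted yet sails through a blacklist but is stopped by a whitelist, because the whitelist denies by default.

```python
"""Whitelist (allow by exception) versus blacklist (deny by exception) for web access.

Added illustration, not code from the original post. The host lists and the
URLs below are constructed; the post names no specific sites.
"""
from urllib.parse import urlsplit

# Constructed lists. Only APPROVED is needed for a whitelist; only PROHIBITED for a blacklist.
APPROVED = {"crm.example", "payroll-provider.example", "shoveinsurance.example"}
PROHIBITED = {"known-bad.example"}


def normalize_host(url_or_host: str) -> str:
    """Lower-case hostname without scheme, port, path or trailing dot."""
    if "://" in url_or_host:
        host = urlsplit(url_or_host).hostname or ""
    else:
        # Bare host, possibly with :port or /path appended.
        host = url_or_host.split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def matches(host: str, entry: str) -> bool:
    """True when host is entry itself or a subdomain of it (notcrm.example does not match crm.example)."""
    return host == entry or host.endswith("." + entry)


def whitelist_allows(url: str, approved: set = APPROVED) -> bool:
    """Default deny: only approved hosts and their subdomains pass."""
    host = normalize_host(url)
    return any(matches(host, e) for e in approved)


def blacklist_allows(url: str, prohibited: set = PROHIBITED) -> bool:
    """Default allow: anything not explicitly prohibited passes."""
    host = normalize_host(url)
    return not any(matches(host, e) for e in prohibited)


def compare(url: str) -> dict:
    """Both decisions for one request, so the difference is visible side by side."""
    return {"url": url, "whitelist": whitelist_allows(url), "blacklist": blacklist_allows(url)}


if __name__ == "__main__":
    # Constructed requests: a business tool, a known-bad site, and a site nobody has seen before.
    for u in ("https://www.crm.example/login",
              "http://cdn.known-bad.example/payload",
              "https://brand-new-site.example/download"):
        r = compare(u)
        print(f"{u:45} whitelist={'allow' if r['whitelist'] else 'deny '}  "
              f"blacklist={'allow' if r['blacklist'] else 'deny '}")
```

The cost of the whitelist approach is maintenance: every new vendor portal or software update source has to be added before staff can reach it, which is why the post pairs it with a list of what the business actually needs to operate.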