Oct 28, 2015
How to Mitigate the Threat of Cyber Extortion
For years there’s been an increase in cyber security issues. It’s hard to go a single day without reading a story about how companies large and small are threatened by cyber risks. As a matter of fact, Graham recently released survey findings showing that cyber security risks are one of the top business threats keeping companies up at night.
While many of us are familiar with hacking, it’s quickly being elevated to a whole new level through the increased prevalence of cyber extortion threats. If you’re unfamiliar with how cyber extortion works, let me explain. It’s the process where cyber criminals deny user access to an organization’s website, network or computer to extort payment in exchange for renewed access. This is a frightening proposition, and what’s even scarier is that companies aren’t doing enough to protect themselves from these threats.
As of late there’s been an increase in cyber criminals using ransomware because it allows them to encrypt data on a server or computer and deny service to the device until the victim makes payment for a “key” to unlock their data or files. While cyber liability insurance policies are available to combat this risk, there are certain broad exclusions you should be aware of so your company is protected if a cyber criminal should attack.
Whether you’re a law firm, a manufacturer or a retail store, you’re at risk and need to take the right precautions to prevent or mitigate the risk associated with cyber extortion threats. A good IT team is always working to stay ahead of the curve and implement the best and most sophisticated cyber protection strategies available, but sometimes it’s not enough.
Combatting Cyber Extortion Threats
You might be wondering: What can my business do to combat this risk? The first step is to develop a robust risk management assessment aimed at uncovering the coverage gaps in your existing insurance program. General liability policies tend to be the industry standard; they cover things like bodily injury and property damage arising out of an insured’s operations, products or premises, as well as personal and advertising injury.
However, these policies were never intended to provide coverage for liability and first party notification expenses resulting from the disclosure of sensitive personal information. Only recently have insurance carriers begun adding exclusionary endorsements to ensure that their policy language doesn’t provide coverage for any of these potential claims.
The good news is that the insurance industry is tackling this issue head-on, and has already developed new cyber liability policies whose structure resembles a standard business automobile policy. In other words, the policy provides coverage for both third-party liability claims against the insured and first-party claims the insured makes against their own policy.
Four Things to Contemplate when Evaluating Cyber Liability Coverage
However, just getting your company any “off-the-shelf” cyber liability policy will not do the job. There are exceptions in those standard policies you need to be aware of, and here are four things to contemplate when evaluating coverage for your company:
- Failure to Encrypt Exclusions
Do not accept a policy that includes a “failure to encrypt” exclusion. You should consider encrypting data anyway to better protect your business from a breach, but you do not need to buy a policy that will exclude coverage for loss of unencrypted data.
- Business Interruption
Many carriers include the option to purchase business interruption coverage for lost revenue due to your computer system being shut down. You need to understand whether your policy provides this coverage; many will not include it automatically.
- Governmental Fines and Penalties
A large exposure for most companies is the potential legal action brought by the Office of the Attorney General, the Office of Civil Rights, and the Department of Health and Human Services, among others. A policy that fails to provide at least defense cost coverage, or coverage for fines and penalties, can leave a gap in protection.
- Be Aware of Your Data Vendor
When a company entrusts data to a third-party vendor (e.g., a third-party processor or cloud provider) and the breach occurs on the vendor’s system, you’d like to be protected for vicarious liability by your cyber policy. However, some cyber liability carriers include exclusionary endorsements to take this coverage away.
As technology continues to evolve and cyber criminals become more skilled, it’s not a question of if your company will be hacked, but when it will occur. This means that in addition to a strong IT department you need to adopt a cyber liability policy to further insulate your company from cyber extortion. But to make sure your policy is structured properly and that you have the coverage you need, make sure to enlist the help of your insurance broker.