By Sylvia Menetre
Cyber Risk in an Online World
It is quite common today to hear and see reports of data breaches from businesses and organizations you assumed had sophisticated systems, the experts, and the technology to safeguard their (and your) online data. The lesson here is even with world-class technology and expertise, your business is still at risk in our increasingly online world.
What many businesses don’t realize until it is too late, is the number of risks they need to consider. Even if you are a small or medium-sized business (SMB), you are at significant risk of being hacked. In fact, your business may even be a more likely target because SMBs’ system security and capabilities tend to be less extensive than larger businesses. Don’t be fooled into thinking your business’ data is not attractive to cyber thieves. In a recent article, Steve Haase, president of INSUREtrust, a cyber-insurance firm, cited a Ponemon Institute 2013 survey that found 55 percent of SMBs had experienced a data breach.
Haase went on to say, “Every business has confidential information on employees, if not customers, that hackers can sell on the black market . . . SMBs in the retail space have even more post-breach headaches than their non-merchant peers, because retailers are subject not just to fines and penalties of government agencies, but also those of the payment card industry (PCI).”
In response to the cyber threats businesses and other organizations face, the insurance industry has been developing risk management products that deal with these new challenges. In the early days of cyber insurance (which date back to 1997), the policies were strictly written to respond to the third-party liability of a network security breach. As risks became more apparent, the coverage has evolved. Many policies now include regulatory penalties, PCI penalties, extortion demands, website media liability (including social networking exposure) as well as business expenses for crisis management including legal, forensics, call centers, notification costs, etc. Coverage can even be expanded to include business interruption and data restoration.
Originally, technology companies were the first to be considered highly vulnerable to these risks due to their online presence and related exposures. The risk quickly expanded to many other types of businesses with large amounts of PII (personally identifiable information) such as hospitals and universities. Now, it seems any company is a target for a breach. If you use email, you may be the target of a “spear phishing” attack and receive a fraudulent email that appears to be from a trusted source. The aim of the attack is to convince you to unwittingly give your data to the bad guys. Some businesses believe their risk is managed since they have general liability coverage. But, if you have a website, you are exposed because a general liability policy excludes website media under advertising liability.
Many professional classes of businesses, such as law firms, have relied on their Errors & Omissions coverage in a belief it will address a network security breach. While there is the potential for some third-party coverage if related to the “failure to act as a professional,” this type of policy would not respond to all aspects of a security breach and offers no reimbursement of crisis management expenses.
Many businesses believe they are not responsible for a security breach if their data is in a “cloud” environment. In fact, the obligation to notify those with breached PII from a cloud environment lies with the owner of the data. The “cloud” may also make a breach more of a threat as the information is now part of a vast pool of highly desirable information. If a business has made a decision to transfer their data to an off-site provider, they are still responsible for notifying those affected and covering related expenses. Consider any type of outsourced vendor that has your corporate confidential data and PII, such as payroll service providers or accounting firms, as a risk.
These are issues all organizations are facing, even the most capable and tech-savvy. Still, businesses and particularly managers with responsibility for systems and network security deficiency, feel insuring for these risks means their capability is being called into question. It is now evident no network is totally secure. Managing your business’s cyber risk is just like managing property and casualty risk: you don’t want a breach to happen; you plan to avoid it, but your business is far better off if you’ve prepared.
The good news is the costs can be mitigated with a broker partner to help you manage your cyber risk. First, the insurance industry has brought many products and coverage options to the market. In fact, their effort to address the issues has created a buyer’s market. The cost of coverage is small in comparison to property and casualty coverage. More importantly, with the proper guidance, the process of anticipating your risk areas helps you in two ways. One, it identifies where the risks lie. If the risks are identified, you can improve operational management and reduce the risk. Two, with the risks identified you can structure coverage that mitigates your risk, but doesn’t overburden you with unnecessary cost.
Start the process now. Think through your cyber challenges and work with your BB&T Insurance Services broker to create a plan to manage your risk in an online world. Your BB&T Wealth advisor can connect you with a BB&T Insurance Services broker if you do not already have one.
About the Author
Vice President, BB&T Insurance Services
Sylvia has more than 25 years of experience in agency account management, production, marketing and corporate risk management. She focuses on cyber coverage including network security liability, privacy, website media and related crisis management. Sylvia earned a bachelor’s degree from the University of Georgia and won the Cyber Risk Management Leadership award from Insuretrust in 2014.