[BreachExchange] Computer Attacks Underscore Need for Cyber Insurance

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 28 19:21:04 EDT 2017


https://www.memphisdailynews.com/news/2017/aug/26/corporate-data-breaches-underscore-need-for-cyber-insurance-coverage/

The cyberattack that hit FedEx subsidiary TNT Express in June, temporarily
disrupting the company’s worldwide information systems, was a reminder
about the fragility of digital systems that Herb Davis didn’t need.

Among the facts that emerged after the Petya ransomware virus entered the
TNT system through the company’s Ukrainian operations and then spread to
the whole system was that FedEx didn’t have any kind of cyber
insurance plan to cover the attack. Smith, a vice president with
Smith-Berclair Insurance in Memphis, has been writing such policies for
years and wishes more companies – especially small businesses that don’t
have the deep pockets of a company the size of FedEx – would decide to use
them to proactively protect themselves.

The benefits of such plans typically include things like covering a
business’s liability when its systems are breached, leaving the personal
information of customers exposed and vulnerable to electronic theft.

Meanwhile, despite the barrage of headlines about attacks and data breaches
across the corporate landscape, Smith said he still finds too many
companies with dangerous misconceptions about what they need to know – one
of the most common being that they’re “too small” to get attacked.

“Many small businesses think that because they’re not Blue Cross or Home
Depot or Target, that they’re too small to bother with it,” Smith said.
“And that’s not true. Criminals like to go after the low-hanging fruit. And
small businesses represent the low-hanging fruit.”

Smith says the first standalone cyber policy he wrote was for a law firm
that practices family law, including a lot of divorce cases.

“I was talking to the managing partner, and I said, ‘Tell me, what kind of
financial information do you have on your clients?’” Smith said. “She
rolled her eyes and said, ‘We have everything. Their social security
numbers. All their bank account numbers. All their investment numbers.
Driver’s licenses. Everything.’”

That “everything,” of course, being a target-rich environment of personal,
identifying information that cyber-crooks could use to wreak havoc on not
just a small business, but the lives of its clients. And what likely comes
as no surprise: the frequency and severity of such attacks are expected to
only get worse with time.

Charmy Shrode, vice president of underwriting for Tennessee-based insurer
SVMIC, points to forecasts that suggest health care organizations will soon
be the sector most targeted by cyber criminals.

“As a physician-owned mutual insurance company providing medical
malpractice insurance to the majority of Tennessee’s physicians, SVMIC
understands this risk and the concern it creates among health care
providers, as well as patients,” Shrode said. “To help our policyholders
address this risk, we collaborated with NAS, a leading provider of cyber
coverage, to offer a limited cyber benefit to our physicians.”

Shrode says the company also encourages all health care providers to assess
the risks in their practice and buy additional supplementary cyber coverage
as needed.

In terms of the kinds of coverage that are out there, Lipscomb Pitts
Insurance senior vice president Sonya Dunn said her firm works with many
carriers offering products that can respond to the different needs of
clients.

The policies, she explains, are generally written to cover things like the
expenses, damages, regulatory fines and penalties that occur with a
cyber-related event or privacy breach.

“Recently, some clients were struck by the Petya ransomware attack where
their computer systems were locked down until they paid the extortion in
the form of bitcoin demanded by the culprits, or either restored their
systems to their latest unaffected backup,” she said. “Coverage for this
type of event is provided by cyber extortion or network extortion clauses
added to a cyber policy.

“Security event costs or notification costs cover the expenses related to a
privacy breach. These expenses can include mailing costs for notices,
credit protection, computer forensic costs, as well as public relations
costs to protect the insured’s brand and reputation. … The coverage forms
from the carriers are not standardized, so each one should be reviewed and
compared to find the best policy for the customer.”

Another benefit her firm provides clients is online training resources for
their employees to teach them practical steps to avoid risk. She adds that
along with the purchase of coverage, many carriers also offer cyber
security training, best practices guidelines, risk assessments, incident
response planning, as well as newsletters and support hotlines.

Still, the misconception that small businesses need to disabuse themselves
of is that it can’t happen to them.

“There are people out there,” Smith stresses, “especially hackers operating
out of Eastern Europe, China, who are constantly trolling, looking to find
breaches and get private information.”