[Related: Cyber risk: It’s personal]

1. Breach exposure

Issue: A major source of cyber loss continues to arise from unauthorized corporate network breaches.

Example: Exploiting a then-unknown gap in an insured’s IT network, cyber criminals gained access to sensitive customer data that constituted personally identifiable information (PII) and personal health information (PHI). The potential breach required that about 18,000 customers spread across 22 states (all requiring specific notice parameters) be notified and have their credit monitored.

Solution: Because this client had the proper risk management plan in place, the crisis management team was able to quickly notify affected customers and provide credit monitoring services for a year. Also, because the risk management plan included cyber/privacy cover, the cost of notification and credit monitoring—totaling $255,000—was covered after the policy retention was met.

Companies need to first assess their vulnerabilities and then look into evaluating the right cyber and privacy liability plan based upon the results of those assessments. Cyber liability is associated with electronic systems, the Internet, network access and the network security systems of an organization. Privacy liability is associated with privacy issues, specifically the unauthorized dissemination of information or lack of protection for or release of PII such as credit card information and Social Security numbers.

Nearly every organization is exposed to cyber and privacy liability, but especially one that does business online, accepts credit card payments, manages a network, or possesses any form of PII relating to clients or employees. Short-term cyber or privacy crisis solutions include coverage for notification expenses, credit monitoring and crisis management. Long-term cyber or privacy crisis solutions include coverage for defense and damages along with business revenue protection.

(Photo: Shutterstock/pichetw)

2. Hacking Event

Issue: Hardly a week goes by without news of organized criminals accessing systems to inflict financial or reputational damage—or both—on organizations.

Example: A Midwest furniture chain’s computer systems were attacked by “Backoff” malware, a virus that targets point-of-sale systems used throughout the retail industry. The furniture chain had to suspend operations for four days at five major store locations. Approximately 96 hours was spent on the data recovery efforts, costing the company $19,200. Meanwhile the business lost as a result of the partial shutdown of the store locations totaled $216,000.

Solution: As a result of securing the right coverage, the furniture company’s expenses, including business interruption, were covered in full, subject to the policy terms and conditions.

Businesses should review their existing polices with their agents and brokers to make sure they have best-in-class cyber coverage for hacking events. The cyber policy should include coverage for:

• business Interruption
• loss of income,
• data restoration
• brand/reputational management,
• defense and
• damages.

In addition, be sure you understand the clauses relating to coverage for forensic investigation and legal review in your cyber policy.

(Photo: Shutterstock/wk1003mike)

3. Social Engineering Exposures

Issue: Increasingly, social-engineering techniques are used to induce employees to break normal security procedures, leading to a dramatic rise in cyber security incidents and resulting financial losses. Social engineering is a non-technical method of intrusion used by hackers that relies on human mistakes. In many instances, it involves tricking people into breaking normal security procedures, typically using innocuous subject lines from contacts or company-generated emails.

Example: A scammer pretending to be the CEO of a financial services company emailed the firm’s director of treasury in an attempt to induce the transfer of money due to an emergency “transactional need.” The scam email claimed the funds were needed to complete an acquisition.

Solution: Fortunately for the company, a funds-transfer protocol was in place and the CEO was alerted, preventing a potentially costly fraud.

For this type of threat, it’s important to implement pre-and-post cyber incident best practices, and communicate cyber risk updates to employees in every area of your company, continually.

According to a recent cyber risk survey, 48% of large companies and 32% of companies of all sizes have experienced 25 or more social engineering attacks in the past two years. And 30% of all victims of social engineering cite an average per-incident cost of more than $100,000 to locate, remediate and protect against further losses from a successful social engineering attack.

Work with your agent or brokerage firm to ensure that your cyber policy contemplates Social Engineering attacks, including phishing and unauthorized electronic transfers, for example. In addition, educating your employees is a firm’s single best defense from a social engineering cyber attack. Ask your agent or broker about cyber webinars, training sessions and updates that can make your employees aware of the latest social engineering exposures seeking to trip them up.

(Photo: Shutterstock/Andrey Armyagov)

4. Cyber Extortion Risk

Issue: Cyber extortion, which involves a demand for money to avoid a cyber attack or release of confidential information, is on the rise. Although cyber breach and hacking are still the most common types of risks impacting companies today, cyber extortion is the fastest growing cyber threat. Organizations that have fallen victim to cyber extortion include Domino’s, Nokia and Code Spaces, many universities, and several police departments across the country. As a result, companies and organizations are paying out millions of dollars to cybercriminals for the safe recovery of stolen data or to avoid network harm.

Example: A manufacturing firm received an email stating that the functionality of its system was about to be compromised and unless $250,000 was sent to a particular email address/contact drop in one week, major parts of the firm’s network would be destroyed, including proprietary data.

Solution: Fortunately for the company, a strong cyber and privacy liability program was in place, and the cost of the ransom was covered. It’s critical to communicate cyber risk updates to employees in every aspect of the firm, however, so attacks such as this one are brought to the attention of management as soon as possible.

[Related: Managing manufacturing risk: Cyber enters the picture]

It’s no longer a matter of “if” but a question of “when” a company will be attacked. Therefore, understanding the true breadth of cyber threats and securing risk management solutions that backstop your company’s IT and other departments’ risks can provide critical financial protection from a cyber threat that is very real and growing. Your agent and broker can help you from risk assessment, to risk management, assuring the correct coverage for your organization and ensuring that you have the tools to effectively manage a cyber incident in case one occurs.

Paul King is USI’s vice president of management professional services (MPS) and is based in USI’s Dallas office. The MPS group leverages the USI ONE Advantage™ with prospects and clients across the country. USI ONE is a fundamentally different approach to risk management, integrating proprietary business analytics with a networked team of local and national experts in a team based consultative planning process to evaluate the client’s risk profile and identify targeted solutions to address those risks. To learn more about USI ONE, contact Paul at [email protected] or 214-443-3107. Visit the firm's website for more information.