Understanding Cyber Liability Insurance
It’s been called one of the largest data breaches of all time.
The 2013 breach of Target’s customer data exposed 70 million customers and 40 million credit and debit cards to hackers. These hackers apparently had free access to Target’s entire network for days.
The thieves not only grabbed credit and debit card numbers, they got the corresponding 4-digit PINs as well. On top of that, they stole names, addresses, phone numbers, and email addresses of previous shoppers, regardless of the last time they had shopped at Target. That would allow them to do some real damage.
(You can read an interesting report on Krebs On Security about how Verizon security experts were asked to expose weaknesses in Target’s security, and found the thieves had nearly unfettered access to the entire system, from deli scales to self-scan cash registers to credit card payment systems.)
The Fallout after a Cyber Security incident
When a breach like this occurs, the merchant has several steps they’re supposed to take, depending on the state and federal laws, and industry regulations. First, they notify the authorities (in Target’s case, it was the FBI). Next, they’re supposed to notify all customers affected by the breach via snail mail. Finally, they’re supposed to provide one year of credit monitoring service.
Imagine the cost of sending a single letter in a single envelope with a single stamp multiplied by 70 million people. If you could do it for $.50 apiece, you were getting off cheap. In Target’s case, that’s $35 million just to tell people their personal information had been stolen.
This also means changing passwords for everyone in the company, and training them on proper password creation. In Target’s case, the Verizon security experts were able to crack 472,308 of Target’s 547,470 internal passwords (86 percent). This allowed them to access various internal networks within Target.com. This included the email network, stores network, and even the headquarters in Minneapolis.
There are all kinds of security changes and updates that have to take place as well. This means bringing in extra IT staff or outsourcing to a professional cyber security firm, as Target did.
The security experts also found many servers were missing critical Microsoft patches. Some were running outdated web server software, many with known vulnerabilities. According to Krebs On Security, the experts didn’t even need to know the login credentials to get in.
Needless to say, Target took immediate action. Krebs On Security said Target spent “hundreds of millions of dollars” to bring in new leaders, build teams of security experts, and even open a “cyber fusion center.”
Of Course, that Wasn’t the End of It.
Several banks lost millions of dollars when they were forced to reimburse customers who lost money. Not to mention the money they spent in replacing debit cards — Citibank replaced every debit card that was even remotely possibly included in the data theft.
As a result, Target was the victim of several multi-million dollar lawsuits. In March 2015, they settled a lawsuit filed by their customers for $10 million. In August 2015, they settled with Visa for $67 million. And in December that year, they settled a class action lawsuit with several U.S. banks and MasterCard for $39 million (after the banks originally rejected a $19 million deal).
Despite everyone’s best efforts, cyber theft and hacking aren’t going away anytime soon. We’ve got things like chips in our debit cards and chip readers at cashier stations, but adoption is slow. And people still aren’t being smart about their computer use, either at work or at home. That means anyone who accepts credit and debit cards and stores that information is vulnerable to data loss through cyber theft.
Cyber Security Issues are Becoming More Common
There have been approximately 6,430 data breaches between August 2005 and August 2016, with 878,880,440 records stolen in that time. And that’s just the financial and personal data. That doesn’t include attacks on websites and blogs to distribute malware, distributed denial of service (DDoS), and other cyber attacks.
Cyber security experts agree: the question is not whether your computer network gets hacked, it’s when it gets hacked. It’s going to happen eventually. The question is whether you have the proper security in place to reduce the damage. Is your data backed up securely and in more than one location (including an off-site location)?
And most importantly, do you have cyber liability insurance?
What is Cyber Liability Insurance?
Cyber liability insurance exists to protect your customers. It protects you in the sense that you’re not on the hook for millions of dollars. It also helps you respond if there is a data breach or data loss. So, in that sense, cyber liability insurance protects your customers. It helps you follow the law, helps you notify the customers, and helps to protect them from future fallout.
If you suffer from a data breach, even if it’s only 3,000 customers for a small ecommerce business, there are certain steps your insurance company will help you take in order to meet any state and federal laws. These can include the following:
- Covering the costs associated with notifying present and past clients. Even if you dealt with a customer on a single purchase, or you have their records on file, but haven’t seen them for several years, you still have to notify them.
- If their credit or debit card information, or their personal information like social security and driver’s license numbers, have been stolen, you have to pay for one year or more of credit monitoring with one or more credit reporting agencies.
- Fixing unforeseen issues that might exist. These can be in the millions of dollars, depending on the size of the breach and the legal and regulatory requirements.
- There are sometimes other requirements you have to follow, depending on your state, your type of business, and even the industry you work in.
You Are Not In It Alone
But rather than making you try to figure out everything that needs to be done, your insurance company will step in, hire the right vendor to handle everything, and they’ll notify your customers and manage the credit monitoring. This is typically not done in your office; the vendors do it out of their own office, unless they need direct access to your records.
Cyber liability together with your General Liability insurance can also cover loss of income if you’re the victim of a DDoS attack or hacking that brings down your network, website, or ecommerce store.
Who Needs Cyber Liability Insurance?
In short, nearly everyone needs it. If you do anything on the Internet, or do anything that uses a computer, you need it. The Internet is so vital to business today, it’s hard to imagine that as little as 10 years ago, it wasn’t a big concern to the industry. But now it’s in everything we do. Here are a few examples. If you:
- have an ecommerce site, whether you’re an online-only store, or have a bricks-and-mortar operation as well.
- have a computer network where you store people’s sensitive data.
- depend on your website for promotion, marketing, client communication, or any kind of data storage.
- have a restaurant with a back room credit card processing system.
- run a small coffee shop that uses an iPad and a Square credit card swipe device (https://squareup.com/).
- offer free wifi at your restaurant, coffee shop, public space, or office.
- have a digital copier in your office. (There are even rules and suggestions from the FTC on how to deal with digital copiers.)
- accept major credit cards and store brand credit cards, and run them through a point-of-sale system.
- store your customers’ bank information.
- store sensitive personal data, like names, addresses, phone numbers, social security numbers, and driver’s license numbers.
In short, if you have a computer for your business, you need cyber liability insurance. This includes attorneys, CPAs, mortgage lenders, Realtors, and so on. It includes medical professionals, health-care practices, nursing homes, and home health care companies.
Not Limited to Data Breaches
But data breaches are not the only thing you need protection against. There are other ways hackers can take over a website. They can put up a shell site over your own that looks like the original, and pretend to be your site, while collecting login information from your members and visitors. They can scrape the information from your website, create a copy, and have a nearly-similar web address. Then they’ll try to inject some code into your site, so when someone clicks a link, they’ll redirect to the fake site and hope the user won’t notice.
For example, if you had ABCShoes.com, a hacker could use ABCShocs.com (notice the C at the end of Shocs) as their redirect site. And if your customers don’t pay close attention to their address bar, they might think they’re on the same website, and enter their credit card information for a purchase. The thief is then able to use the credit card or sell it to other hackers and thieves.
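The look-alike domain in the paragraph above is something a defender can screen for mechanically: take the brand names you own, and flag any observed domain whose registrable label is within a small edit distance of one of them, or identical to it under a different top-level domain. The following is an added example, not code from the original article; it uses the article’s ABCShoes.com / ABCShocs.com example as the brand, and the list of observed domains is constructed sample data standing in for what you might pull from web-proxy or referrer logs.

```python
"""Flag look-alike (typosquat) domains against a list of brand domains.

Added illustration. 'abcshoes.com' is the article's example brand; the
OBSERVED list is constructed sample data, not real observations.
"""

# Brands you own (assumption: the article's example company).
PROTECTED = ["abcshoes.com"]

# Constructed sample: domains seen in, say, outbound proxy or referrer logs.
OBSERVED = [
    "abcshoes.com",
    "www.abcshoes.com",
    "abcshocs.com",      # the article's example: 'e' swapped for 'c'
    "abc-shoes.net",     # same label with a hyphen, different TLD
    "abcshoes.co",       # same label, truncated TLD
    "example.org",
    "abcshoess.com",     # one extra character
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Lower-case, drop a leading 'www.', drop the TLD, drop hyphens.

    Deliberately naive: it assumes a single-label TLD and does not consult
    the public suffix list, so 'example.co.uk' would yield 'example.co'.
    """
    d = domain.lower().strip(".")
    if d.startswith("www."):
        d = d[4:]
    label = d.rsplit(".", 1)[0] if "." in d else d
    return label.replace("-", "")


def find_lookalikes(observed, protected=PROTECTED, max_distance=2):
    """Return (observed_domain, brand, distance) for every observed domain
    that is not one of ours but sits within max_distance edits of a brand."""
    hits = []
    for dom in observed:
        base = dom.lower().strip(".")
        if base.startswith("www."):
            base = base[4:]
        if base in protected:
            continue  # our own domain, nothing to flag
        label = registrable_label(base)
        for brand in protected:
            dist = levenshtein(label, registrable_label(brand))
            if dist <= max_distance:
                hits.append((dom, brand, dist))
    return hits


if __name__ == "__main__":
    for dom, brand, dist in find_lookalikes(OBSERVED):
        print(f"{dom:<18} looks like {brand} (edit distance {dist})")
```

A distance of 0 means the same label under a different TLD or with hyphens inserted, which is as worth a look as a one-letter swap; raise max_distance for short brand names with care, since very short labels collide with many innocent domains.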
In the B2B world, such as manufacturers and distributors, if your work depends on the proper functioning of your computer network — storing financial and customer information, specs on your products, proposals and operating instructions, etc. — your data is valuable to competitors, including overseas manufacturers who might want to pirate your technology.
There’s also pure link hijacking, because you registered with a fly-by-night web host or domain registrar (the place where you buy your domain names, like GoDaddy). One friend’s website was hijacked in a way that when a visitor clicked three links on his website, they would be redirected to a black market Russian pharmaceutical website. In other cases, these hackers might target all the buy/checkout buttons, and redirect users to a fake page on their site to capture credit card information.
Even in a retail business, like clothing or shoes, you may think you’re safe because you don’t store credit card information, because that’s all kept on the credit card processor’s site. Or you may be PCI compliant (a set of security standards to ensure any company that accepts and stores credit card information maintains its security), but that doesn’t make you safe. Even Target was PCI compliant when they were hacked.
Hackers will often target PCI compliant companies, because they may not have strong security elsewhere. Once the hackers are inside a network, they can look around until they find their way to the store credit card information.
And finally, hackers can even try to attack the space between the credit card machine and the processor, intercepting the data as it travels through the phone lines. If that’s not secure or encrypted, there’s still plenty of danger.
Basically, if you work in a cash or check-only business, like a small building contractor, you can probably get by without it. Otherwise, you need cyber liability insurance.
But if you’re not sure, please ask your insurance professional about it.
What Does Cyber Liability Cover?
We’ve already covered data breaches and theft due to hacking, but there’s a lot more to it. Cyber liability insurance will also cover costs associated with notifying your customers, monitoring their credit for one year or more, and any other surprise incidental costs associated with your state, federal, and even industry-related laws and regulations (such as HIPAA issues for a healthcare business).
It can cover the business income side of things when a website or network goes down. Let’s say your company does all its business online, and something happens to your ecommerce server. It doesn’t have to be malicious cyber activity, it could be that the web host suffered a fire or storm-related blackout. Regardless, your company is losing revenue because of the site loss.
That’s when the business income section of your cyber liability or general liability insurance kicks in. It will trigger after 48 – 72 hours of downtime, and cover the income you’ve lost during that downtime. When the electricity went out in New York City during Hurricane Sandy, a lot of companies were covered by their business income coverage.
Of course, this is also why you should work with an external web host, because they usually offer a 99.99 percent uptime guarantee, and will do everything they can to be up as soon as possible. But if you sell thousands of dollars per day, you don’t want to fall in that .01 percent for several days.
It can also cover data that’s lost in a fire or physical theft. This kind of thing is typically covered in general coverage, but can be expanded and customized to fit some needs of special data and other valuable information a company might own.
Previously, businesses stored their backup data on in-house servers, or on CD backups stored in someone’s desk drawer. But that had the potential of being lost in a fire or flood. (And many people discovered they hadn’t done their backups correctly when they went to restore their lost data.) So security and disaster recovery experts recommend storing backups offsite, and even in the cloud.
As a result, cyber liability insurance policies have expanded to also cover cloud-based backups or offsite locations. In the beginning, policies focused on customer-specific information (banking information, personal information, credit cards, credit history), but coverage has expanded. Now it can cover other forms of data, like financial records and other financial information.
The coverage can even extend to businesses that might go out of business because of data loss. (The fact that this can even happen reinforces a very strong argument for having more than one backup method of data, including an offsite location and a cloud-based location.)
Are There Limitations to the Scope of Cyber Liability Insurance?
Of course, all of these stipulations are set up when you first purchase your cyber liability insurance: where your data backups are stored, how much is kept, and how long it’s kept for. There are also questions about the size of your company, how long you’ve been in business, and what you want covered.
And when corporations are more complex, have more employees, more locations, etc., there will be more stipulations. These include having two forms of backups, regular frequency of backups, and regular validation of those backups.
There may even be IT and security requirements, especially if your business stores a lot of sensitive data. This is typical of a large retailer or hospital.
The Big Takeaway
Cyber liability insurance exists for a reason. If you don’t have it, or don’t feel you have the right coverage, please speak to an insurance agent about the kind of cyber liability coverage you should carry. In the meantime, here are a few other things you can do.
- Make sure you have secure passwords on all your computer systems, including your home computers. This is especially important if you access your work network from home. Don’t just replace letters with look-alike numbers and symbols; hackers already know that trick. Instead, use a password vault like LastPass or 1Password, and use their password generator to create complex passwords.
- Whenever possible, always use two-step authentication, such as Google Authenticator, in conjunction with your mobile device. This will ensure that there are two requirements in place to gain access to your sites. This will make it nearly impossible to log into one of your accounts even if an attacker does get your password.
- Never use the same password for several different accounts. If hackers can figure out one, they’ll try that password on everything else.
- Make sure your network’s firewalls and operating systems are completely up-to-date. Install all updates and patches, and invest in a solid network security system. Require employees to change their own passwords on a regular basis.
- If you have an IT department/staff, ask them about the state of your network security. Have them ensure that your network software is up to date as well.
- Finally, check out the Federal Trade Commission’s website. They have a lot of information on what you can do to help protect your business and your data.
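Two of the items above (don’t dress up a dictionary word with symbol substitutions; never reuse a password across accounts) can be checked rather than left to habit, and the third (use a generator) is a few lines with the standard library. The script below is an added example, not code from the article or from any of the products it names. The wordlist and the account inventory are constructed sample data; a real audit would use a proper cracking dictionary and would compare password hashes exported from each system rather than plaintext. The hash here is used only to group accounts in memory, not as a way to store passwords.

```python
"""Audit a small set of credentials for leet-speak dictionary words and reuse,
and generate replacements with the secrets module.

Added illustration; WORDLIST and ACCOUNTS are constructed sample data.
"""
import hashlib
import secrets
import string

# Common look-alike substitutions undone before the dictionary check.
# Approximate by design: '1' and '!' are both mapped to 'i', for instance.
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "0": "o", "1": "i",
    "!": "i", "$": "s", "5": "s", "7": "t",
})

# Constructed stand-in for a real cracking wordlist.
WORDLIST = {"password", "welcome", "summer", "letmein", "target"}

# Constructed inventory: account name -> password (a real audit uses hashes).
ACCOUNTS = {
    "email": "P@ssw0rd!",
    "vpn": "Summer2019",
    "bank": "Summer2019",
    "pos-admin": "xK9#vL2m!Qw8$rTz",
}


def is_leet_dictionary_word(pw: str) -> bool:
    """True if the password is a wordlist entry once trailing digits/punctuation
    are removed and look-alike substitutions are reversed."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return base in WORDLIST or base.translate(LEET) in WORDLIST


def audit(accounts: dict) -> dict:
    """Return {account: [issue, ...]} for accounts with weak or reused passwords."""
    issues = {name: [] for name in accounts}
    for name, pw in accounts.items():
        if is_leet_dictionary_word(pw):
            issues[name].append("dictionary word with symbol substitutions")
        if len(pw) < 12:
            issues[name].append("shorter than 12 characters")
    # Reuse check: group accounts by a digest of the password. The digest is
    # only a grouping key for this demo, not a storage format.
    by_digest = {}
    for name, pw in accounts.items():
        key = hashlib.sha256(pw.encode()).hexdigest()
        by_digest.setdefault(key, []).append(name)
    for names in by_digest.values():
        if len(names) > 1:
            for n in names:
                issues[n].append("reused across: " + ", ".join(sorted(names)))
    return {n: found for n, found in issues.items() if found}


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG, with all four character classes present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    for name, found in audit(ACCOUNTS).items():
        print(f"{name}: " + "; ".join(found))
    print("suggested replacement:", generate_password())
```

Running it on the constructed inventory flags the email account for a leet-speak dictionary word, and the vpn and bank accounts for both a dictionary word and sharing one password; the point-of-sale admin password passes. A password manager does the generation part for you; the audit part is what an IT department can run against exported hashes when you ask them about the state of your network security.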
At times, it may seem like you’re fairly safe from anything happening to your network. If you own a small business, you may think, “I’m so small, the hackers won’t even pay attention to me.”
Except this isn’t true. We’re long beyond the days of computer jockeys trying to break into a corporation’s mainframe. The theft is automated, and hackers can launch attacks on hundreds or thousands of servers in minutes. Even a small business’s servers can be of some use to hackers, even if only as a platform to launch attacks on other servers.
If you want true peace of mind, you need to talk to two people:
- a security specialist who will make your computer networks as secure as possible
- an insurance professional who is knowledgeable about cyber liability insurance, to make sure you have the right coverage.
Cyber liability insurance may be a small part of your total business insurance needs, but it can be one of the most important policies you have. This will keep you, your business, and your customers safe if and when your data falls into the wrong hands.