What Business Executives Want to Know About Cyber Risk

 

  1. Who should you call first after you’ve had a data breach?
  2. What should be included in a cyber attack communications response?
  3. How can we make sure that everyone knows their role in communicating about a data breach?
  4. How does cyber insurance help?
  5. How do insurance companies determine coverage for cyber attacks?
  6. How can you be sure that you have adequate cyber insurance coverage?
  7. How do assess your risks?
  8. How much does cyber insurance cost?
  9. How can you get better rates on cyber insurance?
  10. Why do companies buy cyber insurance?
  11. What is usually covered by cyber insurance?
  12. Why would a company need cyber insurance to cover PR services?
  13. What is usually NOT covered by cyber insurance?
  14. Are there reasons to NOT pay a ransom?
  15. What else could happen if we don’t pay a ransom?
  16. What businesses and industries are the favorite targets of cyber criminals?
  17. Have cyber threats increased in response to the COVID-19 pandemic?
  18. What’s the first step you should take to prevent cyber attacks from happening in the first place?
  19. What’s the purpose of a security assessment?
  20. What’s the best way to approach cyber security?
  21. Do you need to pay a ransom if you have a good backup?
  22. Who’s responsible for backup for data in the cloud?
  23. What are cyber forensics?
  24. What can you do to guard against internal threats?
  25. Are there other internal risks to think about?
  26. How do you lessen the risk that employees will fall for social engineering?
  27. What’s your advice to business leaders about managing cyber risks?
  28. What’s your advice to business leaders about managing their reputation after a cyber attack?
  29. Has COVID-19 made businesses more susceptible to cyber attacks?
  30. What’s the best thing businesses can do to protect against cyber threats?

 

Who should you call first after you’ve had a data breach?

Immediately notify your IT team, local and federal law enforcement, your insurance carrier, your lawyer, and your communications specialists in the event of a major cyber security incident. A major incident would be something like a ransomware attack that locks up all of your computers and you’re instructed to pay an amount of money, such as bitcoin, to have them unlocked.

Notify the Attorney General’s office if the cyber attack compromises personal identifiable information, as in the event of a Business Email Compromise (BEC).

Depending on the type and severity of the cyber incident, you may need to engage cyber forensics specialists to preserve evidence and investigate what happened. Your IT team should notify you if this is something they recommend.

Back to top

 

 

What should be included in a cyber attack communications response?

You should have a response plan, and a response team that acts like air traffic control, where there are a few people in the tower and thousands of planes trying to take off and land, all while navigating through bumpy skies. The people in the tower are going to direct traffic and deploy the messaging.

Your response team is going to first acknowledge what has happened. That’s not admitting any responsibility or guilt, but acknowledging that something happened so you can de-escalate anxiety. You would contact your top-tiered clients. HR will play a part. Everyone needs to know how to reach each other, starting with the executive team.

Back to top

 

 

How can we make sure that everyone knows their role in communicating about a data breach?

Create a communication plan and detail what you’re going to say, and how you’re going to say it, to both internal and external audiences. Think of your communications plan as your Go-Bag. Imagine a gym bag that is immediately accessible. You open your Go-Bag and there you have your top-tier people that need to be notified and by whom, and how it needs to be done.

Your Go-Bag also contains “Scenario Plates” for situations that you’ve already thought through. Scenarios are different ways that you can be attacked. Each scenario has draft statements and protocols in place that you can deploy as quickly as possible with minimal edits.

Back to top

 

 

How does cyber insurance help?

A small bakery with annual revenues of about $450,000 had a ransomware attack on their kitchen. It locked down the entire kitchen and turned on the ovens with the demand, “Either pay us or we’ll burn the place down”. The insurance company paid the $75,000 ransom and the cost to the business was the $4,500 premium.

If you walk in the door one morning and flip on your computers and you can’t do anything, you’re out of business — and maybe out of business for a month before everything can get fixed.

Cyber insurance can help cover the cost of a ransom payment, getting you back in business, forensic analysis, etc. depending on your specific policy.

Back to top

 

 

How do insurance companies determine coverage for cyber attacks?

Carriers are going to ask questions about what you’ve done in preparation to proactively prevent a cyber attack.

Anything that you can identify that you have in place, including policies and procedures, will help in the placement of cyber coverage.

Back to top

 

 

How can you be sure that you have adequate cyber insurance coverage?

You don’t know how much coverage you’re going to need until you have an incident.

People ask, “How much cyber insurance coverage do we need? What are the limits we need to purchase?” And that’s an individual personal decision. Our question back to them is, “What’s your risk tolerance? How much are you willing to assume internally? How much can you reasonably and comfortably assume?”

Back to top

 

 

How do assess your risks?

Think of the data that you’re storing and the implications to your business if it was stolen or exposed. A situation that exposed personal information is a much different risk compared to a situation where banking information is compromised.

At the same time, you have to set in place barriers that will minimize risks. Cyber criminals have, for the most part, figured out what they think you can pay in ransomware. If they can figure that out, you can figure that out, and it should be a component of your risk assessment.

Back to top

 

 

How much does cyber insurance cost?

The premium is generally based on your industry, your specific operations, and on your revenue.

For example, a manufacturing company with annual revenue of $25-30 million dollars could anticipate premiums of anywhere between $6,000 to $7,000 a year for $1 million in coverage. They could also consider a $3 million or a $5 million option.

What matters is your comfort level, what information you store, and your comfort level with risk. It’s a cost-benefit analysis that’s different for every company, so there isn’t a right or wrong answer.

Back to top

 

 

How can you get better rates on cyber insurance?

It helps significantly if you can demonstrate what you’ve done to become PCI-compliant or HIPAA-compliant, or that you have put specific controls in place like multi-factor authentication.

A lot of times the insurance company will do a dark web search of your key individuals and provide a report on what they find.

Back to top

 

 

Why do companies buy cyber insurance?

There was a company that worked 100% for the US Department of Energy and Department of Defense. One day this company was contacted by the Pentagon and the FBI, and was informed that the Chinese government had been in their system monitoring every keystroke for the last 14 months.

The company had a small crime coverage on their general liability policy that paid $10,000. Fortunately, they also had other coverages that eventually paid the claim after two and a half years.

This company now buys cyber coverage.

Back to top

 

 

What is usually covered by cyber insurance?

Coverage depends on the policy, its conditions and coverage terms. Some policies are written broadly to cover costs for legal, communications, and IT services. Some will pay for loss of revenues. Some will pay for reputation management.

It’s not uncommon for many general liability and crime policies to have a little bit of cyber coverage inclusive in them. But this creates a false sense of security because, a lot of times, those coverages are minimal and have exclusions.

Back to top

 

 

Why would a company need cyber insurance to cover PR services?

A cyber attack could be the catalyst for an acute business disruption that puts the company’s credibility at stake. When public confidence has been shaken or lessened, the first thing people do is to distance themselves from the entity that they think is possibly toxic.

That puts deals on hold. Once people start backing away, calls aren’t returned, and negative sentiment grows, the business starts hemorrhaging.

That’s why crisis management services may be necessary — to manage the situation before it gets that bad.

Back to top

 

 

What is usually NOT covered by cyber insurance?

Depending on your policy, incidents caused by social engineering where employees volunteer to participate – knowingly or unknowingly – may not be covered.

A manufacturing company learned about this when one of their major customers was hacked and changed the routing codes for making payments. The company received some compensation for the redirected money, but it didn’t cover the entire amount.

Back to top

 

 

Are there reasons to NOT pay a ransom?

If you pay a ransom to a foreign entity that has been designated by the Department of Treasury’s Office of Foreign Asset Control (OFAC) as a “Malicious Cyber Actor,” paying a ransom could be considered enabling the criminals, and thus a federal crime.

Here’s the OFAC’s memo: Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments

Back to top

 

 

What else could happen if we don’t pay a ransom?

A manufacturing company with annual revenues of about $45 – $50 million had a ransomware attack. The ransom was for $200,000 and they decided not to pay because they thought they could restore from their backup systems.

Unfortunately, they found out that their backup systems weren’t up to snuff and operations were down for some time. By the time they got back up and running, their total cost was about $250,000. They didn’t pay the ransom, but the event impacted them.

This company did not have cyber coverage at the time. Had they had it in place, it would have paid for a good portion of that.

Back to top

 

 

What types of businesses are the favorite targets of cyber criminals?

The top industries that are being targeted are government, finance, technology, manufacturing, and healthcare…though it can happen to anyone.

Nearly half of all cyber attacks hit small to medium-sized businesses. These companies don’t have the technology or the policies and procedures in place to mitigate attacks. Mom-and-pop shops are being targeted more than ever and an average ransomware payment is between $75,000 and $200,000.

Back to top

 

Have cyber threats increased in response to the COVID-19 pandemic?

Ransomware attacks have increased 85% in the last eight months. Phishing attacks have increased over 600% since COVID hit because the nefarious actors are finding it easier to access many companies.

This is going to continue to increase and grow even greater.

Back to top

 

 

What’s the first step you should take to prevent cyber attacks from happening in the first place?

You first have to acknowledge the risk and commit to spending resources on prevention. Prevention includes changing internal policies and procedures that are too often seen as inconveniences. Companies sometimes err on the side of making things easy rather than making things secure, but there has to be a balance.

Then have a security assessment done to get a clear picture of where your vulnerabilities are, so you can make educated decisions regarding your security posture.

Back to top

 

 

What’s the purpose of a security assessment?

Security needs to be evaluated and measured against best practices to uncover bad habits and routines that actually create security vulnerabilities that increase risk.

An assessment identifies those vulnerabilities so that systems and processes can be introduced to lessen the risk. One of those processes, for example, could be to detect intruders. It can take 200-300 days for a network intruder to be discovered if threat detection tools and processes aren’t in place.

Back to top

 

 

What’s the best way to approach cyber security?

Cyber security is all about layers and putting as many of the right layers of security between your people, the data you’re trying to protect, and the bad guys. You should have as many layers as your risk tolerance allows.

For every layer, there’s a cost so you have to justify those costs and compare them to the costs that you would have if you had a cyber event.

Back to top

 

 

Do you need to pay a ransom if you have a good backup?

Your backup isn’t insurance against a cyber attack but you need to be confident that you can restore operations from your backup in the event that a cyber incident happens that steals or corrupts your data. In fact, if your backup system isn’t architected properly on the front side, the bad guys will encrypt your backups as well.

If you’re following best practices, there’s a gap between your live production data and your stored data.

Back to top

 

 

Who’s responsible for backup for data in the cloud?

Resources in the cloud create a bit of a blind spot. There’s an assumption made that your cloud provider is backing up and has some restore plan in place, but for the most part, that’s not the case.

The obligation still is on the company who owns the data.

Back to top

 

 

What are cyber forensics?

Cyber forensics groups are typically a third-party that will piece together how a cyber attack happened. They’re going to use log files and timelines and whatever documentation you have to piece together exactly what happened, how long the bad guys were in the system and if they sent any data off-site. That helps to figure out what obligations to notify individuals about the exposure of their personal or corporate data.

As soon as you declare that a breach has occurred, you should consider a forensics team because you need to know, for example, if a ransomware attack is covering up the tracks of someone who’s been in your network for a long time and may have been taking data and trying to get into other areas of your network, or even your customers’ or vendors’ networks.

Back to top

 

 

What can you do to guard against internal threats?

The goal of IT is to provide the services your employees need to stay productive and do their work uninterruptedly, and that means having access to information. It’s very important that the company has very clearly defined internal procedures for both HR and IT so that everyone understands who gets access to specific data.

Back to top

 

 

Are there other internal risks to think about?

Combined threats are attacks where an outsider attacks you through one of your own employees, usually through social engineering. Social engineering is very effective because it plays on our human nature to want to respond and communicate.

We can put all kinds of systems to make it very difficult for that person to do the wrong thing, but they have to receive email and they have to use the internet so it’s impossible to totally shield them.

Back to top

 

 

How do you lessen the risk that employees will fall for social engineering?

User education is key to getting every employee trained and aware of what a phishing attack looks like, what links and attachments on an email shouldn’t be clicked, etc.

Employees need to be more aware and more savvy of what’s going on and how they can be manipulated with social engineering scams.

Back to top

 

 

What’s your advice to business leaders about managing cyber risks?

Cyber threats are true significant risks that many people underestimate. We never tell people they need to buy insurance coverage — our objective is to help them understand their risk and then help them figure out the best way to mitigate it.

You need to know this is a serious significant risk that is continuing to grow. Every single week, it’s getting more and more prevalent. So, just be aware of that and manage it the best way you can. Sometimes, that’s insurance. Sometimes, it may not be, but it absolutely is how you manage your network and how you protect it.

Back to top

 

 

What’s your advice to business leaders about managing their reputation after a cyber attack?

Treat your reputation like you treat your car. You want to get there, and you want to get there safely. So, don’t wait for the engine lights to come on. There are some preventative things you can do and don’t always think it’s going to happen to somebody else. Think ahead.

Back to top

 

 

Has COVID-19 made businesses more susceptible to cyber attacks?

We are in the midst of the worst pandemic the country has seen in a hundred years and it’s not going to end soon. It’s a situation where your business has had to think what am I going to do to just survive? How am I going to make it to the next payroll? And things like cyber security are just not on people’s minds right now, understandably so.

You’re distracted. You’re not paying attention. Get your guard back up and don’t let yourself be a victim.

Back to top

 

 

What’s the best thing businesses can do to protect against cyber threats?

Increase your security posture. Make sure you’re using technology like multi-factor authentication and that you’re using endpoint security based on AI. Use email protection based on AI that takes information from different pieces of your system in order to identify a threat ahead of time.

Back to top