Immediately notify your IT team, local and federal law enforcement, your insurance carrier, your lawyer, and your communications specialists in the event of a major cyber security incident. A major incident would be something like a ransomware attack that locks up all of your computers and you’re instructed to pay a sum, typically in bitcoin, to have them unlocked.
Notify the Attorney General’s office if the cyber attack compromises personally identifiable information, as in the event of a Business Email Compromise (BEC).
Depending on the type and severity of the cyber incident, you may need to engage cyber forensics specialists to preserve evidence and investigate what happened. Your IT team should notify you if this is something they recommend.
You should have a response plan, and a response team that acts like air traffic control, where there are a few people in the tower and thousands of planes trying to take off and land, all while navigating through bumpy skies. The people in the tower are going to direct traffic and deploy the messaging.
Your response team is going to first acknowledge what has happened. That’s not admitting any responsibility or guilt, but acknowledging that something happened so you can de-escalate anxiety. You would contact your top-tiered clients. HR will play a part. Everyone needs to know how to reach each other, starting with the executive team.
Create a communication plan and detail what you’re going to say, and how you’re going to say it, to both internal and external audiences. Think of your communications plan as your Go-Bag. Imagine a gym bag that is immediately accessible. You open your Go-Bag and there you have your top-tier people that need to be notified and by whom, and how it needs to be done.
Your Go-Bag also contains “Scenario Plates” for situations that you’ve already thought through. Scenarios are different ways that you can be attacked. Each scenario has draft statements and protocols in place that you can deploy as quickly as possible with minimal edits.
A small bakery with annual revenues of about $450,000 had a ransomware attack on their kitchen. It locked down the entire kitchen and turned on the ovens with the demand, “Either pay us or we’ll burn the place down”. The insurance company paid the $75,000 ransom and the cost to the business was the $4,500 premium.
If you walk in the door one morning and flip on your computers and you can’t do anything, you’re out of business -- and maybe out of business for a month before everything can get fixed.
Cyber insurance can help cover the cost of a ransom payment, getting you back in business, forensic analysis, etc. depending on your specific policy.
Carriers are going to ask questions about what you’ve done in preparation to proactively prevent a cyber attack.
Anything that you can identify that you have in place, including policies and procedures, will help in the placement of cyber coverage.
You don't know how much coverage you're going to need until you have an incident.
People ask, "How much cyber insurance coverage do we need? What are the limits we need to purchase?" That's a decision each business has to make for itself. Our question back to them is, "What's your risk tolerance? How much are you willing to assume internally? How much can you reasonably and comfortably assume?"
Think of the data that you’re storing and the implications for your business if it were stolen or exposed. A situation that exposes personal information is a very different risk from one where banking information is compromised.
At the same time, you have to put barriers in place that will minimize risk. Cyber criminals have, for the most part, figured out what they think you can pay in ransom. If they can figure that out, you can figure it out too, and it should be a component of your risk assessment.
The premium is generally based on your industry, your specific operations, and on your revenue.
For example, a manufacturing company with annual revenue of $25-30 million could anticipate premiums of anywhere between $6,000 and $7,000 a year for $1 million in coverage. They could also consider a $3 million or a $5 million option.
What matters is what information you store and your comfort level with risk. It’s a cost-benefit analysis that’s different for every company, so there isn’t a right or wrong answer.
It helps significantly if you can demonstrate what you’ve done to become PCI-compliant or HIPAA-compliant, or that you have put specific controls in place like multi-factor authentication.
Often the insurance company will do a dark web search on your key individuals and provide a report on what they find.
There was a company that worked 100% for the US Department of Energy and Department of Defense. One day this company was contacted by the Pentagon and the FBI, and was informed that the Chinese government had been in their system monitoring every keystroke for the last 14 months.
The company had a small crime coverage on their general liability policy that paid $10,000. Fortunately, they also had other coverages that eventually paid the claim after two and a half years.
This company now buys cyber coverage.
Coverage depends on the policy, its conditions and coverage terms. Some policies are written broadly to cover costs for legal, communications, and IT services. Some will pay for loss of revenues. Some will pay for reputation management.
It’s not uncommon for general liability and crime policies to include a little bit of cyber coverage. But this creates a false sense of security because, a lot of times, those coverages are minimal and have exclusions.
A cyber attack could be the catalyst for an acute business disruption that puts the company’s credibility at stake. When public confidence has been shaken or lessened, the first thing people do is to distance themselves from the entity that they think is possibly toxic.
That puts deals on hold. Once people start backing away, calls aren’t returned, and negative sentiment grows, the business starts hemorrhaging.
That's why crisis management services may be necessary -- to manage the situation before it gets that bad.
Depending on your policy, incidents caused by social engineering where employees volunteer to participate – knowingly or unknowingly – may not be covered.
A manufacturing company learned about this when one of their major customers was hacked and the attackers changed the routing codes used for making payments. The company received some compensation for the redirected money, but it didn’t cover the entire amount.
If you pay a ransom to a foreign entity that has been designated by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) as a “Malicious Cyber Actor,” the payment could be considered enabling the criminals, and thus a federal crime.
Here's OFAC's advisory: Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments
A manufacturing company with annual revenues of about $45-50 million had a ransomware attack. The ransom was for $200,000 and they decided not to pay because they thought they could restore from their backup systems.
Unfortunately, they found out that their backup systems weren’t up to snuff and operations were down for some time. By the time they got back up and running, their total cost was about $250,000. They didn’t pay the ransom, but the event impacted them.
This company did not have cyber coverage at the time. Had they had it in place, it would have paid for a good portion of that.
The top industries being targeted are government, finance, technology, manufacturing, and healthcare, though it can happen to anyone.
Nearly half of all cyber attacks hit small to medium-sized businesses. These companies don’t have the technology or the policies and procedures in place to mitigate attacks. Mom-and-pop shops are being targeted more than ever and an average ransomware payment is between $75,000 and $200,000.
Ransomware attacks have increased 85% in the last eight months. Phishing attacks have increased over 600% since COVID hit because the nefarious actors are finding it easier to access many companies.
This is going to continue to grow.
You first have to acknowledge the risk and commit to spending resources on prevention. Prevention includes changing internal policies and procedures that are too often seen as inconveniences. Companies sometimes err on the side of making things easy rather than making things secure, but there has to be a balance.
Then have a security assessment done to get a clear picture of where your vulnerabilities are, so you can make educated decisions regarding your security posture.
Security needs to be evaluated and measured against best practices to uncover bad habits and routines that actually create security vulnerabilities that increase risk.
An assessment identifies those vulnerabilities so that systems and processes can be introduced to lessen the risk. One of those processes, for example, could be to detect intruders. It can take 200-300 days for a network intruder to be discovered if threat detection tools and processes aren’t in place.
Cyber security is all about layers: putting as many of the right layers of security as you can between the bad guys on one side and your people and the data you’re trying to protect on the other. You should have as many layers as your risk tolerance allows.
For every layer there’s a cost, so you have to justify those costs and compare them to the costs you would face if you had a cyber event.
Your backup isn’t insurance against a cyber attack, but you need to be confident that you can restore operations from your backup in the event of a cyber incident that steals or corrupts your data. In fact, if your backup system isn’t architected properly from the start, the bad guys will encrypt your backups as well.
If you’re following best practices, there’s a gap between your live production data and your stored backup data, so that whatever reaches production can’t reach the backup.
Resources in the cloud create a bit of a blind spot. There’s an assumption made that your cloud provider is backing up and has some restore plan in place, but for the most part, that’s not the case.
The obligation is still on the company that owns the data.
Cyber forensics groups are typically a third party that will piece together how a cyber attack happened. They’re going to use log files, timelines, and whatever documentation you have to piece together exactly what happened, how long the bad guys were in the system, and whether they sent any data off-site. That helps to determine what obligations you have to notify individuals about the exposure of their personal or corporate data.
As soon as you declare that a breach has occurred, you should consider a forensics team because you need to know, for example, if a ransomware attack is covering up the tracks of someone who’s been in your network for a long time and may have been taking data and trying to get into other areas of your network, or even your customers’ or vendors’ networks.
The goal of IT is to provide the services your employees need to stay productive and do their work without interruption, and that means having access to information. It’s very important that the company has clearly defined internal procedures for both HR and IT so that everyone understands who gets access to specific data.
Combined threats are attacks where an outsider attacks you through one of your own employees, usually through social engineering. Social engineering is very effective because it plays on our human nature to want to respond and communicate.
We can put all kinds of systems in place to make it very difficult for that person to do the wrong thing, but they have to receive email and they have to use the internet, so it’s impossible to shield them completely.
User education is key to getting every employee trained and aware of what a phishing attack looks like, what links and attachments on an email shouldn’t be clicked, etc.
Employees need to be more aware and more savvy about what’s going on and how they can be manipulated by social engineering scams.
Cyber threats are real, significant risks that many people underestimate. We never tell people they need to buy insurance coverage -- our objective is to help them understand their risk and then help them figure out the best way to mitigate it.
You need to know this is a serious risk that is continuing to grow. Every single week, it's getting more and more prevalent. So, be aware of that and manage it the best way you can. Sometimes that's insurance. Sometimes it may not be, but it absolutely is how you manage your network and how you protect it.
Treat your reputation like you treat your car. You want to get there, and you want to get there safely. So, don't wait for the engine lights to come on. There are some preventative things you can do and don't always think it's going to happen to somebody else. Think ahead.
We are in the midst of the worst pandemic the country has seen in a hundred years and it's not going to end soon. It's a situation where your business has had to think, "What am I going to do to just survive? How am I going to make it to the next payroll?" And things like cyber security are just not on people's minds right now, understandably so.
You're distracted. You're not paying attention. Get your guard back up and don't let yourself be a victim.
Increase your security posture. Make sure you're using technology like multi-factor authentication and that you're using endpoint security based on AI. Use email protection based on AI that takes information from different pieces of your system in order to identify a threat ahead of time.