A phishing attack on UnityPoint Health, a hospital and clinic system in Illinois, Wisconsin, and Iowa in March 2018 resulted in 1.4 million patient records being compromised.
In April 2018, hackers were offering up 5 million credit and debit cards online to the highest bidder, stolen from luxury department stores Lord & Taylor and Saks Fifth Avenue.
In May 2018, fitness app PumpUp suffered a security breach that resulted in 6 million customer records being breached, including data like health information, photos, and private messages, as well as Facebook access tokens and some credit card information.
Of course, that’s just a small fraction of all the cyber attacks in 2018.
Even as tech companies, the internet, and the entire digital world advance at an exponential rate and offer cutting edge technology never dreamed of before, effective cyber security remains a tough nut to crack.
In fact, it’s more of a concern than ever before with so many services, sites, and companies, and even devices having access to our personal and financial data.
If a business, even a fresh out of the gate startup, isn’t addressing cyber security issues and taking steps to secure their own data and that of their customers, they’re opening themselves up to tremendous liability.
If smaller companies in the $10 to $30 million range are hit with a big cyber security issue, it can put them out of business, depending on the size and scope of the attack. The financial liability, the distraction it causes, and the financial impact of negative publicity is difficult for a company of that size to deal with. There is real risk there for companies on that end of the spectrum due to cyber threats.
Constant monitoring is a necessity because hackers are constantly trying to attack systems around the world, in every industry. And you need in-depth training of your personnel in how to counter and prevent cyber attacks. Because, let’s face it, the biggest weakness in systems is the human element. Training and then monitoring.
In fast-growing companies, cyber security is something that’s easy to overlook… or considered something that they can get to later, after they’re more established.
The demand for cyber security has prompted tremendous growth in the industries that are involved in:
- Monitoring
- Tracking
- Prevention
- Reconstruction and recovery
When things go wrong, insurance can also play a role, as you’ll see in just a moment.
Cyber Security Best Practices
What does effective cyber security look like?
An attack starts with confusion. When something bad happens, you don’t how serious the breach is until you do further investigation with an internal team or an outside vendor.
What’s important is your response.
You need a prevention protocol, as well as a breach response protocol and public relations protocol. That’s a whole set of responsibilities, much of which can be covered by outside vendors.
For example, you have public relations firms to use social media and other channels to get the word out after a breach – and it’s important to be timely to preserve your reputation. The basic message is: There was a breach, so we’re following the law and notifying you. But it’s not a big deal and here’s why.
In other words, nothing to see here. But if you delay your acknowledgement it can be a public relations nightmare.
There are also regulatory compliance issues to consider. Depending on what industry you’re in or the nature of the beach, you have to notify local government as well.
At that point, you could face some penalties. In healthcare, HIPPA and its requirements are serious business. If there is a major breach of patient information, you could face a seven-figure fine.
The Cost of Cyber Security Breaches and How Insurance Can Help
Computer systems and networks containing financial data, customer records, corporate secrets, and more are so complex it’s hard to plug all the holes; hackers can often find ways around existing security measures.
The response plans above are important. But that response to a cyber attack will cost money. Not only that, but attacks can cause financial impacts like loss of market share and regulatory penalties.
All of those costs can be defrayed if you have an insurance policy.
Cyber Security and Privacy Liability insurance covers a business’s liability in case of a data breach, protecting policyholders from civil suits and government regulatory actions. Also covered: the cost of notifying customers or employees of a breach.
For those on the board of a company, cyber security should be a priority. If you’re not actively taking steps, measures, and investments to improve your cyber security you could be liable for mismanagement and breaching your fiduciary responsibility to the company. That is an exposure which today’s D&O policies MAY EXCLUDE if the company fails to put Cyber Liability insurance in place.
Let’s face it. At a board level, you’re going to be second guessed for anything you do, including cyber security measures. So, you need to bring in the right vendors to protect your company’s data. You must constantly update and monitor, putting the right procedures in place.
How Cyber Security Impacts M&A
Representations and Warranty (R&W) insurance is also a factor here and closely interacts with a Cyber insurance policy. In fact, if a Cyber insurance policy is in place, R&W Underwriters will look more favorably on the deal, and reps involving cyber security and privacy will be insured – not excluded.
In cases where there is R&W insurance, Cyber insurance can help because it protects the Seller if a data breach is discovered after closing.
In general terms, if a potential acquirer looks at your company and sees your vulnerability in the cyber arena (you don’t have sound security or insurance) that could cost them money down the line, they’ll expect the owner to absorb that exposure. That lowers the value of the company.
Keep in mind that during the due diligence process, or worse, between signing and closing, unknown breaches are more likely to be discovered (as happened with Yahoo!) which can result in a company losing significant value, unless the target company has a Cyber Liability policy already in place.
The Challenge with Cyber and Cyber Related Insurance
Cyber Security and Privacy Liability insurance can be difficult because most people don’t know what they’re buying. They don’t know what’s out there. And the policies themselves are very complex.
It’s a situation where if you want to take a shortcut, you’ll get an off the shelf product, which is better than nothing. But if you’re going to be spending $10 – $15k on an insurance policy, you may as well get a good one that will address a whole host of issues.
These policies are quick to implement. And they will protect you even if you already have been breached and don’t know about it… as long as on the date you bought the insurance, you didn’t know about the breach and then the discovery of breach comes to light later. Yes, the policy can pay for circumstances before you had insurance.
With the huge and still growing threat of hackers out there, now is the time to safeguard your valuable data by taking a strong stand with cyber security. Your customers, shareholders, and potential Buyers expect it.
Part of that is securing a Cyber Security Privacy Liability policy. This insurance is very affordable when you consider the consequences if you are breached and no policy is in place.
Download my free Cyber Security and Privacy Liability Insurance Cheat Sheet to find what’s covered and typical costs.