Category Archives: Cyber Insurance

The latest risk management news about cyber insurance.

Immediate Vault Immediate Access

On Data Privacy Day, Catch Up on These Critical Risk Management and Data Security Issues

Posted on by

Happy Data Privacy Day! Whether it is cyberrisk, regulatory risk or reputation risk, data privacy is increasingly intertwined with some of the most critical challenges risk professionals face every day, and ensuring security and compliance of data assets is a make or break for businesses.

buy prevacid online www.soundviewmed.com/wp-content/uploads/2023/10/jpg/prevacid.html no prescription pharmacy

In Cisco’s new 2021 Data Privacy Benchmark Report, 74% of the 4,400 security professionals surveyed saw a direct correlation between privacy investments and the ability to mitigate security losses. The current climate is also casting more of a spotlight on privacy work, with 60% of organizations reporting they were not prepared for the privacy and security requirements to manage risks with the shift to remote work and 93% turning to privacy teams to help navigate these pandemic-related challenges. Amid COVID-19 response, headline-making data breaches and worldwide regulatory activity, data privacy is also a critical competency area for risk professionals in executive leadership and board roles, with 90% of organizations now asking for reporting on privacy metrics to their C-suites and boards.

“Privacy has come of age—recognized as a fundamental human right and rising to a mission-critical priority for executive management,” according to Harvey Jang, vice president and chief privacy officer at Cisco. “And with the accelerated move to work from anywhere, privacy has taken on greater importance in driving digitization, corporate resiliency, agility, and innovation.”

In honor of Data Privacy Day, check out some of Risk Management’s recent coverage of data privacy and data security:

CPRA and the Evolution of Data Compliance Risks

Also known as Proposition 24, the new California Privacy Rights Act (CPRA) aims to enhance consumer privacy protections by clarifying and building on the expectations and obligations of the California Consumer Privacy Act (CCPA).

Frameworks for Data Privacy Compliance

As new privacy regulations are introduced, organizations that conduct business and have employees in different states and countries are subject to an increasing number of privacy laws, making the task of maintaining compliance more complex. While these laws require organizations to administer reasonable security implementations, they do not outline what specific actions should be taken. Proven security frameworks like Center for Internet Security (CIS) Top 20, HITRUST CSF, and the National Institute of Standards and Technology (NIST) Framework can provide guidance.

Protecting Privacy by Minimizing Data

New obligations under data privacy regulation in the United States and Europe require organizations not only to rein in data collection practices, but also to reduce the data already held. Furthering this imperative, over-retention of records or other information can lead to increased fines in the case of a data breach.

buy ocuflox online www.soundviewmed.com/wp-content/uploads/2023/10/jpg/ocuflox.html no prescription pharmacy

As a result, organizations are moving away from the practice of collecting all the data they can toward a model of “if you can’t protect it, don’t collect it.”

3 Tips for Protecting Remote Employees’ Data

As COVID-19 continues to force many employees to work from home, companies must take precautions to protect sensitive data from new cyberattack vulnerabilities. That means establishing organization-wide data-security policies that take remote workers into account and inform them of the risks and how to avoid them. These three tips can help keep your organization’s data safe during the work-from-home era.

What to Do After the EU-US Privacy Shield Ruling

It was previously thought that the EU-US Privacy Shield aligned with the EU’s General Data Protection Regulation (GDPR), but following the CJEU’s recent ruling, the Privacy Shield no longer provides a mechanism for legitimizing cross-border data flows to the United States. This has far-reaching consequences for all organizations that currently rely on it. In light of the new ruling, risk professionals must help their organizations to reevaluate data strategies and manage heightened regulatory risk going forward.

The Risks of School Surveillance Technology

Schools confront many challenges related to students’ safety, from illnesses, bullying and self-harm to mass shootings. To address these concerns, they are increasingly turning to a variety of technological options to track students and their activities. But while these tools may offer innovative ways to protect students, their inherent risks may outweigh the potential benefits. Tools like social media monitoring and facial recognition are creating new liabilities for schools.

2020 Cyberrisk Landscape

As regulations like CCPA and GDPR establish individuals’ rights to transparency and choice in the collection and use of their personal data, one can expect to see more people exercise these rights.

buy doxycycline online www.soundviewmed.com/wp-content/uploads/2023/10/jpg/doxycycline.html no prescription pharmacy

In turn, businesses need to ensure they have formal and efficient processes in place to comply with such requests in the clear terms and prompt manner these regulations require, or risk fines and reputation fallout. These processes will also need to provide sufficient documentation to attest to compliance, so if businesses have not yet already, they should be building auditable and iterative procedures for “data revocation.”

Data Privacy Governance in the Age of GDPR

As personal information has become a monetizable asset, risk, compliance and data experts have increasingly been forced to address the regulatory and operational ramifications of the rapid, mass availability of personal customer and employee data circulated both inside and outside of organizations. With new data protection regulations, Canadian and U.S. companies must reassess how they process and safeguard personal information.

Key Features of India’s New Data Protection Law

Among the new data protection laws on the horizon is India’s Personal Data Protection Bill. While the legislation has not yet been approved and is likely to undergo changes before it is enacted, its fundamental structure and broad compliance obligations are expected to remain the same. Companies both inside and outside India should familiarize themselves with its requirements and begin preparing for how it will impact their data processing activities.

67% of Hotel Websites Expose Guest Data, Study Finds

Posted on by

According to new research from cybersecurity company Symantec, 67% of hotel websites are leaking customer reservation details and other personal information. Candid Wueest, the company’s principal threat researcher, tested more than 1,500 hotels in 54 countries, including low-cost to high-cost hotels, as well as both chain and independent hotels.

buy tobradex online desiredsmiles.com/wp-content/uploads/2023/10/tobradex.html no prescription pharmacy

symantec hotel data exposureWhen a customer uses a hotel’s website to book a room, the site usually creates and sends them a link so that the customer can directly access  and manage their reservation.

buy desyrel online desiredsmiles.com/wp-content/uploads/2023/10/desyrel.html no prescription pharmacy

According to Symantec, part of the problem is that third-party advertisers on hotels’ booking websites and web analytics companies (which track web traffic) can access customers’ bookings because they also get those links. This means that advertisers and analytic companies – including any potential malicious actors among their employees – could access and steal the information that the customer entered when booking a room, and even change or cancel the reservation.

Symantec also found that more than a quarter of the hotel websites examined do not send secure, encrypted links in their confirmation emails. Encrypted links prevent anyone trying to hijack a customer’s data from being able to see that data. If a customer received a confirmation email while using an unprotected WiFi (a public network in a café or an airport, for example), a cybercriminal could intercept that customer’s emails and use the unencrypted hotel booking link to access the customer’s booking. Some of these automatically generated links also contain details like customers’ email addresses in the web address, which makes accessing their information even easier for cybercriminals.

Additionally, many hotel websites are vulnerable to a type of cyberattack called “brute forcing,” where an attacker can use the customer’s email address and guess their booking number to gain access to the reservation and personal information. In some cases, Symantec found that hotel websites did not even require an email address to access customers’ reservation information via brute forcing. Though this method would not be useful to gain access to large amounts of customer data, attackers could use it to target individuals, like a specific CEO or conference attendee.

Wueest noted that hotels have thus far been slow to respond to these data exposure risks, and some have not responded at all. When he alerted the hotels’ data privacy officers to the problems in their sites, 75% responded, and those who did took an average of 10 days. Hotels and their information security staff should promptly assess their booking processes to ensure they are minimizing the risk of potential data leaks and breaches.

buy elavil online desiredsmiles.com/wp-content/uploads/2023/10/elavil.html no prescription pharmacy

By leaving these gaps in their websites’ security, they are endangering their customers and opening themselves up to risk, including potential liabilities and reputational damage.

Symantec recommends that hotels use encrypted links, and ensure that the automatic links generated do not include information like customers’ email addresses. It also recommends that customers use Virtual Private Networks (VPNs, services that protects users’ internet traffic) when booking or accessing their reservations using public WiFi to prevent any cyberattacker from intercepting any information that would provide a way in.

The report should also serve as a reminder that corporate employees’ personal devices and personal information are popular targets for cybercriminals and can be especially vulnerable to risks while traveling. Any time an employee exposes their devices to unprotected networks or, in this case, insufficiently protected websites, it leaves both the employee and their employer at risk. Even if an employee is using their own device to conduct business, it still endangers their employer because it may expose valuable business information. Cybercriminals have particularly used the hospitality industry as a hunting ground for such attacks, for example, targeting individuals using hotel WiFi, tricking them into downloading malicious software and stealing their information or spying on their internet activity.

Former NSA Director Talks Cybersecurity, Insurance at Advisen Conference

Posted on by

NEW YORK—Advisen’s Cyber Risk Insights Conference, held during Cyber Week, featured risk management professionals and more than 18 panels and sessions on Oct. 25. The keynote was delivered by Adm.

buy apixaban online achievephysiorehab.ca/wp-content/uploads/2023/10/jpg/apixaban.html no prescription pharmacy

Michael S. Rogers, former Navy commander of U.S. Cyber Command and Director of the National Security Agency (NSA), under the administrations of  Presidents Obama and Trump. Rogers discussed rising cyber threats and offered advice to providers and consumers as they assess their cyber insurance policies.

“For insurers, you need to be prepared, because the list of actors is growing and the threat is growing,” Rogers said. “Don’t build on a strategy [where you believe] things are getting better.”

He also put a particular spotlight on the fact that there is no universally accepted guideline for cyber threats when considering acts of war. Cyber, he said, differs from traditional triggers because there’s typically no physical injury or loss of life.

“You have these wholly different international views, because nation-states in western democracies do not have ownership of the web,” he said. “They do not control their citizens and control the flow of data,” as opposed to countries with greater control of information.

buy bactroban online achievephysiorehab.ca/wp-content/uploads/2023/10/jpg/bactroban.html no prescription pharmacy

“Because you have these broad, polar views it’s been difficult at times, on an international level, to get a consensus on what a framework be like to set a cybersecurity standard,” which Rogers added, could help define how a cyber attack might be considered an act of warfare.

buy strattera online achievephysiorehab.ca/wp-content/uploads/2023/10/jpg/strattera.html no prescription pharmacy

He proposed an approach that could start nations on a path to a universally accepted guideline: “Can get we get a smaller subset of issues to coalesce around a core group of principles, start small, and build from there? I think we’ll have success that way.”

Rogers noted that he is a proponent and believes incentivization may be the key to keeping businesses safer and maintaining lower premiums, using features of the automotive industry as an example.

“Automatic brakes and safer vehicles, for example, were an incentive for the buyer and the seller,” he said. “Production and consumption were all incentivized to make better decisions. I don’t know if it will work [with cyber insurance]. It’s all about risk.”

Rogers’ insight dovetailed along with the new information from the eighth annual Advisen cyber survey that Zurich Insurance released at the opening of the conference.

The percentage of companies that purchase cyber insurance, either via stand-alone policies or endorsements, has increased 40 points since 2011. This year’s results show a 10% increase from 2017, the largest year-over-year increase since its inception.

“Cyberrisks continue to change and businesses continue to look for ways to protect themselves from those risks,” said Paul Horgan, head of North America Commercial Insurance for Zurich North America. “These survey results provide a critical snapshot of the attitudes, concerns and actions of risk managers. It is our responsibility to respond to their needs and concerns with innovative services and solutions.”

Survey results show the two most influential factors driving cyber insurance purchases in the past year:

  • regulatory changes such as the European Union’s (EU) General Data Protection Regulation (GDPR), and
  • business continuity risks such as the Dyn distributed denial of servicer (DDoS) attack, WannaCry and NotPetya events. These caused significant losses to businesses around the world, shutting down network systems and in many cases slowing or actually halting business operations.

The Advisen data reflects a stark contrast to the feedback from last year’s survey, which found that just 10% of respondents identified business interruption as the primary reason for purchasing cyber insurance and that purchase growth had gone stagnant after a steady six-year increase from 35% to 65%.

These factors were two of the top emerging cyberrisks identified by Risk Management magazine in early 2018.

Data Breaches Taking Slightly Longer To Detect, Study Finds

Posted on by

Despite rising global awareness of data breaches in various industries, organizations experienced an increase in the number of days to identify a data breach over the last fiscal year. According to a new study conducted by the Ponemon Institute and published by IBM, it takes an average of 197 days for a company to identify a breach – up six days from 2017 – and an average of 69 days to contain it (which also showed a three-day increase from 2017).

“We attribute the increase in days to the growth in the use of IoT devices, extensive use of mobile platforms, increased migration to the cloud and compliance failures,” study authors said in 2018 Cost of Data Breach Study: Impact of Business Continuity Management.

This year’s study included 2,634 employees from 477 companies in 17 industries in 13 countries and two regions. The study found that the average total cost of a data breach in 2018 is .

buy biaxin online imed.isid.org/wp-content/uploads/2023/10/jpg/biaxin.html no prescription pharmacy

86 million; $1.45 million is attributable to the most-costly component, which is lost business cost. The least expensive component is data breach notification at The least expensive component is data breach notification at $0.16 million.

Ponemon also included a framework for measuring the cost of mega breaches, which are breaches involving at least 1 million compromised records. There is also a special analysis of the cost to recover from a data breach.

buy cytotec online imed.isid.org/wp-content/uploads/2023/10/jpg/cytotec.html no prescription pharmacy

Some notable findings include:

  • The average cost per compromised record at the surveyed organizations was $148 in fiscal year 2018, up from $141 in 2017 but down from $158 in 2016.
  • The larger the data breach, the less likely the organization will have another breach in the next 24 months.
    buy robaxin online imed.isid.org/wp-content/uploads/2023/10/jpg/robaxin.html no prescription pharmacy

  • Healthcare organizations took an average of 55 days to detect a breach, but 1,037 days to contain it.

To download IBM’s survey, click here.