Tag Archives: cyber insurance

Immediate Vault Immediate Access

Holding Executives Accountable for Cybersecurity Failures

Posted on by

The average cost of a data breach for companies surveyed has grown to $4 million, a 29% increase since 2013, with the per-record costs continuing to rise, according to the 2016 Ponemon Cost of a Data Breach Study, sponsored by IBM. The average cost hit $158 per record, but they are far more costly in highly regulated industries—in healthcare, for example, businesses are looking at $355 each, a full $100 more than in 2013. These incidents have grown in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014.

Ponemon wrote:

Leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach–saving companies nearly $400,000 on average (or $16 per record). In fact, response activities like incident forensics, communications, legal expenditures and regulatory mandates account for 59 percent of the cost of a data breach. Part of these high costs may be linked to the fact that 70 percent of U.S. security executives report they don’t have incident response plans in place.

With so much on the line, more and more companies and consumers continue to search for whom to hold accountable for cybersecurity failures, and the message is becoming clearer: executives need to get serious or watch out.

In a recent report from Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports,” board members expressed a surprising amount of confidence in their abilities to understand and act on cyberrisk threats and indicated there are real risks on the table for IT and security executives. Almost all of those surveyed said that some form of action will be taken should these executives not provide useful and actionable information, with 59% claiming there is a good chance one or more security executives would lose their job over such reporting failures.

More board members (26%) ranked cybersecurity risk as their highest corporate priority than any other risk, including financial, legal, regulatory and competitive risks, and 89% said they are “very involved” in making cybersecurity decisions.

Following the typical presentations from IT and security executives, more than three in five board members are both significantly or very “satisfied” (64%) and “inspired” (65%), but 32% are significantly or very “worried,” and 19% are significantly or very “confused” and “angry.”

According to the report:

Of the information provided to them during these presentations, the majority of board members (97%) say they know exactly what to do or have a good idea of what to do with the information. This statistic, however, does conflict with IT and security executives’ thoughts on the information they present. Based on our December 2015 survey, only 40% of IT and security executives believe the information they provide the board is actionable. There is a clear disconnect here between what the board perceives is actionable information, and what IT and security executives define as data that can be used to make informed decisions.

“IT and security executives are focusing on what they believe are the most impactful issues: a) forward-looking information about known vulnerabilities that could potentially harm the company in the future, b) specifics about data that was lost as a result of known infiltrations and data breaches, and c) the impact of these infiltrations and breaches,” Bay reports. “Interestingly, while information about how much is spent to address cyber risk is reported by IT and security executives in less than one-half of the companies surveyed, this was the most commonly cited information that board members said they needed to make investments for cyber risk planning and expenditures.”

Bay also pointed to a critical challenge in the education gap of many board members and the reliance upon information security executives: a large portion of the education board members have on infosec is from the organization’s IT and security executives, and “when the person education you on cybersecurity is the same individual tasted with measuring and reducing cyberrisk, there’s a fundamental disconnect.” It is extremely difficult for board members to understand what they are missing without education of their own and a third-party audit in place.

As cyberrisk continues to become a top enterprise risk priority, the consequences of failure may impact more of the C-suite than just chief information security officers or top IT executives. In May, following a social engineering fraud case that resulted in a wire transfer of 50 million euros, Austrian aircraft parts manufacturer FACC fired its chief executive of 17 years. Some regulators also want to start holding chief executives accountable in a way that truly speaks to them: their paychecks.

online pharmacy suhagra with best prices today in the USA

According to a report from members of parliament on the British Culture, Media and Sport Select Committee, Britain’s status as the leading internet economy in the G20 is under threat from a combination of increasing reliance on digital infrastructure, and inadequate protection of it. To address the issue, they suggest that chief executives who fail to prevent cybersecurity breaches have a portion of their pay docked.

Such was the case with Baroness Harding, the chief executive of TalkTalk, Britain’s fourth-largest broadband provider, which suffered a high-profile cyberattack recently.

online pharmacy mobic with best prices today in the USA

Her performance bonus was slashed by more than a third as a result of the company’s security failings.

online pharmacy naprosyn with best prices today in the USA

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment,” said Jesse Norman, chairman of the committee. “Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”

Beware of Coverage Gaps for Social Engineering Losses

Posted on by

Social engineering is the latest cyberrisk giving companies fits and large financial losses. A social engineering loss is accomplished by tricking an employee of a company into transferring funds to a fraudster. The fraudster sends an email impersonating a vendor, client, or supervisor of the company and advises that banking information for the vendor/client has changed or company funds immediately need to be wired at the “supervisor’s” direction.

buy prelone online blackmenheal.org/wp-content/uploads/2023/10/jpg/prelone.html no prescription pharmacy

The email looks authentic because it has the right logos and company information and only careful study of the email will reveal that the funds are being sent to the fraudster’s account. Unsuspecting and trusting employees unwittingly have cost their companies millions of dollars in connection with social engineering claims.

But when companies look to their traditional insurance program, they are usually met with the unhappy surprise that they do not have coverage for such a loss.

buy ventolin online blackmenheal.org/wp-content/uploads/2023/10/jpg/ventolin.html no prescription pharmacy

Most assume that the loss will be covered by the crime/fidelity policy that nearly all companies have. Insurers, however, have denied coverage for social engineering claims under those policies, claiming that the loss did not result from “direct” fraud. Insurers contend that the crime policy applies only if a hacker penetrates the company’s computer system and illegally takes money out of company coffers. In the case of a social engineering claim, company funds have been released with the knowledge and “consent” of an employee, albeit the employee has been induced by fraud to release the funds. Policyholders and insurers are currently litigating the scope of coverage under traditional crime policies nationally with mixed results.

Some crime policies also contain exclusions that may pose specific barriers to social engineering claims. For example, many traditional crime policies contain a “voluntary parting” exclusion that bars coverage for losses that arise out of anyone acting with authority who voluntarily gives up title to, or possession of, company property. In addition, some insurers have put overly broad exclusions on crime policies that are directed toward eliminating coverage for many cyber risks, including social engineering claims.

Given the prevalence of social engineering claims and the clear market for companies looking to insure against such risks, some insurers have begun to offer an endorsement that provides coverage for social engineering claims.
buy flagyl online https://galenapharm.com/pharmacy/flagyl.html no prescription

The coverage may be subject to a sublimit and may include coverage for some, but not all, social engineering risks. The coverage also might be subject to additional exclusions.

buy robaxin online blackmenheal.org/wp-content/uploads/2023/10/jpg/robaxin.html no prescription pharmacy

Like all insurance policies, the precise words of the endorsement matter and, therefore, should be carefully reviewed.

Finally, and most important of all, social engineering coverage will not automatically be added to a company’s policy and not all insurers will provide such coverage. Therefore, companies should review their current insurance program with their insurance professionals and experienced coverage counsel to determine whether they have appropriate coverage that is in line with the market for social engineering claims.

Check out “6 Tips to Minimize the Risks of Social Engineering Fraud” from Risk Management.

Travelers Must Cover Inadvertent Data Disclosures, Court Rules

Posted on by

A recent Fourth Circuit case affirmed a Virginia district court ruling that insurer Travelers Indemnity Company of America had a duty to defend a class action brought against its insured, Portal Healthcare Solutions, LLC, under a cyber liability insurance policy providing coverage for the electronic publication of certain materials. Portal Healthcare provided “electronic storage and maintenance of certain medical records” as a service to its healthcare provider clients.

buy rifadin online www.handrehab.us/images/patterns/jpg/rifadin.html no prescription pharmacy

The class action suit alleged that Portal Healthcare negligently failed to provide services when a wrong security setting on a web access portal was selected, allowing internet search engines to scoop up not only the login page as a search result, but also the underlying sub-pages containing medical records.

Travelers argued that it had neither a duty to defend nor indemnify under the 2012 and 2013 policies acquired by Portal Healthcare. The 2012 policy included a “Web Xtend Liability Endorsement” applicable to coverage for “Personal Injury, Advertising Injury and Web Site Injury Liability.” The 2013 Policy contained a Commercial General Liability Coverage Form applicable to “Personal and Advertising Injury Liability.” The applicable definitions included:

  • “Advertising injury” means injury, arising out of one or more of the following offenses: … electronic publication of material that … gives unreasonable publicity to a person’s private life
  • “Personal injury” means injury, other than “bodily injury,” arising out of one or more of the following offenses: … electronic publication of material that … gives unreasonable publicity to a person’s private life
  • “Web site injury” means injury, other than “personal injury” or “advertising injury” arising out of one or more of the following offenses: … electronic publication of material that … gives unreasonable publicity to a person’s private life …”

Travelers asserted that it owed a duty to defend Portal Healthcare only if the underlying class action complaint alleged “(1) injury arising out of the offense of “electronic publication of material that … gives unreasonable publicity to a person’s private life” (2012 Policy) or (2) injury caused by the offense of “electronic publication of material that … discloses information about a person’s private life” (2013 Policy).”

The Fourth Circuit, however, held that the Eastern District Court of Virginia correctly analyzed the matter under the “Eight Corners” rule, where the court must look first to the four corners of the contract (the insurance policy) and then the four corners of the complaint. The policy provided coverage for “publication” of electronic materials which either gave “unreasonable publicity” to or “disclosed” information about an individual’s private life.

Travelers argued that there could not be “publication” when the insured’s business was the protection of information and there was no evidence that a third party actually viewed the information.

buy lariam online www.handrehab.us/images/patterns/jpg/lariam.html no prescription pharmacy

The District Court determined in the first instance that “publication” does not refer to intent (whether intentionally or unintentionally disclosed) so that argument was rejected. As to the second element, the court noted that publication occurs when placed “before the public,” without reference to whether the public actually reads the information.

Under the second requirement for coverage, Travelers maintained that “publicity” required a proactive step to “attract” interest, and “disclosure” requires a third party to actually view. The District Court held that publicity was unreasonable due to the nature of the sensitive information contained in the medical records and there was no requirement that the insured take overt action to attract attention to the information.

buy minocin online www.handrehab.us/images/patterns/jpg/minocin.html no prescription pharmacy

As to the “disclosure” argument, the District Court held that disclosure occurred when the possibility of viewing by a third party happened, not when or if a third party actually viewed the information.

The District Court also addressed the fact that there was no express exclusion of the actual security failure involved and at a minimum the insurance carrier would have to defend (although it could still later argue it had no duty to indemnify) based on the law that such an ambiguity is decided in favor of the insured.

This makes it clear that it is critical to pay attention to the type of coverage purchased and to the fine print. It may also be helpful to have an insurance agent review the types of coverage you have, to look for gaps based on your business and possible risks, since each policy type includes those risks which are intentionally covered and others which are expressly excluded. Although the types of policies continue to expand to cover new technologies and new risks, depending on the carrier and the policy’s exclusion language, the coverage may not be what you think it is.

10 Tips for Securing Responsive Cyber Coverage

Posted on by

SAN DIEGO—With hacking incidents becoming all too common, risk managers are under increasing pressure to help protect their companies from the inevitable breach. Insurance is an option but policy forms are still developing. In a session at RIMS 2016, Joshua Gold, a shareholder with Anderson Kill and Debbie Gramer, director of global risk management at Arrow Electronics, Inc., offered the following 10 tips to risk mangers looking to secure the best possible coverage for their organizations.

  1. Be careful with insurance applications.
    buy anafranil online www.nicaweb.com/images/layout1/gif/anafranil.html no prescription pharmacy

    Use precise language to convey your exposures to underwriters. Never answer “yes” or “no” to a question that doesn’t really have a yes or no answer.

  2. Retro dates. Hackers can be in systems for days, months or even years so it is important push retro dates back as far as possible.
  3. Look for clear policy coverage. Forms and terms change over time as the risks shift. Having clear language can remove ambiguity.
  4. Symmetry with other insurance (e.g., CGL, property). Review existing policies to determine where there may or not be coverage gaps.
  5. Get endorsements of special coverage needs. If you have exposures from cloud providers and third-party vendors, for example, you will need to specifically address these. Exclusions matter.
  6. If you accept payment cards, be aware of PCI issues and card brand fines and penalties.
  7. Address sub-limit concerns. Losses can be expensive. Make sure sub-limits are adequate.
  8. Beware of breach of contract exclusions.
  9. Beware of conditions on “reasonable” cybersecurity measures. “Reasonable” is a  subjective term. Specifically define security measures to remove any grey areas that could lead to a coverage dispute.
    buy vibramycin online www.nicaweb.com/images/layout1/gif/vibramycin.html no prescription pharmacy

  10. Business interruption and reputational damage insurance may be vague but they are becoming more relevant. Business disruption is quickly becoming the most important operational consequence of a hacking incident.
    buy zofran online www.nicaweb.com/images/layout1/gif/zofran.html no prescription pharmacy

    Make sure you are protected.