Protect Your Agency from a Cyber Attack

iStock_000010911507_Large

By Timothy L. McClendon, CIC, CWCA,
and Mark C. Greisiger

As I’ve traveled around the country over the last few years, I have seen that most agents recognize the various cyber risks facing their clients and are trying to discuss the subject with them. Some of these agents are becoming experts on the subject as they weave their way through the many different cyber policies now offered in the market. Others, while recognizing the risks, are still not comfortable talking to their clients about cyber liability.


Data Loss Events: Protecting the Protectors

In recent years, agents have done a good job of explaining to clients the need for a disaster recovery plan and, with the help from carriers’ loss control personnel, many insureds have adopted those plans. However, it is probably safe to say that most small-to-middle market businesses today—including most insurance agencies—still do not have a cyber-disaster recovery plan, and most agents are not conversant enough to recommend one. In addition, many agencies that have purchased cyber coverage depend on the cyber insurance carrier to walk them through the breach protocols. While banks, healthcare providers, and big box retailers may be the most-discussed victims of data breaches, cyber risk doesn’t discriminate. Any and all organizations which rely on the internet, electronic devices, data storage, cloud computing, social media, and/or vendors using any of the above are vulnerable—in other words, every organization. Yet, even as an increasing number of insurance firms provide cyber liability coverage to others, those very same firms may not be prepared to handle such an event within their own walls.


High Stakes for Data Loss

Forty-seven states (excluding Alabama, New Mexico, and South Dakota) have enacted security breach notification legislation, along with numerous federal laws. It is important for agents to know the notification requirements of their own state laws—not only for discussions with clients, but for their own needs as well.

Questions agents should ask:

  • What is your state’s definition of “personally identifiable information?”
  • What “entities” are covered under your state’s statute?
  • What level of duty is imposed on entities to protect information in your state?
  • What are the notification requirements in your state?
  • What are the fines or penalties for noncompliance in your state?

Federal laws also contain different reporting requirements, such as HIPAA and the Graham-Leach-Bliley Act. Also, the Affordable Health Care Act makes “business associates” who provide services to “covered entities” subject to HIPAA’s security and privacy requirements. Breach notification laws commonly include the:

  • Scope and nature of information covered by the law
  • Events and conditions triggering obligations under the law
  • Obligations under the law in the event action is required

Here are two resources agents can use to determine the parameters of their state notification laws:


Assessing the Cost of a Data Breach

In the event of a data breach, notification costs alone can be staggering. Estimated costs just to mail notices to customers that could be affected are around $14.00 per person, and credit monitoring can cost as much as $10-$12 per person, per year.

Here are two free websites that can help agents (and their clients) determine the cost of a data breach:

Symantec & Ponemon Institute—Their calculator helps to determine:

  • the likelihood that your firm will experience a data breach in the next 12 months.
  • the cost per record in the event of a data breach at your company.
  • the overall cost of a data breach at your company.
  • https://databreachcalculator.com/

Identity Theft 911—Their calculator will provide:

Net Diligence has conducted research that gives us a general idea of the costs involved with data breaches. An outline of these costs appears in the following table:

NetDiligence-format® 2014 Cyber Claims Study

  • Reviewed 140 claims reported to 15 cyber liability insurers
  • Per breach costs

    • Average claim: $733K (median $144K)

      • Large company = $2.9MIL
      • Medium company = $688K
      • Small company = $664K
  • Per record costs

    • Average per record cost: $956
      (was $307 in 2013)
    • Average records lost: $2.4MIL
      (median records lost: $3.5K)
  • Crisis services costs (forensics, legal counsel, notification, and credit monitoring)

    • Average cost of crisis services: $366K
      ($737K in 2013)
    • Median cost of crisis services: $95K
  • Legal costs (defense and settlement)

    • Average cost of defense: $698K
      ($575K in 2013)
    • Average cost of settlement: $558K
      ($258K in 2013)

Disaster Recovery Plans: Preparing for the Worst

When working with clients, developing and implementing a disaster recovery plan is second nature to most agents. However, doing so for their own firms is quite different. These plans, just like any disaster plan, require preparation and design by more than one person. They require input and buy-in from all sectors of the agency, from the top management down.

There are many resources for assistance in developing a plan. The government’s Privacy Data Assistance Center offers a particularly good Data Breach Response Checklist. You can find it for download at: http://ptac.ed.gov/sites/default/files/checklist_data_breach_response_092012.pdf

Here are a few key items for consideration when putting together an agency’s security breach disaster plan:

  1. Stop the breach. Does your agency know how to stop a breach? The agency’s IT department, whether internal or external, needs to act fast to stop the security breach and/ or to prevent further loss of data. Options include shutting down/locking down the system, limiting access to data, changing passwords, etc.
  2. Develop a response team. Regardless of size, an agency may want to develop a response team and specify the role and responsibilities of each team member—both internal and external.
  3. Get the facts—date, time, and duration—of the breach. Did the breach include the loss of personal information (employee records, customer records, medical records such as health information and WC claim data, etc.)? Who caused the breach? Was it an internal accidental breach by an employee or actions of a rogue employee? Was it an external breach (former employee, vendor, customer, an unknown hacker)?
  4. Contact your firm’s insuring company (or companies). Your agency’s response team should coordinate its steps with those of the insurer’s response team.
  5. Statutory requirements. Is your agency familiar with the statutory requirements? Know which legal jurisdictions your agency needs to contact (local law enforcement, state, federal, and international). Business location and the location of the affected individuals will be primary considerations. This will also depend on the specific data that was breached. Report accordingly.
  6. Contractual requirements. Review existing contracts (vendors’ or clients’) and comply with contractual obligations to the other party. If a party to the contract (such as external IT or a payroll vendor) was the cause of the breach, what obligation do they have to your insurance agency?
  7. Contact legal counsel.
  8. Notification of affected individuals. Know if and when to contact the affected individuals according to statutory and contractual requirements. Remember—the notification should include information that complies with applicable statutory and/or contractual requirements. Know what communication vehicle should be used to send notice to the affected individuals.
  9. Conduct forensic investigation according to statutory and contractual requirements.

Immediate Safeguards

A tested data breach incident response plan is a manual for the worst-case scenario—a known instance of data loss—but firms can be doing more to protect themselves now and help prevent such events from occurring. A firm’s best defenses are:

  • Security updates
  • Biometrics
  • Smart cards
  • Strong internal controls

Security Controls and Monitoring

Reliable security demands a layered approach. This includes intrusion detection software, patch management, encryption of private data, data loss prevention solutions, firewalls, mirror sites, backup servers, security and event logging software, virus protection, and other controls that can help partition, compartmentalize, and hide important resources and information assets. Because the IT department does not exist in a vacuum, IT security procedures should align with the privacy policy.


Understanding Systems

A network systems map not only provides a template for monitoring security and preparing for potential breach incidents, it also creates a blueprint for an emergency situation, allowing for a quicker and more accurate response in isolating and remediating the problem. Create a map that includes an inventory of your sensitive customer data assets, and keep it up-to-date.


Cyber Risk Assessments

An enterprise-level cyber risk assessment may be the single best way to improve your organization’s cyber security posture. State laws and federal regulations, such as HIPAA and HITECH, currently mandate that covered entities conduct a regular cyber risk assessment of potential vulnerabilities and address those vulnerabilities with direct action. Many insurance companies also mandate risk assessments for cyber liability coverage. A cyber risk assessment will identify and document any glaring security omissions or oversights, review privacy and compliance practices, and may include activities such as penetration testing, using industry accepted standards as benchmarks.


Staff Training

Proper employee training for security and privacy awareness helps to avoid cyber risk incidents. Your employees should be aware of legal issues involved in breach response, and should also learn how to preserve evidence and practice discretion in the case of an event.


Contracts and Vendors

When a data breach occurs, the inhouse customer service team, public relations department, and IT team will need help handling the complexities of response and remediation—particularly where legal and regulatory issues are concerned. Contracting vendors in the heat of the moment can also lead to poorly-made decisions and a lack of due diligence. Identify, in advance, vendors for applicable services such as legal counsel, forensics, credit monitoring, call center and victim notification, and crisis management and PR. Sign business agreements so that when the emergency strikes, you can immediately engage these vendors.


In Case of Danger

During a suspected data loss event, time is of the essence. Sometimes, breaches have been in process for days (if not weeks or months) before discovery. At the first alert of a potential breach, action must be quick and decisive to avoid further loss. The following are some required steps to take immediately:

  • Engage internal and external legal counsel, as well as privacy or compliance personnel.

    • Note: A breach expert or manager can help coordinate the response in relation to regulatory and legal requirements, such as notification timelines. This individual will also assist you in managing the process steps.
  • Make sure internal stakeholders understand the situation.

    • In addition to your internal response team, this might include upper management.
  • Follow your data breach incident response plan, including the engagement of your breach response experts.
  • Allow forensics investigation to begin, and be prepared to offer support.
  • Plan for PR/media relations strategy and crisis communications.

    • Craft official messaging (with counsel & PR oversight) that is consistent and clear. Note that this messaging might differ by audience: for victims, the media, partners, and internal purposes.
  • Legal counsel to report breach to federal and state agencies.
  • Notify, with legal counsel oversight, affected customers, partners, and vendors according to regulatory and legal requirements.
  • Prepare customer support resources.
  • Prepare for a potential Fed/State Attorney General investigation (counsel guidance) and/or class action lawsuit.

Cyber Insurance Policies

One of the great benefits of purchasing a quality cyber risk insurance plan is that many of them come with built-in event management assistance which may include hot-line contacts for agency personnel and clients. They may also assist with securing a professional public relations firm to manage the PR nightmare.

For example, Hartford’s Data Breach Policy comes standard with data breach risk management services from Identity Theft 911 (IDT911), one of North America’s leading data risk management companies. Their services include an online proprietary breach preparedness website that provides:

  • Theft prevention information such as data protection tips, breach scenarios, articles, and best practices
  • Legal rights and responsibilities: upto-date information on consumer, regulatory, and third-party requirements
  • Damage control tips to help establish procedures to minimize the impact of a data breach incident
  • Help with a response plan that includes a breach-counseling professional, notification letters and regulatory compliance, crisis management and public relations, recommended remediation steps for future prevention, and documentation support in the event of a lawsuit

These policies are not always expensive. In fact, many are relatively inexpensive and can help agencies prepare for the worst. Most agents find it much easier to sell a product they have purchased for themselves. With the growing number of carriers and products available, there is no excuse for agents not to have this valuable coverage in place.

Many thanks to John Cheffer, Data Privacy Underwriting Specialist at The Hartford Financial Products, for his assistance with valuable information in this article.


Learn More, Earn More

Attend the CRM Control of Risk Course to learn about first and third-party cyber exposures and risk control techniques. Also, many Ruble Graduate and Advanced Risk seminars include sections and presentations dedicated to cyber risk—check the agenda of the specific seminar you wish to attend. To learn more about general commercial liability exposures and treatments, attend a CIC Commercial Casualty Institute. And keep in mind, The National Alliance Research Academy’s book, Risk Management Essentials, is an excellent resource for learning about all types of risk.


Tim McClendon has been an insurance agent for over 40 years. He is a managing partner at Hertel McClendon, LLP, a tenured CIC, a CISR and CIC National Faculty member, a mentor for both the CIC and CISR Programs, as well as a past CISR board member.

Mark Greisiger is President of NetDiligence, which provides cyber risk assessment and data breach crisis services for cyber liability insurance carriers, to assist their insureds and advise if reasonable security and privacy safeguards are in place to mitigate data breach loss and liability. Since 2001, NetDiligence services have been utilized by the majority of insurers in the United States and United Kingdom that offer cyber risk insurance products, providing loss control services for their insured business clients.

Comments are closed.

All Rights Reserved. | The National Alliance for Insurance Education & Research