BreachExchange mailing list archives

How to Determine Your Clients’ Cyber Exposures


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 5 Nov 2014 19:42:53 -0700

http://www.insurancejournal.com/magazines/features/2014/11/03/345167.htm

Cyber Liability is certainly one of the hottest topics in both the media
and insurance industry today. It seems like headlines and news stories
announce new victims of data theft almost on a weekly basis.

But even with all the attention that personal data theft and cyber
liability are getting, many insurance professionals are still reluctant to
engage their insurance clients on the personal data theft and cyber
liability exposures that face them. In most cases, the lack of familiarity
suggests there is a need for an organized approach to assessing personal
data theft and cyber liability exposures.

Here is a basic overview of who has an exposure and the options available
to deal with it.

Does my client have personal data theft or cyber liability exposures?

If your client stores or collects personally identifiable information in
either a written or electronic format, they have an exposure. In the event
of either a physical theft or an electronic theft of the information
stored, your client could be financially impacted in multiple ways.

Your client’s liability to those whose records have been impacted could be
only part of the total cost. There are 47 states and multiple federal
agencies with laws and rules regarding personally identifiable information
and the required notification to and monitoring of record holders following
a breach.

You’ve probably received a letter yourself letting you know that your
record may have been compromised and that your credit will be monitored.
Did you know the estimated cost of everything going on behind that letter
is $228 per record?

To put this in perspective, insureds with just 250 records at an estimated
cost of $228 for monitoring and notification per record would incur a cost
of $57,000. That’s before anyone loses a dime as a result of the theft. Few
businesses deal with fewer than 250 customers over time.

Most definitions of personally identifiable information in legislation
include name, address, date of birth, Social Security number, credit card
numbers, email addresses and passwords as information that must be
safeguarded.

Be aware that definitions of personally identifiable information are
expanding.

Does your client interact with the internet?

Many companies actually conduct business via their website, accepting credit
card payments either directly or through a third-party vendor that they
link to.

Companies also use their website, Facebook or LinkedIn page as a source of
communication with their clients. Companies also upload and download data
to third-party vendors. Consider your agency using a rating program for a
carrier. Imagine a virus being uploaded from your system disabling the
carrier’s site. Many businesses interact similarly within their industries.

How should you deal with exposures?

Almost every business has some exposure. Now, what’s the best way to deal
with the exposure?

Avoidance is one method. If your clients do not have an incident or a
breach, they are all set. The other name for this is luck. Statistics would
argue against relying on luck. More than nine million Americans have been
victims of identity theft resulting in more than $5 billion in losses. Over
the next few years it is estimated that almost everyone in the U.S. will be
a victim of some form of identity theft.

Security is another method. Increasing security and expanding training in
the handling of information is a great way of protecting information and
networks from threats. Internal protocols, access limitation and training
can reduce the possibility of rogue employees, accidental dissemination or
external hackers gaining unauthorized access.

While most companies agree the expense of security is more than worth the
cost of a serious system breach, it is almost weekly that we hear of a top
company having their sophisticated system breached.

Finally we come to insurance. While insurance neither prevents nor deters
cyber attacks, it does reduce the financial impact following an incident or
breach. Additionally, insurance programs can be designed to cover multiple
data and cyber liability exposures within a budget. Most policies today
also provide an emergency response service that immediately responds and
assumes management of the incident.

In summary, almost every client has some personal data theft or cyber
liability exposures. If they store or collect personally identifiable
information or interact with the internet there is some level of exposure.
Security and training can minimize the potential of an incident, but most
prudent business owners would supplement this with some level of insurance
protection given the statistics and trends.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
