Question and Answer with Michelle Lopilato, the Senior Vice President, Director of Cyber and Technology, HUB International, along with John Farley, Vice President, Cyber Risk, HUB International
Cyber attacks are a reality in today’s age of technology, but that doesn’t mean your business has to become a victim when one strikes. You can stay afloat by arming your start-up or SMB with proactive and reactive cyber security strategies.
Tragically, 60 percent of small to midsize companies that suffer a cyber attack are out of business within six months. Don’t make the mistake of assuming that your business is not as susceptible to breaches as large companies. In fact, 55 percent of 600 small and medium-sized businesses (SMBs) in a recent survey reported being hacked.
Read on to find out how cyber security experts John Farley and Michelle Lopilato address the most frequently asked questions regarding breaches among start-ups and SMBs.
Q: What type of cyber insurance coverage should a start-up and SMB purchase?
A: Due to the fact that there are at least 38,000 known cyber threat vulnerabilities, it would be prudent to purchase a complete and industry-tailored cyber policy that covers cyber extortion, data asset loss, breach response costs, privacy liability, network security liability, media content liability, regulatory defense, payment card industry violations and business interruption. Since the marketplace is so competitive, the cost-savings would not make an impact to the overall premium versus the risk a company would be taking on, potentially affecting their balance sheet.
Q: In the event of a data breach, who is liable, the vendor or the business?
A: Legal liability and the associated costs can fall on both the original data collector and their vendor. Data protection laws and jurisdictional issues may affect the allocation of liability. A well written contract with favorable indemnity language and insurance requirements may help shift the legal burden from the business owner to the vendor.
Q: Who is legally responsible if customer information held in a third-party cloud service is hacked?
A: If a vendor is hacked and their client data is compromised, both the original data collector and the vendor could face liability and incur costs. There are many factors that could determine liability, including: regulatory requirements, industry standards, contracts, jurisdiction, and the facts of the incident.
Q: If a hacker successfully accesses a company email and orders the bookkeeper to transfer funds to a third-party account, does cyber insurance cover the loss of those stolen funds?
A: A cyber insurance broker can assist in this process to determine the best way to proceed, but generally the cyber policy can respond if the coverage is negotiated. However, it is best to consult with a broker with cyber expertise who understands the endorsements and can determine if securing coverage on a commercial crime policy is the best option for this type of loss. The endorsements will provide a sublimited amount of coverage, and companies may be more successful securing coverage on a commercial crime policy with a higher sublimit.
Q: Which cyber-insuring agreement receives the most claims?
A: The most common are data breach responses. This includes costs to comply with privacy law, which could consist of legal consultation, data forensics, public relations, notification, credit card monitoring or ID theft monitoring, and also call center costs.
Q: Where do the involved regulatory bodies originate: from the state where the insured operates or where the victim resides?
A: State privacy laws apply to where the victim lives and not where the breach occurs. If a breach affects clients or customers residing in several states, understand that the laws of each state are all different. You must comply with the various timelines for notification. Additionally, there are federal regulators that have laws to protect different types of data, such as HIPAA for healthcare, FERPA for education, and GLB/Red Flag Rules for financial institutions.
Q: If data is being held ransom, should a business owner pay off the hacker?
A: The FBI recommends against paying hackers in ransomware attacks and explains it only encourages future cyber-attacks. There’s also no guarantee that a hacker will release your data after being paid. It is recommended that you regularly back up network data to quickly restore your files and avoid having to negotiate with hackers.
However, should you be unable to restore backups or not have them, an insurance policy would pay the ransom to secure your stolen/encrypted data in order for the company to become fully functional again.
Q: Even with technology and software solutions available, does human error remain one of the greatest risks if there aren’t training, protocols, and practices in place?
A: Yes, absolutely! While nearly half of all data breaches are due to malicious individuals, 25 percent of them are due to human error. These mistakes could include: lost or stolen laptops or thumb drives, employees clicking suspicious links, data entry error, improper delivery of data/records, and improper disposal.
You may be small, but you can be mighty as long as you incorporate effective cyber security strategies. Act now to protect your business from a data breach!
About The Experts:
Michelle Lopilato, Senior Vice President, Director of Cyber and Technology Solutions at HUB International, is responsible for advising clients and prospects on issues related to cyber, privacy and technology-related risks, as well as negotiating with carriers on policy terms and conditions.
John Farley, Vice President and Cyber Risk Practice Leader at HUB International, has 25 years of experience in insurance and risk management. John leads HUB’s Cyber Risk division of consultants and brokers focused on assisting clients with achieving their risk improvement goals, providing advisory services and serving as a network security and privacy liability consultant. He helps clients with pre- and post-data-breach services, applying his extensive knowledge in data breach response.