CYBER LIABILITY & DATA BREACH COVERAGE
Large corporations are not the only targets of cyber crimes. While all industries are impacted, those with complicated supply chains, such as manufacturing and technology businesses, are hit most frequently.
Why do I need cyber liability insurance?
Credit Card Transactions
Even though you use a POS machine and a credit card vendor, you may still be responsible for a breach.
Personally Identifiable Info (PII)
Do you have employee data in your payroll software on your computer?
Vendor Payments & Online Banking
If you pay your bills online, is it possible you or your bookkeeper might be tricked by a phishing email into paying through a fake link? Could anyone in your office be baited into updating a credit card expiration date online, only to discover that the email wasn’t sent by the legitimate bank or vendor?
Could anyone in the office who handles wire transfers fall victim to a social engineering attack?
Employee Laptops, Smart Phones, and Electronic Devices
Are you sure these are protected should they be stolen and fall into the wrong person’s hands? Are these devices all secured and protected from a data breach?
How can a Cyber Policy protect me and my business?
Cyber policies can have First Party and Third Party coverage. The First Party sections cover the business’s own financial loss caused by a cyber event, which is defined as any actual or suspected unauthorized system access, electronic attack, or privacy breach.
The Third Party section covers the business for liability claims against it caused by a cyber event. For example, a claim could arise if your business sent harmful malware to a third party’s computer systems or failed to prevent an individual’s data from being breached.
Forensics & Legal Expenses
Hiring experts to determine the scope of the breach and your legal responsibilities can be costly.
Public Relations Costs
This coverage is for retaining a team of experts to repair any damage to your business’s reputation.
Notification Costs and Credit Monitoring
Under laws now in place in most states, businesses are responsible for notifying anyone who may have been affected by a breach. This coverage may also pick up the costs of providing free credit monitoring for those affected, typically for 12 months.
This covers the business in the event of a lawsuit arising out of exposed customer or employee private information. The Health Insurance Portability and Accountability Act (HIPAA) mandates rules and regulations designed to protect consumers’ healthcare data. If your business transmits health information in electronic, oral or written form, you are likely considered a “covered entity” that must follow these requirements. Business associates of covered entities are also subject to HIPAA requirements. Health information covered under HIPAA is classified as protected health information (PHI), and a wide range of data can fall into this category. A patient’s name, date of birth, social security number and address can all be considered PHI.
Hackers have been known to hold businesses hostage by demanding funds before returning control of the network. Extortion coverage will cover the costs of any “ransom” payment that a third party demands.
A cyber attack can quickly bring down a business network and keep it offline, leading to downtime and unhappy customers. This coverage will reimburse the business for lost business income during this network outage.
Data Loss and Restoration
This covers the cost of restoring any lost data. Some policies may cover any diagnosis and repair to the original cause.
Fraudulent Funds Transfer
Cyber criminals target small business bank accounts by stealing online banking credentials and transferring money to offshore accounts. Since the small business itself was breached, the bank may not reimburse the stolen funds. This coverage will protect the business from such fraudulent funds transfers.
Cyber criminals use information posted on social media to impersonate customers, vendors, or employees with the goal of tricking a small business into releasing funds or sensitive banking information. Social Engineering Fraud coverage will reimburse the business for the funds lost through such deceptions.
Social engineering is the practice of tricking an employee into revealing sensitive information or sending money to an unauthorized recipient.
Example: The employee receives an email or phone call appearing to come from a legitimate business or individual, and they are tricked into providing them with personal information. Scammers use Facebook and LinkedIn for personal information.
Your employee may send money to a third party, thinking they’re a legitimate recipient for the funds. Sensitive information may also be received from phishing (or a computer system hack) and be used to impersonate you or an employee, with the intent of tricking your bank into sending money to a third party.
Vendor Impersonation: An internet thief posing as “Verizon” sent out an email that instructed an employee to click on a link in order to pay an overdue balance. Unfortunately, the link led to a fake Verizon webpage and the employee entered the company’s credit card information, resulting in a loss of company funds.
Executive Impersonation: The accounting manager of a spa received an email that appeared to have been sent by the spa’s owner. It mentioned how great his son’s team was doing at the baseball tournament they were attending in Pensacola. The email also instructed the manager to transfer $2000 to the bank account listed in the email. The manager did as she was instructed; however, it was subsequently discovered that the request was sent by an imposter.
Scenario: You get an email from your boss. She tells you she is tied up in a meeting and needs you to compile all of the employees’ W-2s in PDF format. She says that she has cc’d a tax consultancy firm she hired and asks you to send the W-2s over to them for a review. She adds they’re pressed for time and would like them sent over as soon as possible. She ends the email by asking you to give her a call around lunch time after you’ve sent it. The email is signed with your boss’s digital signature.
You send the W-2s to the tax firm as requested, and give your boss a call around lunch like she asked. Only then do you learn that she never sent an email asking you for the W-2s. She’s also never heard of the “tax consultancy” you sent them to. Together, you find out that the request was fake, the tax consultancy doesn’t exist, and you just sent everyone’s personal information to a cyber criminal. In this scenario, you were the victim of a social engineering attack that employed several tactics.
Types of Cyber Liability Claims:
Theft of Funds: This happens when you have inadvertently shared your online bank account credentials with someone, and they steal your funds straight out of your bank account. Most often this is done by phishing emails or social engineering.
How does it happen?
Extortion. Attackers use the threat of a cyber attack, or the threat to expose or destroy data that they have already compromised, to extort money out of the victim.
Electronic Compromise. Attackers manage to hack into the business’s network, gain access to their online accounting or banking platforms and start wiring money out of the victim’s account.
Social Engineering. Attackers imitate a third party (e.g. a vendor or supplier of the victim business) and trick the victim into wiring money to the wrong bank account. The victim believes they are wiring funds to a third party they know, but in reality, it is going to the fraudsters. This is referred to as “voluntary parting of funds”.
Theft of Data: Theft of personally identifiable information (PII) of your customers.
Damage to Digital Assets: This is when someone hacks into your system and locks up your computers, demanding a ransom.
Kristie English, M.Ed.
Principal / Agent
Why do I need cyber liability insurance? All of my purchase transactions are done through my POS system and that’s covered by their insurance since I don’t hold onto the customer’s credit card information.
Payment Card Industry Data Security Standards (PCI-DSS) were established by the major credit card companies. If you accept, transmit, or store cardholder data, these rules apply to you. Even if you use a third-party vendor for payment processing, you, as the merchant, are still liable for a breach.
We're here to help you understand the best options for protecting your business from hackers and data breaches.
Call us at (833) BIG-TREE / (425) 673-7948, or use our online form to request a quote.