The clash between the stringent privacy requirements of HIPAA and the known vulnerability of most cyber systems creates a host of anxieties for most modern medical care providers. The Health Insurance Portability and Accountability Act requires that medical providers and insurers take reasonable precautions to ensure that the medical information of their patients remains private. At the same time, it is increasingly apparent that almost all cyber information systems have at least a few vulnerabilities, even if only through their users, and few systems can withstand a dedicated, concentrated cyber assault.
Wire transfer fraud claims resulting from cyber attacks have increased dramatically over recent years, and companies are losing millions of dollars in these attacks. As is common when a new business risk develops, organizations look to their insurance policies to help cover their losses. As we have shared in previous examples, the coverage is not always adequate.
The extent of coverage for a company that has been victimized may be sparse, and the costs of any breach are ongoing. The consequences of a fraudulent wire transfer depend not just on the specific wording of the policies a business has purchased but also, as seen in the following instances, on how that wording is upheld in different states.
Social engineering attacks continue to represent a significant attack vector on U.S. businesses. The frequency and cost of these attacks keep increasing. Businesses need to protect themselves or they could be facing large losses. While people tend to view hackers as computer whizzes exploiting technical flaws in software code, the reality is that over 95% of attacks focus on exploiting human weaknesses, not technological ones.
Class action lawsuits present numerous challenges for both defendants and harmed parties. The costs of such lawsuits and the situations in which lead plaintiffs bring them often mean the only ones that benefit from them are the attorneys on both sides of the aisle. While legislators seek to remedy some aspects of class litigation, these suits continue to expand. Recently, they have expanded into the area of cyber crimes and data breach litigation.
Many businesses remain hesitant to purchase cyber insurance policies. Studies show fewer than a third of businesses within the United States have specific coverage for their cyber risks. Yet losses resulting from those risks can easily reach catastrophic levels. This has left underinsured companies searching for unique recovery theories under their traditional insurance policies when suffering the types of losses that cyber insurance would cover.
Whether to purchase cyber risk insurance remains a big question for many companies. Recent studies have shown that only a quarter of U.S. companies currently have cyber risk insurance despite more than half of companies stating they expect to suffer a breach within the next year. These positions seem contradictory, but they appear to stem from doubts about the effectiveness and the extent of cyber coverage given its price.
Another major data breach at an American company worth billions of dollars has served to heighten cyber security concerns in businesses of many sizes in many countries. Equifax announced in September 2017 that a massive theft of data from their system had occurred. The failures of Equifax's cybersecurity team resulted in hackers obtaining the personal information of over one hundred and forty-five million of the people whose credit history Equifax tracked.
In the popular imagination, major cybersecurity events involve an elite hacker (or a group of them) employing a singular genius to crack complex computer codes and steal vital secrets or millions of dollars. The reality is that most hackers use a set of tools available for sale for shockingly small amounts of money. “Hacker schools” in places like Brazil and Russia can train someone who is relatively computer illiterate to use those simple tools to exploit vulnerabilities and gain access to sensitive information, whether it be trade secrets or personally identifiable information useful for committing identity theft.
The last few months have seen a series of high-profile ransomware attacks strike businesses across Asia, Europe, and North America. Large numbers of businesses have seen significant losses as a result of these attacks. Losses have stacked up, and companies without cyber insurance are now facing hefty bills.
"When people consider cybersecurity, too often they think of high-level data encryption, secure sockets layers (SSL), and high-powered firewalls and antivirus protection," says Charlie E. Bernier, Principal Consultant and Cyber Insurance Expert at ECBM. "Yet overlooking simple steps to protect a company’s information technology resources can prove just as costly." Thinking through issues like adequate backup systems, employee training, and network setups can save a company millions of dollars. A series of outages at major airlines over the past year has highlighted the specific importance of planning backup systems properly. Delta Airlines, United Airlines, and Southwest Airlines have all suffered major information technology outages that canceled hundreds or thousands of flights and cost these companies millions of dollars in revenue.