It seems not a week goes by these days without news breaking of another massive data breach affecting hundreds of millions of people. At the end of November 2018, Marriott, the global hotel chain, announced they had been hacked and the personal information of five hundred million preferred customers had been exposed to criminals. What’s worse, Marriott announced the original data breach occurred over four years ago, leaving people unknowingly at risk for identity theft during that time.
Within the context of cyber security, one almost always discusses the subject in exponentials, whether considering the number of breached records, the amount of damage, or the size of data leaks. What was groundbreaking three years ago in volume will seem quaint by the end of the year. A host of news stories regarding the 2013 and 2014 data breaches at Yahoo Inc. over the past few months have underlined this aspect of the conversation about cybersecurity. It serves as a stark reminder that companies need to keep an eye on their cyber risks and seriously consider purchasing cyber insurance, if they have not done so already, to survive this increasingly harsh ecosystem.
Wire transfer fraud claims resulting from cyber attacks have increased dramatically over recent years, and companies are losing millions of dollars in these attacks. As is common when a new business risk develops, organizations look to their insurance policies to help cover their losses. As we have shared in previous examples, the coverage is not always adequate.
The extent of coverage for a company that has been victimized may be sparse, and the costs of any breach are ongoing. The consequences of a fraudulent wire transfer depend not just on the specific wording in the policies a business has purchased but also, as seen in the following instances, on how those policies are upheld in different states.
Risk transfers are a vital aspect of any comprehensive risk management plan. Theoretically, those in the best position to avoid a risk should always bear responsibility for the risk. The real world does not work that way, unfortunately. Oftentimes, larger companies and larger contractors use risk transfers to try and push liability “downhill” – onto the backs of smaller companies with less negotiating leverage.
Social engineering attacks continue to represent a significant attack vector on U.S. businesses. The frequency and cost of these attacks keep increasing. Businesses need to protect themselves or they could be facing large losses. While people tend to view hackers as computer whizzes exploiting technical flaws in software code, the reality is that over 95% of attacks focus on exploiting human weaknesses, not technological ones.
Ideally, most businesses would purchase cyber insurance coverage. This coverage can protect your company from the costs associated with data breaches, ransomware attacks, and other potential avenues of liability resulting from your cyber systems. However, as more and more companies move their operations to the cloud, significant questions arise as to how this impacts a company’s risks, exposures, and insurance.
Cyber insurance policies typically cover a range of damages that can be caused by a system breach. These expenses range from notification and defense costs to business interruption and data loss coverage, as well as a host of other types of damages. Because cyber insurance is not yet standardized, though, the types of damages that are covered can vary significantly from policy to policy and from carrier to carrier.
Class action lawsuits present numerous challenges for both defendants and harmed parties. The costs of such lawsuits and the situations in which lead plaintiffs bring them often mean the only ones that benefit from them are the attorneys on both sides of the aisle. While legislators seek to remedy some aspects of class litigation, these suits continue to expand. Recently, they have expanded into the area of cyber crimes and data breach litigation.
Many businesses remain hesitant to purchase cyber insurance policies. Studies show fewer than a third of businesses within the United States have specific coverage for their cyber risks. Yet losses resulting from those risks can easily reach catastrophic levels. This has left underinsured companies searching for unique recovery theories under their traditional insurance policies when suffering the types of losses that cyber insurance would cover.
Another major data breach at an American company worth billions of dollars has served to heighten cyber security concerns in businesses of many sizes in many countries. Equifax announced in September 2017 that a massive theft of data from their system had occurred. The failures of Equifax's cybersecurity team resulted in hackers obtaining the personal information of over one hundred and forty-five million of the people whose credit history Equifax tracked.
Companies who have relied on virus detection and anti-malware software to provide sufficient cybersecurity now have to look for new approaches. In May 2017, cybersecurity experts found “fileless malware” on the networks of over one hundred forty different banks. Fileless malware first gained some degree of public notoriety when security firm Kaspersky Labs detected a breach in its own networks - hackers using sophisticated techniques to spy on the companies trying to stop them. Since then it has grown to encompass approximately 15% of known cyber attacks.