October 27, 2017
Enquire the Expert: What You Should Know About Cyber Risk
Divisional Vice President
There is no doubt that cyber security impacts everyone. In 2017 alone, there were a few extensive cyber attacks. The WannaCry ransomware attacked thousands of computers around the world. Equifax’s recent attack impacts half of American adults. It has become clear that companies can no longer take a passive role and that cyber security needs to be proactively managed. We interviewed Grant Goldsmith, Divisional Vice President at Avalon Risk Management, to learn more about this important topic and how companies can handle this risk.
Q: When people think of cyber attacks, they often think of identity theft. What are some other forms of cyber attacks?
A: Ransom is becoming a common type of cyber attack. In these events, hackers shut your systems so that you can’t access them. This can render your computer and entire network inoperable. The criminals demand a ransom in order to return your systems and data to normal conditions.
There are also cases of intrusions where client data are made public. Hackers will put confidential company information, which includes customer data, on the internet where your competitors can see it. The released information not only contains your customer list, but also your pricing schedules. Breaches like these are not only threatening because the data is exposed but also because you lose customer and public trust. People may stop doing business with you because they are no longer confident in your company and its security. This directly hits your bottom line.
Q: Desktops and laptops are not the only things that can be hacked. What other vulnerabilities does a company have?
A: Mobile devices and anything that interacts with them, including wearables and apps, present a serious threat. These products were designed for a specific function (like counting steps) and to interact with your phone. They are not built with security in mind and are easier to penetrate. Now, companies need to consider more than just what the company owns but also what the employees decide to interact with on their devices. The way into a company’s system may not be through the network directly; it may be through someone’s wearable device which talks to the phone. Once they’re in the phone, they can use it to access the network and information on it. This creates a backdoor for cyber criminals to get into your systems.
Q: What do you think is a business’ largest concern when it comes to cyber security?
A: Companies should be concerned about the number of people with computers that are hooked to the network. Each of these is a potential entry point for hackers. The more entry points you have, the more vulnerable you are. Laptop computers tend to be more vulnerable because they are often used outside of the office where they access Wi-Fi in public places. Salespeople at airports are especially susceptible. When they log on to check their email between flights, they are creating an opportunity for hackers who troll the public Wi-Fi to find victims. If you don't have strong security on your device, they can gain access and eventually infiltrate the company system.
A second concern would be not keeping software up to date. Companies and computers use a variety of software, and vendors constantly update them to improve operations and strengthen security issues. Unfortunately, not everyone gets the updates and patches as soon as they’re available. This was what happened with Equifax that allowed hackers to get in.
Q: There have been several large cyber attacks in the last few years. Do you see this trend continuing or do you think that companies will become better at preventing attacks?
A: This trend will continue because there are too many ways to get in. We are becoming a more electronic-based society, and this will only increase as we perform more everyday functions electronically. Nowadays, we don’t even need to take out our wallet to check out at the grocery store. Our phone and smart watch can be our digital wallet using Apple Pay or other services. This creates another point of entry into our data and system.
Q: Let’s talk about Cyber Liability Insurance. Should all companies have it?
A: I would suggest that any company with an internet presence consider obtaining Cyber Liability Insurance. This is especially important for anyone whose primary interactions are electronic through email or system integrations. Customs brokers and logistics companies often have systems that interact with their customers’ systems. When our system is interacting with their system, it produces a way for a virus or some sort of intrusion to occur and spread.
More and more large companies, like Coca-Cola, are requiring their vendors to have Cyber Liability Insurance to do business with them. Their systems often interact and they want to know that they’re covered if their system is negatively impacted through this interaction. If the virus was contracted through the vendor, they’re going to look to them to rectify the situation. As this becomes a best practice for large companies, small and mid-size companies will also adopt this policy. Additionally, savvy lawyers know that cyber-related events are not typically covered by a crime policy so they work Cyber Liability Insurance into the contract.
Q: Can you go into more details on Cyber Liability Insurance? What does it cover and not cover?
A: There isn’t a standard form in the market and policies vary. There are also a number of enhancements that can be added to policies and not every company will need them. Therefore, it would be in the consumer’s interest to first decide what their needs are and then search for it in the market. If they look to the market first, they may become overwhelmed by what’s out there and not get the policy that is best for them.
Cyber Liability Insurance generally covers two components – liability and first party. The liability aspect covers the insured in case their system does damage to other systems. This includes spreading malicious emails or viruses. First party covers damage that we sustain due to a cyber attack, cyber intrusion, network hijacking, or ransomware.
In many cases, crime is also covered. This includes direct withdrawal of money (where they infiltrate the system and wire money out) and social engineering (where hackers send fictitious emails asking for money). For example, the hacker impersonates the CFO and asks the CEO to deposit $10,000 in earnest money for a project that is currently in the works. This is a legitimate venture that both individuals have discussed, so the CEO complies with little hesitation. After the money is sent, the CEO discovers that the CFO never requested this but there is no way to get the money back. Often in these cases, the criminals have infiltrated the system long enough to know the right narrative and the right time to insert themselves into it to trigger the fraudulent transfer of funds without raising suspicion.
Q: What is the greatest misconception regarding Cyber Liability Insurance?
A: Companies think that they already have coverage for these events through their General Liability or Crime insurance policies. But these policies often have exclusions for cyber events.
Q: What is the one thing that businesses can do to protect their company from a cyber attack?
A: Employ a reputable third-party vendor to perform an intrusion test annually. This will give them an overall grade rating of how vulnerable or healthy they are. This provides the groundwork on what should be done going forward. If they are relatively healthy, then they will know the few areas that need to be tightened. If it reveals that they are very vulnerable, they can address it immediately and develop a corporate plan of action. This inexpensive test can help close the door on a majority of the common attacks.
A cyber attack can severely damage a company’s reputation and bottom line. Therefore, cyber risk needs to be a cornerstone in a company’s overall risk management strategy. Learn more at Avalon’s Cyber Liability page.