Cyber Risk in an Online World
It is quite common today to hear and see reports of data breaches from businesses and organizations that you assumed had sophisticated systems, the experts, and the technology to safeguard their (and your) online data – and you would be correct. The lesson here is that even with world-class technology and expertise, your business is still at risk in our increasingly online world.
What many businesses don’t realize until it is too late is the number of risks they need to consider. Even if you are a small or medium-sized business (SMB), you are at significant risk of being hacked. In fact, your business may even be a more likely target because SMBs’ system security and capabilities tend to be less extensive than those of larger businesses. Don’t be fooled into thinking your business’ data is not attractive to cyber thieves. In a recent article, Steve Haase, president of INSUREtrust, a cyber-insurance firm, cited a Ponemon Institute 2013 survey that found 55 percent of SMBs had experienced a data breach.
Haase went on to say, “Every business has confidential information on employees, if not customers, that hackers can sell on the black market . . . SMBs in the retail space have even more post-breach headaches than their non-merchant peers, because retailers are subject not just to fines and penalties of government agencies, but also those of the payment card industry (PCI).”
In response to the cyber threats businesses and other organizations face, the insurance industry has been developing risk management products that deal with the range of new challenges. In the early days of cyber insurance (which date back to 1997), the policies were strictly written to respond to the third party liability of a network security breach. As risks became more apparent, the coverage has evolved. Many policies now include regulatory penalties, PCI penalties, extortion demands, website media liability including social networking exposure, as well as business expenses for crisis management including legal, forensics, call centers, notification costs, etc. Coverage can even be expanded to include business interruption and data restoration.
Originally, technology companies were the first to be considered highly vulnerable to these risks due to their online presence and related exposures. The risk quickly expanded to many other types of businesses with large amounts of PII (personally identifiable information) such as hospitals and universities. Now, it seems that most any company is a target for a breach. If you use email, you may be the target of a “spear phishing” attack where you get a fraudulent email that appears to be from a trusted source. The aim of the attack is to convince you to unwittingly give your data to the bad guys. Some businesses believe their risk is managed since they have general liability coverage. But if you have a website, you are exposed because a general liability policy excludes website media under advertising liability.
Many professional classes of businesses, such as law firms, have relied on their Errors & Omissions coverage in a belief that it will address a network security breach. While there is the potential for some third party coverage if related to the “failure to act as a professional,” this type of policy would not respond to all aspects of a security breach and offers no reimbursement of crisis management expenses.
Many businesses believe that they are not responsible for a security breach if their data is in a “cloud” environment. In fact, the obligation to notify those with breached PII from a cloud environment lies with the owner of the data. The “cloud” may also make a breach more of a threat as the information is now part of a vast pool of information that is highly desirable. If a business has made a decision to transfer their data to an off-site provider, they are still responsible for the notification and the related expenses. Consider any type of outsourced vendor that has your corporate confidential data and PII, such as payroll service providers or accounting firms, as a risk area.
Recognize that these are issues all organizations are facing, even the most capable and tech-savvy. Still, businesses, and particularly managers with responsibility for systems and network security deficiency, feel that insuring for these risks means that their capability is being called into question. It is now evident that no network is totally secure. Managing your business’ cyber risk is just like managing property and casualty risk: you don’t want it to happen; you plan to avoid it, but your business is far better off if you’ve prepared.
The good news is that the costs can be mitigated with a broker partner to help you manage your cyber risk. First of all, the insurance industry has brought many products and coverage options to the market. In fact, their effort to address the issues has made for a buyer’s market. The cost of coverage is small in comparison to property and casualty coverage. More importantly, with the proper guidance the process of anticipating your risk areas helps you in two ways. One, it identifies where the risks lie. If the risks are identified you can improve operational management and reduce the risk. Two, with the risks identified you can structure coverage that mitigates your risk, but doesn’t overburden you with unnecessary cost.
About BB&T Insurance Services
Start the process now. Think through your cyber challenges and work with your BB&T Insurance Services broker, Clay Chambless (Cchambless@bbandt.com), to create a plan to manage your risk in an online world.
Sylvia B. Menetre, CIC, ARM, Vice President, BB&T Insurance Services works with Clay Chambless on Cyber Insurance exposures. Sylvia has more than 25 years of experience in agency account management, production, marketing and corporate risk management. She focuses on Cyber coverage including Network Security Liability, Privacy, Website Media and related Crisis Management. Sylvia earned a bachelor’s degree from the University of Georgia and won the Cyber Risk Management Leadership award from Insuretrust in 2014.
Traditional banking services are provided by Branch Banking and Trust Company, Member FDIC. Only deposit products are FDIC insured. Investment solutions are provided by Branch Banking and Trust Company and BB&T Investment Services, Inc. BB&T Investment Services, Inc., is a wholly owned registered broker/dealer subsidiary of Branch Banking and Trust Company, Member FINRA/SIPC. Insurance products are offered by BB&T Insurance Services, Inc., a wholly owned subsidiary of BB&T Insurance Holdings, Inc.
Securities and insurance products sold, offered or recommended are:
NOT A DEPOSIT • NOT FDIC INSURED • MAY GO DOWN IN VALUE • NOT INSURED BY ANY FEDERAL GOVERNMENT AGENCY • NOT GUARANTEED BY A BANK
© 2016, Branch Banking and Trust Company. All rights reserved.