This article originally was published in the Upstate Business Journal.
Your heart raced when the caller on the phone identified himself as an FBI agent. But the conversation was matter-of-fact.
About 2,500 sets of credit card information from your clients had been posted for sale on a Ukrainian cybercrime forum along with the personal information of 125 of your current and former employees. The FBI believed that this information was possibly stolen from your business computers and concluded that your network may have been hacked by an Eastern European criminal gang.
As you consult with your leadership team, you realize that the list of actions you will need to take seems endless:
1. You will need to get your IT systems functioning again and ensure that the intruders are out of your systems for good. You learn that this may not be easy because hackers often leave back doors (extra accounts, remote-access tools, scheduled tasks) so they can return and continue their theft. It takes significant IT expertise to find every one of them and evict the intruders permanently.
2. You will need to find out how long the criminals were inside your system, what data was stolen, and how the criminals may have used your system to hack into the systems of your customers or vendors. This forensic investigation also requires special IT expertise.
3. You will need to check the contracts you have with customers and vendors whose data was compromised, verifying your contractual obligations. Payment card companies have specific provisions concerning breach response and notification, and you need to pay attention to them.
4. Because of the liability issues involved, you will probably want the most sensitive parts of the investigation to be guided by an attorney. This allows the results of parts of the investigation to be treated as attorney-client privileged.
5. The biggest headache may be notification of affected customers and employees. You must notify each person whose personal data was compromised. Legal requirements are different from state to state. The notice you must give will be determined by the breach notification laws of the state in which each customer or current or former employee now lives. You will also need to notify the attorney general’s office in many of these states.
6. You will probably need a dedicated website for posting information. You may need a call center unless you want the people you notify calling in on your business switchboard.
For even a small business, responding to a data breach can be a major expense and a costly distraction from managing the enterprise. One helpful option is to add once-exotic cyber insurance policies to standard property, casualty, and business liability insurance packages.
What does cyber insurance do?
Cyber insurance pays for breach response costs up to the policy limits. Often the insurance company provides a breach coach and a pre-positioned team of experts with the roadmap and experience required to walk you through the steps you must take to respond. The expertise and assistance that come packaged with cyber insurance can be as valuable as the liability coverage under the policy, perhaps even more so.
Typically, the provider's breach response team can respond to the breach faster and at lower cost than a team you assemble yourself under pressure, and your internal leadership team can focus on managing your business during the months ahead.
What are the basic provisions you need in a cyber insurance policy?
• Coverage for breach response costs, including system restoration, forensic investigation, third-party notification, legal expenses, credit monitoring services, and web and call center response.
• Network security coverage to protect you against claims made by third parties that were economically harmed by the breach, including both customers and vendors. (More than half of the major breaches that have involved national or global companies have come through small vendors whose systems were initially breached.)
• Insurance for third-party liability that may arise if your website is infected with malware that loads itself onto the computers of people who visit your site (a drive-by download). When attackers compromise a site precisely because their intended victims are known to visit it, this is referred to as a watering hole attack.
• Business interruption coverage. Businesses that do a lot of sales through the web or by email or telephone may find business interruption coverage a higher priority.
• Cybercrime coverage against wire transfer fraud and social engineering attacks on your own staff, the sort of attack (often called business email compromise) in which employees are tricked into making wire transfers or diverting payments to accounts controlled by the criminals. Businesses that deal with multiple foreign customers and suppliers may prioritize coverage for wire transfer fraud and funds transfer loss.
• Coverage for costs and damage caused by ransomware or other cyber extortion, and for the damage done to internal systems by malware.
Since cyber insurance is a new field, the terms and conditions of cyber insurance policies have not been standardized by decades of practice, as property and casualty policies have. When reviewing cyber insurance options, it is therefore important to consult a skilled adviser who can assess your business's level of risk and guide you through the terms, exclusions, and limits of the available policies.
Lily Tomlin pointed out that “reality is the leading cause of stress among those in touch with it.” Increasingly we are aware of the reality of cybercrime, but reviewing the security steps we need to take to prevent it — as well as our response options should we experience it — will go a long way toward lessening that stress.
The author gratefully acknowledges the insights of Bob Graham, vice president of Hub Insurance, on cyber insurance policy provisions.
Belton Zeigler regularly counsels clients on data management and cybersecurity in matters such as data breach preparation and response and litigation involving data management.