In the modern world, almost every business uses some type of network to store information, even if it’s as simple as housing their email. Even companies hosting their email with outside providers, such as Gmail, Yahoo or some other private email host, are at risk.
Many small businesses believe that the information that they have is not sensitive, important or attractive to thieves. These businesses, no matter how low-tech they may think they are, probably have sensitive information saved somewhere. Sensitive information includes any customer information.
A customer list in a spreadsheet, a mailing list saved in your contacts, even correspondence with a customer in your inbox: this sensitive information is everywhere. Now, the information that you collect and save may not be dangerous on its own, but stolen customer lists are popular targets for social engineering scams. Your customers could be contacted based on the information that is saved about them (age, location, name, relatives). By adopting a position of authority, armed with some information about a target, a scammer can easily gain a victim’s trust, at which point more sensitive information could be exposed.
Companies maintaining customer information on networks need to audit their network security systems and internal controls to protect this information. Additionally, companies may want to consider auditing their vendors and their vendors' controls for security to further protect themselves. Finally, companies need to consider purchasing cyber liability insurance.
As companies move more and more toward cloud computing, these risks only increase. The offer of having someone else maintain the security of your customers’ information may be tempting, but it may not be ideal. When choosing a supplier, question them about security policies, including password strength and what information other clients typically save with them. Be sure to confirm whether the data will be encrypted, how your company’s information will be isolated from other people’s data, and whether there are additional steps you can take to secure the information stored with them, such as two-factor authentication or login notifications.
Losses from cyber security breaches are significantly increasing. State governments continue to tighten laws on cyber security. This includes making businesses responsible for notifying consumers of data breaches and placing fines on failure to comply. Cyber liability insurance can help protect businesses from these and other types of losses. Specifically, cyber liability insurance can help cover not just the repair of a company's network after a breach, but the loss of income during downtime as well. It can also help cover liability arising from privacy invasion lawsuits and the need to comply with privacy regulations.
For the unexpected, your business will need cyber liability insurance. You may think that your company’s general liability policy will cover data loss or theft. Be sure to confirm this with your agent. If you already have some type of coverage, be sure that it is complete.
Cyber liability insurance typically provides three types of protection:
- Network Damage
This includes damage resulting from authorized users not having access to the system, service interruption of the network and unauthorized access and destruction of third-party information. This coverage will allow your business to keep running while working through a data problem. This could include being locked out, the data being inaccessible and damage done to someone else’s data or property.
- Security Breach
Security breach coverage protects against the failure of a network to identify and authenticate the party user, failure to protect and secure data, and failure to protect against viruses and denial of service attacks. If your account is hacked, if an employee accidentally shares information, or if someone else damages the data, you will have coverage.
- Privacy Coverage
Privacy coverage exists to protect against claims made for failing to comply with regulatory requirements regarding the privacy of individual and confidential information resulting in third-party claims and the expenses incurred to comply with breach notification requirements. If information is leaked, you will have a responsibility to your customers to notify them and to protect their identity. You will need to determine a way to contact your customers. You may also have a responsibility to offer them identity protection services. This step may be required by law, but it may also be a good-faith gesture that your business does for your customers.
For more information on this article or any other aspects of our Insurance Programs please contact me, Paul Barnard, Insurance Program Manager, at firstname.lastname@example.org or via telephone at 610-507-6595.