Organizations are finding an increased need to protect themselves from cyber attacks. These threats come in many forms, and according to Symantec internet security, small to medium-sized organizations are targeted 65 percent of the time. Cyber insurance is becoming increasingly important to organizations that are vulnerable to data breaches and ransom situations by hackers.
Target Corporation’s data breach was disclosed in November 2013, and it was the beginning of a newsworthy 2014 and 2015 for cyber incidents. Since then, well-publicized cyber breaches at Yahoo, Democratic National Convention, National Security Agency, JP Morgan Chase, Home Depot, Michael’s Stores, the US Postal Service, Sony Pictures, and Anthem were only some of the hundreds of cyber security breaches to make headlines, and they have changed how all organizations view cyber risk.
Protecting Personally Identifiable Information (PII) is extremely challenging in an environment of technological advancements, rapid adoption of technology by consumers, and the desire by users for more convenience. PII, as we will see in the bullets below, is being expanded to include more than names, dates of birth, social security numbers, mother’s maiden name, biometric records, and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Some states are now including user names and email addresses, in combination with passwords and security questions.
Cyber security and data privacy are top priorities. With this priority comes the knowledge of ramifications and consequences: costly breach expenses, drafting notifications to those impacted, potential litigation, operational disruptions, and reputational damage. Proactive risk management is important.
Regulators are making it clear that enforcement will continue, including:
- Under the Health Insurance Portability and Accountability Act (HIPAA), and by the U.S. Securities and Exchange Commission (SEC), which has become more active in reviewing disclosures of material cyber risk for publicly traded companies.
- Amendments to laws in CA and FL, with an additional amendment in NY under consideration, have changed the definition of personally identifiable information to include user names and email addresses, in combination with passwords and security questions.
These fact patterns mean organizations of any size, but in particular those in high-risk classes (i.e., healthcare, financial firms, schools and higher education, government, retail, and technology), need to consider Cyber Liability coverage. The reason is the breadth of coverage, including:
- Incident response planning (spells out steps to take in the event of a breach).
- Immediate access to a qualified breach response attorney to begin the process of investigating the incident and assisting with the notification process and requirements.
- Retention of a forensic investigator for the breach.
- Best practices, including policies, white papers and webinars on the topic.
- Proprietary benchmarking and third-party benchmarking.