Posts

Cyber Liability Update: Tax Season and W2 Phishing Scams

Most companies are familiar with phishing emails and train their employees to recognize suspicious emails sent from malicious actors. Less commonly discussed, however, are W2 scams that target human resources departments.

During tax season, cybercriminals target human resources departments by impersonating an executive of the company, most notably through email. The goal is to obtain W2 information then file a fraudulent tax return and collect the refunds. This time of year is ripe for malicious actors, as HR personnel are busy preparing tax information for employees and sharing sensitive data through multiple departments.

Even after employees receive their W2, HR departments need to stay vigilant and keep an eye out for phishing emails. For most people, tax season doesn’t end until they’ve filed a return, and employees are bound to have questions leading up to that time. Human resources professionals should be on the lookout for suspicious emails from anyone asking for individual or bulk tax information. Multiple grammatical errors and blurry headers are also signs of cybercriminals.

According to IRS Commissioner John Koskinen, “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

The W2 phishing scam is occurring earlier in the tax season and to a broader scope of organizations. The number of attacks increased by 870 percent last year and there’s no evidence to suggest these attacks will slow down. As far as action an employer should take, it is recommended to send an email to phishing@irs.gov and place “W2 Scam” in the subject line.

Cyber Liability Insurance policies cover risks associated with W2 scams. For a consultation or assistance with any cyber inquiries, contact us today.

Will 2019 Be the Year of the Cybercriminal?

Consider this—in 2018, two of the five biggest cyberattacks in history occurred. Between the hacks on Marriott and Under Armour, criminals accessed the personal information of more than 650 million people. Cyber attacks also caused billions of dollars in lost revenue as hackers infiltrated everyone from mega-corporations to mom and pop shops.

The growing number of attacks and the costs associated with them are staggering. And while it’s difficult to detail the full extent of the economic impact in 2018, most experts predict that 2019 will be worse. Despite this, many companies have been slow to adopt modern cybersecurity protections, though most have implemented at least the minimum level of cyber protection.

But even the most secure businesses may not be thinking of the most significant threat—their people.

Research indicates that 95% of all data breaches are attributed to some human error.

Not huge mistakes, either. These simple errors happen in a fast-paced environment when everyone’s busy, such as falling victim to phishing. Someone opens an email and downloads an attachment, assuming it’s from a reputable source. Included in that email is malicious code—malware—that allows hackers to infiltrate a company’s network. Some people transfer corporate data outside the company over an unsecured network or simply don’t delete old data, leaving it vulnerable to leaks.

Cyberattacks will make headlines in 2019. No matter how much is spent on security, nothing can cover every human error or new techniques hackers use to infiltrate your network.

Sophisticated cybersecurity systems could help curb the cost of human error. When they’re implemented alongside a culture that prioritizes online safety, you can reduce the number of hackers who gain access to your people and help employees understand how to spot the threats that do breach your system.

Diligent training efforts will help prevent carelessness, breaches and help reduce costs. Here’s a short list of best practices:

Reaffirm culture

Do your people understand the value of information security? If you’re unsure of the answer, it’s time to start an internal communications plan that reinforces your organization’s standards.

Invest in cyber protection

Even if you have the most modern security software, it still requires regular maintenance. Many companies take a “set it and forget it” approach, but all security technology should always have the most recent updates.

Commit to encryption and multi-factor authentication solutions

Many cybercriminals take the path of least resistance, preying on companies that have minimal security. Simple additions like encryption and multi-factor authentication will help augment your security and move your company into safer territory.

Make a plan in the event of an incident

No one is immune to a hack, not even the most secure organizations. But there are ways to minimize the damage, both to your bottom line and your reputation. Create a detailed list of who to call and what steps to take if ransomware shuts down your access or customer information is stolen.

Cyberattacks will make headlines in 2019. No matter how much is spent on security, nothing can cover every human error or new techniques hackers use to infiltrate your network. When you are making your post-attack plan, the call to your cyber insurance broker should be at the top of your list. Insurance won’t stop an attack, but it will help pick up the pieces afterwards.

Contact Hays Companies to learn more about how we can cover you in the event of an attack.

Cyber Insurance Webinar

Hays Companies VP and National Cyber Liability Practice Leader Dave Wasson was invited by Lathrop Gage to discuss uncommon approaches to cyber threats. This 60-minute webinar addresses the increased threat to companies being targets of data breach, insurance policies and coverage for losses and how this area has evolved in the past 10 years.

Throughout the 60-minute webinar, these cyber insurance and legal professionals covered:

·         Current risks that companies face and those predicted in the near future

·         The State of Law surrounding cyber incidents & insurance coverage around those incidents.

·         Types of policies and products that are currently available to businesses

·         Common pitfalls to avoid obtaining cyber liability insurance

Watch the webinar here – https://vimeo.com/260789216

If you have any further questions, please contact your Hays representative.

Minnesota Business Magazine Feature: Cybersecurity Insurance 101

By: Brian Martucci

Target. Home Depot. Yahoo. Equifax.

What do they have in common? You guessed it — they’ve all experienced major data breaches that exposed tens of millions of users’ sensitive personal and/or financial data. Yahoo was actually victimized twice, each attack compromising hundreds of millions of users. (Oh, Yahoo.)

Your company is vulnerable
Big-company cyber incidents are understandably newsworthy, but they’re really just the tip of the iceberg. Most incidents go unreported in the media, even in wonky tech blogs, because they directly impact fewer people or fail to compromise critical systems.

A 2016 FBI report put the average daily number of U.S. ransomware attacks at 4,000, a 300% increase from2015.

That figure doesn’t count other types of cyber-attacks, such as phishing. Check your spam folder when you get a chance — it’s a virtual certainty that some of those sketchy emails contain malicious files or links.

Insurance can help

“Cybersecurity insurance is a misnomer,” says Dave Wasson, Vice President and Cyber Liability Practice Leader at Hays Companies in Minneapolis. “‘Privacy and security insurance’ is more accurate. Lots of claims have nothing to do with hacking — someone forgot to shred a sensitive document, maybe.”

For brevity, we’ll call it cybersecurity insurance. It exists because general commercial liability policies typically exclude digital and analog privacy and IP threats.

Cybersecurity insurance policies provide financial redress for a broad range of potential threats: the U.S. Department of Homeland Security cites “costs a from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations.”

How to approach cybersecurity insurance
Many owners and execs have only a tenuous handle on their companies’ digital and analog vulnerabilities.

“A significant portion of what we do is educational,” says Wasson. “With new clients, the key question is: ‘Is your understanding of your exposure correct?’”

Some companies mistakenly believe they’re taking adequate measures to address perceived vulnerabilities, which they may or may not fully understand. Others affirmatively avoid due diligence on the not-incorrect assumption that actively researching the threat landscape eliminates plausible deniability and increases liability.

At least one large, well-known Minnesota company takes this “head in the sand approach,” says Wasson. (He declined to identify the firm.) Wasson is not a fan: “That’s like saying you’re healthy because you haven’t gone to the doctor,” he says. Self-insuring against privacy and security threats is doable for larger companies with the resources to absorb the cost of a cyber incident, but “understanding potential threats is always better than not understanding.”

What it costs, what it covers
Needless to say, most sizable companies do carry cybersecurity insurance policies. Coverage is increasingly common among SMBs too. When resources are tight, any significant cybersecurity incident is a grave threat.

“For small businesses, you can find good quality policies, not pared down at all, for less than $1,000 per year,” says Wasson. The lower end of the market, below $50,000 per year, is growing fast. (The costliest policies, built for Fortune 1000 firms, cost more than $1 million per year.)

Like other forms of insurance, cybersecurity insurance products are highly customizable, but most policies have seven basic coverages. The devil is usually in the details. Wasson advises clients to pay close attention to three key issues:

“Failure to maintain” clause: This exclusion penalizes policyholders who fail to execute or maintain stated security practices. “It basically says, ‘If you say you have a particular safeguard in place and you don’t, we’ll deny your claim,’” says Wasson. He strongly advises against buying policies with “failure to maintain” clauses.

IP protection: Cybersecurity insurance newbies are often disappointed by policies’ anemic or nonexistent intellectual property coverages. Some policies do cover NDA-protected IP compromised in a breach. Premiums may be higher, though.

Bringing in outside experts: Does the policy let you bring in your own legal and forensic IT experts after a breach? Some force policyholders to choose from approved professionals; using non-approved experts could compromise or even void your claim. “It’s like the requirement that you select a provider in your health insurer’s network,” says Michael Cohen, head of the Global Privacy, Cybersecurity and Data Protection legal team at Minneapolis-based Gray Plant Mooty.

Data breach? Minimize exposure and get the response right
Cybersecurity insurance alone can’t prevent privacy and security incidents. Insurers require, incentivize and recommend that policyholders take steps to mitigate their exposure.

Established regulatory structures are non-negotiable. For instance, policyholders must abide by the Payment Card Industry Data Security Standard (PCI DSS), an electronic payments security framework backed by major credit card issuers. Healthcare and finance companies must follow other frameworks.

Insurers incentivize the adoption of other safeguards, like robust encryption. “Encryption is one of the few things that has an actual causal impact on policy pricing,” says Wasson.

“The better your encryption, the less you’ll pay.”
Be honest about your data security practices and degree of exposure: On your cybersecurity insurance application, honestly disclose your exposure and mitigation practices. Even absent a “failure to maintain” clause, a misleading or incomplete application could lead to inadequate coverage. Plus, says Cohen, “Being recognized as a leader in data security benefits your organization in the marketplace.”

Don’t needlessly retain data: “Most companies don’t need to collect Social Security numbers,” says Wasson, “and they certainly don’t need to keep them in unencrypted files on mobile devices.” Only collect and retain data needed for essential business functions.

Take special care with legacy systems:
Many companies run key processes on functionally obsolete, unsupported IT systems. This is sub-optimal for all sorts of reasons, but overhauling is costly and disruptive, so it happens. Unfortunately, breaches can wreak havoc on legacy systems, which typically need to be overhauled after the fact anyway. When I spoke to Wasson, he was helping a client through a catastrophic ransomware attack made worse by the forensic impenetrability of its ancient IT. With no backup, the client had to shut down for a month to upgrade its systems and get out from under the attack. (Also relevant: Back everything up!)

Know your obligations under the law:
Legally mandated notification requirements may greatly increase post-breach costs. Firms must abide by notification rules in affected individuals’ home jurisdictions. Said rules vary widely, so firms typically adhere to standards in the strictest state in which they operate. Still, you need an attorney to work through dense regulatory language. To handle high notification volumes, you’ll need to retain a specialized firm.

Create an incident response team:
Don’t wait until it’s too late to build an incident response team. The point person (“breach coach”) should be an attorney experienced in handling data breach matters, whether in-house counsel or an outside expert like Cohen. Add at least one member from HR, IT (inside or outside), marketing or PR (inside or outside), finance, and upper management. Define each member’s role in the event of an incident. Mind insurance company restrictions — remember Cohen’s attorney networks.

Have an incident response plan ready:
Different scenarios call for different responses, but your first call should always be to your designated attorney. They’ll quickly assess the situation’s severity and determine what needs to happen next. If the situation warrants, “next” means a call to the FBI, which has a first-rate cyber forensics team. “The FBI is very discreet,” says Cohen. “Your business won’t leak just because they’re involved.” They may also know about other incidents that hold clues to your own.

You should do these six things “even if you choose to forgo cybersecurity insurance,” says Cohen. After all, fortune favors the prepared. And the careful.

WHAT CYBERSECURITY INSURANCE COVERS:
Security and Privacy Liability: Provides financial protection against third-party claims alleging “failure to protect sensitive information or maintain adequate network security.” May also cover “breach of the insured’s own privacy policy” and “breach of confidential corporate information” covered by confidentiality or non-disclosure agreements.

Privacy Regulatory Defense and Penalties: Covers regulator-assessed penalties and fees, where allowed by law, as well as costs associated with “complying with or defending against a privacy related regulatory investigation” by certain state and federal agencies or authorities.

Breach Costs: Covers costs directly associated with breach response, including notification to potentially affected parties, computer forensics, legal expenses, public relations campaigns,
and ongoing identity theft protection and monitoring.

Multimedia Liability: Covers “claims alleging intellectual property infringement [copyright infringement, defamation and libel, common law privacy rights, plagiarism or piracy, misappropriation of ideas] arising out of the advertising of a company’s goods or services, either online or offline.”

Business Interruption: Covers loss of income if the insured party is unable to conduct business “due to a malicious third party hacking event.”

Data Recovery: Covers costs associated with digital asset replacement, such as software licenses and proprietary software. May be combined with business interruption coverage.

Cyber Extortion: Covers costs associated with ransomware attacks, including investigations to determine whether the threat is credible and the cost of complying with the attackers’ demands (e.g., paying the ransom).

Interested in learning more about Cyber Risk? Check out our recent FOCUS publication on Ransomware.

N.B. Precise nomenclature varies by issuer.

Source: “Cyber Liability Insuring Agreement Overview,” Hays Companies.

This article originally appeared in Minnesota Business Magazine. To view the original article, please click here