Posts

Cyber Insurance Webinar

Hays Companies VP and National Cyber Liability Practice Leader Dave Wasson was invited by Lathrop Gage to discuss uncommon approaches to cyber threats. This 60-minute webinar addresses the increased threat to companies being targets of data breach, insurance policies and coverage for losses and how this area has evolved in the past 10 years.

Throughout the 60-minute webinar, these cyber insurance and legal professionals covered:

- Current risks that companies face and those predicted in the near future

- The state of law surrounding cyber incidents and insurance coverage for those incidents

- Types of policies and products that are currently available to businesses

- Common pitfalls to avoid when obtaining cyber liability insurance

Watch the webinar here – https://vimeo.com/260789216

If you have any further questions, please contact your Hays representative.

Minnesota Business Magazine Feature: Cybersecurity Insurance 101

By: Brian Martucci

Target. Home Depot. Yahoo. Equifax.

What do they have in common? You guessed it — they’ve all experienced major data breaches that exposed tens of millions of users’ sensitive personal and/or financial data. Yahoo was actually victimized twice, each attack compromising hundreds of millions of users. (Oh, Yahoo.)

Your company is vulnerable
Big-company cyber incidents are understandably newsworthy, but they’re really just the tip of the iceberg. Most incidents go unreported in the media, even in wonky tech blogs, because they directly impact fewer people or fail to compromise critical systems.

A 2016 FBI report put the average daily number of U.S. ransomware attacks at 4,000, a 300% increase from 2015.

That figure doesn’t count other types of cyber-attacks, such as phishing. Check your spam folder when you get a chance — it’s a virtual certainty that some of those sketchy emails contain malicious files or links.

Insurance can help

“Cybersecurity insurance is a misnomer,” says Dave Wasson, Vice President and Cyber Liability Practice Leader at Hays Companies in Minneapolis. “‘Privacy and security insurance’ is more accurate. Lots of claims have nothing to do with hacking — someone forgot to shred a sensitive document, maybe.”

For brevity, we’ll call it cybersecurity insurance. It exists because general commercial liability policies typically exclude digital and analog privacy and IP threats.

Cybersecurity insurance policies provide financial redress for a broad range of potential threats: the U.S. Department of Homeland Security cites “costs from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations.”

How to approach cybersecurity insurance
Many owners and execs have only a tenuous handle on their companies’ digital and analog vulnerabilities.

“A significant portion of what we do is educational,” says Wasson. “With new clients, the key question is: ‘Is your understanding of your exposure correct?’”

Some companies mistakenly believe they’re taking adequate measures to address perceived vulnerabilities, which they may or may not fully understand. Others affirmatively avoid due diligence on the not-incorrect assumption that actively researching the threat landscape eliminates plausible deniability and increases liability.

At least one large, well-known Minnesota company takes this “head in the sand approach,” says Wasson. (He declined to identify the firm.) Wasson is not a fan: “That’s like saying you’re healthy because you haven’t gone to the doctor,” he says. Self-insuring against privacy and security threats is doable for larger companies with the resources to absorb the cost of a cyber incident, but “understanding potential threats is always better than not understanding.”

What it costs, what it covers
Needless to say, most sizable companies do carry cybersecurity insurance policies. Coverage is increasingly common among SMBs too. When resources are tight, any significant cybersecurity incident is a grave threat.

“For small businesses, you can find good quality policies, not pared down at all, for less than $1,000 per year,” says Wasson. The lower end of the market, below $50,000 per year, is growing fast. (The costliest policies, built for Fortune 1000 firms, cost more than $1 million per year.)

Like other forms of insurance, cybersecurity insurance products are highly customizable, but most policies have seven basic coverages. The devil is usually in the details. Wasson advises clients to pay close attention to three key issues:

“Failure to maintain” clause: This exclusion penalizes policyholders who fail to execute or maintain stated security practices. “It basically says, ‘If you say you have a particular safeguard in place and you don’t, we’ll deny your claim,’” says Wasson. He strongly advises against buying policies with “failure to maintain” clauses.

IP protection: Cybersecurity insurance newbies are often disappointed by policies’ anemic or nonexistent intellectual property coverages. Some policies do cover NDA-protected IP compromised in a breach. Premiums may be higher, though.

Bringing in outside experts: Does the policy let you bring in your own legal and forensic IT experts after a breach? Some force policyholders to choose from approved professionals; using non-approved experts could compromise or even void your claim. “It’s like the requirement that you select a provider in your health insurer’s network,” says Michael Cohen, head of the Global Privacy, Cybersecurity and Data Protection legal team at Minneapolis-based Gray Plant Mooty.

Data breach? Minimize exposure and get the response right
Cybersecurity insurance alone can’t prevent privacy and security incidents. Insurers require, incentivize and recommend that policyholders take steps to mitigate their exposure.

Established regulatory structures are non-negotiable. For instance, policyholders must abide by the Payment Card Industry Data Security Standard (PCI DSS), an electronic payments security framework backed by major credit card issuers. Healthcare and finance companies must follow other frameworks.

Insurers incentivize the adoption of other safeguards, like robust encryption. “Encryption is one of the few things that has an actual causal impact on policy pricing,” says Wasson.

“The better your encryption, the less you’ll pay.”

Be honest about your data security practices and degree of exposure: On your cybersecurity insurance application, honestly disclose your exposure and mitigation practices. Even absent a “failure to maintain” clause, a misleading or incomplete application could lead to inadequate coverage. Plus, says Cohen, “Being recognized as a leader in data security benefits your organization in the marketplace.”

Don’t needlessly retain data: “Most companies don’t need to collect Social Security numbers,” says Wasson, “and they certainly don’t need to keep them in unencrypted files on mobile devices.” Only collect and retain data needed for essential business functions.

Take special care with legacy systems:
Many companies run key processes on functionally obsolete, unsupported IT systems. This is sub-optimal for all sorts of reasons, but overhauling is costly and disruptive, so it happens. Unfortunately, breaches can wreak havoc on legacy systems, which typically need to be overhauled after the fact anyway. When I spoke to Wasson, he was helping a client through a catastrophic ransomware attack made worse by the forensic impenetrability of its ancient IT. With no backup, the client had to shut down for a month to upgrade its systems and get out from under the attack. (Also relevant: Back everything up!)

Know your obligations under the law:
Legally mandated notification requirements may greatly increase post-breach costs. Firms must abide by notification rules in affected individuals’ home jurisdictions. Said rules vary widely, so firms typically adhere to standards in the strictest state in which they operate. Still, you need an attorney to work through dense regulatory language. To handle high notification volumes, you’ll need to retain a specialized firm.

Create an incident response team:
Don’t wait until it’s too late to build an incident response team. The point person (“breach coach”) should be an attorney experienced in handling data breach matters, whether in-house counsel or an outside expert like Cohen. Add at least one member from HR, IT (inside or outside), marketing or PR (inside or outside), finance, and upper management. Define each member’s role in the event of an incident. Mind insurance company restrictions — remember Cohen’s attorney networks.

Have an incident response plan ready:
Different scenarios call for different responses, but your first call should always be to your designated attorney. They’ll quickly assess the situation’s severity and determine what needs to happen next. If the situation warrants, “next” means a call to the FBI, which has a first-rate cyber forensics team. “The FBI is very discreet,” says Cohen. “Your business won’t leak just because they’re involved.” They may also know about other incidents that hold clues to your own.

You should do these six things “even if you choose to forgo cybersecurity insurance,” says Cohen. After all, fortune favors the prepared. And the careful.

WHAT CYBERSECURITY INSURANCE COVERS:
Security and Privacy Liability: Provides financial protection against third-party claims alleging “failure to protect sensitive information or maintain adequate network security.” May also cover “breach of the insured’s own privacy policy” and “breach of confidential corporate information” covered by confidentiality or non-disclosure agreements.

Privacy Regulatory Defense and Penalties: Covers regulator-assessed penalties and fees, where allowed by law, as well as costs associated with “complying with or defending against a privacy related regulatory investigation” by certain state and federal agencies or authorities.

Breach Costs: Covers costs directly associated with breach response, including notification to potentially affected parties, computer forensics, legal expenses, public relations campaigns, and ongoing identity theft protection and monitoring.

Multimedia Liability: Covers “claims alleging intellectual property infringement [copyright infringement, defamation and libel, common law privacy rights, plagiarism or piracy, misappropriation of ideas] arising out of the advertising of a company’s goods or services, either online or offline.”

Business Interruption: Covers loss of income if the insured party is unable to conduct business “due to a malicious third party hacking event.”

Data Recovery: Covers costs associated with digital asset replacement, such as software licenses and proprietary software. May be combined with business interruption coverage.

Cyber Extortion: Covers costs associated with ransomware attacks, including investigations to determine whether the threat is credible and the cost of complying with the attackers’ demands (e.g., paying the ransom).

Interested in learning more about Cyber Risk? Check out our recent FOCUS publication on Ransomware.

N.B. Precise nomenclature varies by issuer.

Source: “Cyber Liability Insuring Agreement Overview,” Hays Companies.

This article originally appeared in Minnesota Business Magazine. To view the original article, please click here

Restaurant Risk Insights: Health Inspections

Approximately 3,000 state and local agencies are responsible for inspecting more than one million food establishments in the United States, according to the Food and Drug Administration (FDA). Health inspectors investigate a company’s food handling, preparation and storage procedures to ensure that food is fresh and the environment in which it is prepared is sanitary. The Centers for Disease Control and Prevention (CDC) reports that approximately 48 million Americans get sick, 128,000 are hospitalized and 3,000 die of foodborne illness each year.

On average, state health departments conduct health inspections two to four times per year.

There are three types of inspections:

1. Routine inspections are usually unexpected. The inspector examines all aspects of your restaurant to ensure compliance with state health codes.

2. A complaint inspection happens after customers observe unsafe food practices or complain they got sick as a result of dining at an establishment.

3. A follow-up inspection occurs after a restaurant was issued a violation and was given a certain amount of time to correct the violation.

Preventative Measures

Mandated by law, health inspections cannot be avoided. Take a proactive approach and you’ll always be prepared for an unexpected inspection. While consistent readiness may not always be feasible, it’s an important goal to work towards.

Having preventative measures in place will help you during a health inspector’s visit. Here are some ways to stay on top of inspections:

- Research your local and state laws regarding health inspections. Laws vary from state to state. Know what laws are applicable to your establishment.

- Obtain a copy of the food service inspection checklist for your state and regularly conduct your own health inspections to ensure your business is ready for the day when the real inspector shows up.

- Consult the FDA website for a current copy of the Food Code, which offers suggestions and best practices for food safety and health inspections. Many state laws have been modeled after this document.

- Join your state’s restaurant association to stay on top of state regulations regarding food safety, foodborne illness and health inspections.

- Require employees to take food safety courses and make safe food handling and preparation a priority in your company’s culture. Display food safety posters and other relevant safety information in the kitchen, at hand washing stations and in the employee break room so information is readily available to all employees.

For more information about health inspections, managing your risks and obtaining insurance for your business, please visit http://www.hayscompanies.com/contact-us/ to get in touch with your local consultant.

Hays Experts’ New Publication

Congratulations to Bruce Hollcroft and Bruce Lyon, two of Hays Companies’ Risk Control Directors, on their recent textbook publication titled Risk Assessment, A Practical Guide to Assessing Operational Risks. The book was written by Hollcroft, Lyon and Georgi Popov, Associate Professor on risk assessment at the University of Central Missouri.

Risk Assessment, A Practical Guide to Assessing Operational Risks, teaches the fundamentals of risk assessment to students and those in the safety, health and environmental professions, who recognize the need to refine their personal risk assessment capabilities.

Risk assessments have begun to receive more prominence in operational risk management systems. This book fills a content gap in educational material about the growing field of risk assessment.

“Working alongside industry experts at Hays Companies has pushed me to continue developing my risk management skill set and knowledge base. This book is an accumulation of my expertise and similar outside education,” Hollcroft remarked. “I hope it will be a guide to others interested in the topic and help cultivate our future risk assessment leaders.”

The authors intend for this text to assist professors at a university level who sense the need for their students to gain knowledge and aptitude with respect to risk assessment. It will also serve as a primer for employed safety professionals, needing a practical guide on risk assessment techniques.

“I hope this book educates and motivates prospective risk management experts,” Lyon said. “More important than any publications or expertise on my end is the ability to pass this information on to young professionals. Hays Companies has helped me realize the incredible value in educating young learners to ensure the success of not just a company, but an industry and the clients it serves.”

Congratulations to Bruce Hollcroft and Bruce Lyon on the publication. They are proving once again that Hays employees truly are experts in their fields, devoted to educating others.

To purchase a copy of the book, click here.

For more information or to contact the authors directly, email Bruce Hollcroft at bhollcroft@hayscompanies.com or Bruce Lyon at blyon@hayscompanies.com.

Hays in the News – Risk and Insurance Magazine

In the most recent issue of FOCUS, Hays Companies concentrated on cyber liability and the ever-increasing attention it is receiving in the media. This caught the eye of Risk & Insurance magazine, which requested an expert opinion from our Dave Wasson, Cyber Liability Practice Leader with Hays Companies.

In discussing a recent New York Times article, detailing the prevalence of troll attacks from Russia, Risk & Insurance noted that our FOCUS issue spoke to how “brand terrorism” is becoming a new trend in cyber attacks. Troll attacks are “organized disinformation campaigns augmented by social media posts, [that] create an atmosphere of chaos and economic disruption”.

Dave Wasson provided further detail on this phenomenon, stating “The Internet has provided incredible transparency for sharing information on an anonymous basis that can often be viewed as one of the best attributes of the Internet. But that transparency cuts both ways in that the Internet provides an equal transparency for sharing misinformation.”

As our world becomes more mobile and connected, the chances of a company experiencing some form of cyber attack increase as well. Hays Companies has been a leader in the cyber liability realm and is proud to participate in this piece.

For more information and the entire article, please click here.

SAFETY Act and What You Need To Know

In 2002, after the 9/11 attacks, the private sector was reluctant to develop security products and services for civilian settings because of the enormous liability risks involved. In response, Congress enacted the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act to encourage the development and deployment of new and innovative anti-terrorism products and services. The SAFETY Act created liability limitations for claims arising out of, relating to, or resulting from an act of terrorism. The Act applies to a broad range of products and services, including technology products, software and other forms of anti-terrorism security measures.

Since the SAFETY Act also provides liability protections for companies deploying SAFETY Act Certified/Designated products, the Department of Homeland Security (DHS) publishes an extensive list of approved technologies. You can find the list here. At Hays Companies we recommend that any company that could reasonably foresee being exposed to a terrorist act or threat strongly consider purchasing approved SAFETY Act technologies, which serve as a strong defense if you are attacked in a way that the technology was designed to prevent.

We also want our clients that produce or consult on products or services that could be used in an anti-terrorism capacity to consider that becoming Certified or Designated by the Department of Homeland Security could significantly lessen their potential liability.

To understand the criteria for designation or certification, please refer to this SAFETY Act Fact Sheet and the SAFETY Act website. As of May 2013, DHS has made 600 approvals for products, technologies and services supporting more than 151,000 private sector jobs in small and large businesses.

To learn more about the SAFETY Act and how to apply for protections, visit www.safetyact.gov. Dave Wasson (dwasson@hayscompanies.com), Cyber Liability Practice Leader at Hays Companies, is also available for consultations.

Hays Team Recognized With Prestigious Industry Award

Congratulations to Hays team members Bruce Lyon and Bruce Hollcroft! They recently received first place honors at the American Society of Safety Engineers (ASSE) 2013 Professional Paper Awards Competition.

Their article, “Risk Assessments: Top 10 Pitfalls & Tips for Improvement” competed in the Technical Writing Category and was published in the December 2012 issue of Professional Safety magazine.

Mr. Lyon and Mr. Hollcroft will attend the Safety 2013 Conference in Las Vegas this summer to be recognized among their peers and receive their award.

Read the award-winning article: Risk Assessments: Top 10 Pitfalls & Tips for Improvement