Cyber attacks and security breaches are increasingly on the rise. According to Hartford Insurance, if a business experiences a cyber attack or breach, it takes an average of 14 days to resolve the attack and costs an astonishing average of $17,696 per day!
Many business owners simply do not understand the importance of purchasing a Cyber Liability policy or how the policy works. Quite often, they are also under the assumption that their current Business Owners policy provides coverage for such a risk.
Hartford has created a short video that will help address some of the common misconceptions regarding Cyber Risk. You may view the video by clicking here.
The 1986 ISO General Liability policy form provided relatively broad coverage for advertising injury for non-media companies. On the other hand, media companies such as newspapers, television stations, and advertising agencies were required to purchase a special Media Liability policy. However, due to recent restrictions on advertising injury coverage under a General Liability policy, many non-media companies should strongly consider the purchase of a Media Liability (offline) or Cyber Liability (online) policy in order to close certain coverage gaps.
The 2001 ISO version of the General Liability form includes a new exclusion that eliminates coverage for “injury arising out of the infringement of copyright, patent, trademark, trade secret, or other intellectual property rights.” However, the new exclusion excepts “infringement in your ‘advertisement’ of copyright, trade dress, or slogan.” Therefore, coverage is now specifically excluded for all trademark and trade secret claims. In addition, coverage for the three remaining types of intellectual property claims (copyright, trade dress, or slogan) is dependent upon such offenses arising out of an ‘advertisement’.
As regards the definition of ‘advertisement’, only infringements that occur in the advertisement itself are covered. The new 2001 edition includes the following new restrictions on Internet activity:
* Advertisement with respect to a website means only “that part” of the website that is about “your products, goods or services for the purposes of attracting customers or supporters.”
* Coverage is eliminated for claims “arising out of an electronic chat room or bulletin board that the (insured) hosts, owns, or over which the (insured) exercises control.” It is likely that the use of blogs, Facebook, Twitter, and other social media falls under this exclusion.
* Coverage is also eliminated for “unauthorized use of another’s name or product in the (insured’s) e-mail address, domain name or meta-tag, or any other similar tactics to mislead another’s potential customers.” One area of concern that has not yet been clarified by the courts is use of trademarked terms in meta-tags.
The following are some common situations where the above-mentioned restrictions can eliminate coverage for non-media companies:
* Claims for copyright infringement arising out of text, photographs or other content that are not part of an online advertisement. The use of generic photos on company websites in areas that are not actually part of a specific product advertisement is a common source of litigation. Providers of stock photos are using watermarking technology to search the internet for instances of the unauthorized use of their photographs, and many law firms are specializing in providing representation in this area.
* Trade dress claims arising out of the look and feel of a website, blog, social media, etc. that is not part of an online advertisement. These involve navigation (e.g., buttons, bars), color schemes, hyperlinks, menus, etc.
* Online comparative advertising where your product is represented as being bigger, better, faster, etc. as compared to the competition. These representations may result in claims for false or misleading advertising and unfair competition under the Lanham Act or various state statutes. However, if these representations are directed at a specific competitor, they may be covered under advertising injury.
* Product packaging that too closely resembles a competitor's may result in liability for trade dress infringement. These claims may be excluded because the courts may not consider the product packaging to be part of an advertisement.
If any of these instances of potential uncovered claims are a concern, a business should strongly consider adding Media Liability (offline) or Cyber Liability policies (online).
Source: Elizabeth C. Koch and Jay Ward Brown, Levine Sullivan Koch & Schulz, LLP; Risk & Insurance; December 2011.
The odds that a cybergang will stealthily turn your PC into a bot this summer and use it to carry out all manner of cyberattacks just notched notably higher.
Security analysts anticipate a surge in SpyEye attacks the rest of this year. “Every level of criminal, from the lowest to the highest rungs, can now use one of the deadliest Swiss Army knife hacking toolkits in the world,” says Sean Bodmer, senior threat intelligence analyst at network security firm Damballa.
Using SpyEye, a criminal can issue commands to networks of thousands of bots. SpyEye-run botnets have proved to be unstoppable. Criminals use them to deliver spam scams, conduct hacktivist attacks and booby-trap legit websites with infections that create more bots.
What’s more, SpyEye may be best known for enabling thieves to orchestrate the systematic siphoning of cash from the online banking accounts of consumers and small organizations. Transactions security firm Trusteer has documented SpyEye-orchestrated banking account heists in action. SpyEye:
* Waits for the account holder to log into his or her online banking account.
* Collects the user’s balance figure and determines whether the account is ripe for theft.
* Initiates money transfers invisibly.
* Transfers funds into a mule account that is set up and controlled by the thief to receive cash transfers.
* Erases any evidence of the fraudulent transfer.
* Adds the stolen amount back to the official account balance, as if nothing is amiss.
Skilled hackers quickly created simple programs to access full versions of SpyEye and began selling them for about $100, Damballa’s Bodmer says.
The emergence of this new, cheap spy software could be the tipping point that finally convinces most small businesses with websites of the need to purchase cyber liability insurance.
Source: Spy Eye hacker toolkit to lead surge in cyber attacks, USA Today, August 22, 2011
The spammers and cyberthieves haven’t given up and gone home. Instead they are moving with the times and stirring up trouble in other ways, targeting smartphones and social networks, which offer vast amounts of personal information.
The popularity of “apps” is opening the door to a wide range of suspicious and malicious applications. Locative services such as Foursquare and Gowalla are also a potential problem. These services allow you to easily search, track, and plot the whereabouts of friends and strangers. But cybercriminals can use this information to craft targeted attacks, according to McAfee.
The main way to combat breaches, [Beeson] said, is by encrypting the information. But the McAfee report noted that because of our historically fragile cellular infrastructure and slow strides toward encryption, user and corporate data may face serious risks.
Source: Patricia Vowinkel, February 17, 2011
Millions of people are being tricked into buying or downloading scareware or rogueware by pop-ups telling them their computer is infected. Users unknowingly click on the pop-up and buy security software that steals their credit card information or spreads malware through Trojan horses.
Once the computer is infected, they not only become victims of fraud but also pay money for the so-called “security software”. Victims report that they lose even more money to eliminate the malicious software.
An important way to protect yourself is to always be cautious of offers that pop up while you are already online, and to be careful about what you download. Many large and small businesses use filters or blocks to protect their data. If you need security software, buy from a reputable vendor through their website.
Source: Matrix Consulting – Newsletter
“Risk is a function of the likelihood of a given threat source’s exercising a potential vulnerability, and the resulting impact of that adverse event on the organization.”
Due to the changing nature of cyber risk, IT risk managers must upgrade risk management strategies to focus on new areas of concern. In the past, primary attention was given to protecting computer infrastructure from losses caused by lapses of physical security, internet servers, networks, and rogue insiders. Now, attention must be expanded to applications and software used by the organization.
Due to stepped-up risk management controls in the area of network security, cyber criminals have turned their attention to less protected vulnerabilities in applications and software. In addition, the purpose of the attacks has morphed from causing embarrassment and denial of service to profiting from the theft of confidential financial and client information.
Cyber Attacks focus on the following areas:
* disrupting infrastructure operations
* posting confidential enterprise information online
* theft of intellectual property
* identity theft
* theft of confidential information
* confiscating or compromising online bank accounts
* spreading viruses on other computers
* malicious insiders seeking revenge
* use of internet launched viruses, malware, trojans, phishing, botnets, other malicious code
A company’s risk analysis should identify which of the following risks apply, giving primary attention to those that present the largest loss potential by either their frequency or severity:
* identification of viruses on servers, workstations, and laptops.
* open ports on firewall
* which assets are currently being attacked
* which assets are most likely future targets
* Payment Card Industry (PCI) audit if credit cards are used
* HIPAA and HITECH audit for medical information if applicable
* various state confidentiality and data protection laws
See entire article for suggested risk management controls to reduce these risks.
Source: Resources, Winter 2010, Paul W. Burkett, The National Alliance For Insurance Education And Research
Online criminals are targeting small to midsized businesses, according to the US Federal Bureau of Investigation. Hackers are getting away with over $100 million in bank fraud through malicious programs known as Trojans.
Trojans are planted into networks of target companies, stealing passwords to various online services such as fund management and online banking. This opens up ACH (Automated Clearing House) network fraud, where hackers wire money from the victim’s accounts into the accounts of money “mules” that launder the money for a profit. Criminal masterminds positioned in other countries such as China and Russia receive the funds since they are out of the reach of US law enforcement.
Small and midsized businesses are favored because hackers know they often lack the time and money to put stringent security controls in place. Even though this may be true, there are ways to protect your business and yourself. Educate your employees about the risk and instruct them in basic security awareness. Also, use network security measures such as web and mail filtering solutions, network firewalls, and antivirus software.
Source: US Federal Bureau of Investigation
For the first time, major international corporations are reporting higher fraud losses from electronic theft of data than from physical theft of assets, cash and inventory. With 98 percent of businesses affected, China appears to have the highest level of fraud, followed by Colombia with 94 percent and Brazil at 90 percent.
A recent study performed in 2010 showed that the amount lost by businesses to fraud rose from $1.4 billion to $1.7 billion over the previous year. The majority of fraud losses have been from “inside jobs” carried out by company employees.
“How much fraud there is depends more on opportunity than anything else,” Tommy Helsby, Kroll chairman for Europe, Middle East and Africa, told Reuters. “Much more work is done electronically, and that creates new opportunities for fraud. It takes time for companies to catch up with that. There’s a real range of dangers,” said Helsby. “It can be simple theft or the risk of reputational damage if your firm loses customer data. That itself could be an existential threat to your business.”
Many companies are discouraged from expanding in some crucial emerging markets, China, Africa, and Latin America, due to their suspicions over fraud.
“That means you miss out on some of the fastest growing markets,” said Helsby. “You can’t make the risk go away, but you can manage it through having the right systems in place.”
With fraud losses at an all-time high, Cyber Liability insurance is a critical part of the risk management plan of any major corporation.
Source: Insurance Journal
“Cyber liability coverage has evolved from just liability insurance for information technology companies to coverage that nearly every class of business should have if they don’t already.” Many businesses including banks, restaurants, retailers, and medical offices are unaware of the great security technology exposure they face.
In addition, the internet is not the source of all data breach problems. Lower tech breaches commonly arise that are caused by leaving password notes out in plain view, theft of laptops, and improper disposal of medical records.
“Recent state laws require companies that have experienced a security breach to notify all customers that could be affected by the breach that their information has been compromised, even if the information hasn’t been used. In most cases, the notification also includes an option of one year credit monitoring services and a new card or account number for customers.”
More than 40 states have data breach notification laws and insurers expect a federal cyber notification law at some time in the near future. The average per customer cost for a security breach is $15 and this does not include loss of reputation.
Source: http://www.mynewmarkets.com/articles/107853/security-breach-notification-laws-reinforce-need-for-cyber-insurance
Cybercriminals are using phishing tactics to gain information from social network sites and tap into corporate networks to steal sensitive data, which can result in breach of privacy lawsuits and the need for Cyber Liability insurance for tech firms and regular businesses alike.
Here are the steps in the process:
1. Cybercriminals purchase Facebook user names and passwords on websites at a cost of $75 to $200 per 1000 matching pairs.
2. Cybercriminals enter accounts and get access to friends, emails, dates of birth, mother’s maiden names, home towns, and vital information from profiles and postings to start online conversations.
3. Messages are sent to friends with information of interest (based on postings) that include a link to a website that results in a malicious executable file being placed on the recipient’s PC.
4. Executable files contain keystroke loggers that capture all user keystrokes on a periodic basis and email them to free Gmail or Hotmail accounts that are set up by the cybercriminal.
5. Eventually, the user logs into the employer’s network through VPN or Citrix and the cybercriminal captures the user name and password.
6. The cybercriminal enters the corporate network and probes for weaknesses such as those caused by failure to update security patches.
7. A vulnerable server is found and breached resulting in the hacking of confidential information.
Source: http://www.usatoday.com/NEWS/usaedition/2010-03-04-1Anetsecurity04_CV_U.htm?csp=N009