Cyberattacks and the resulting data breaches represent significant risks, both financial and reputational, to businesses, with insurance industry estimates stating that the $3 trillion price tag currently could balloon to $5 trillion in 2024. Those figures include lost income and the payment of data breach-related regulatory fines.

According to the Insurance Information Institute*, cost-effective options exist to avoid falling victim to cyberattacks, such as:

1. Understand your cyber risks. Businesses are vulnerable to cyberattacks through hacking, phishing, malware, and other methods. 

2. Train your staff. Those engaged in cyberattacks find a point of entry into a business’ systems and network. A business’ exposure can be reduced by having and enforcing a computer password policy for its employees.

3. Keep software updated. Businesses should routinely check and upgrade the major software they use.

4. Create back-up files and store them off-site. A business’ files should be backed up either to an external hard drive or on a separate cloud account. Taking these steps are vital to data recovery and the prevention of ransomware. 

5. Maintain firewall and antivirus technology. A business should evaluate the security settings on its software, browser and email programs.

6. Establish a Data Breach Plan. A business should remind its employees to review periodically the data breach detection tools installed onto their computers. If a data breach occurs, employees must notify the business immediately to prevent further loss.

7. Secure insurance coverage to address cyber risks. Cyber insurance coverage typically provides protection for costs associated with data breaches and ransomware.  

The threat of cyberattack never goes away, so neither should your defenses against it.  Contact the professionals at The Reschini Group to learn more and take the appropriate steps to protect your business interests 

https://www.iii.org/press-release/is-your-business-cyber-resilient-iii-offers-7-ways-businesses-can-reduce-their-risks-100819

Copyright 2023 The Reschini Group

The Reschini Group provides these updates for information only, and does not provide legal advice.  To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.

Cybersecurity risks continue to expand nearly unabated. While it can feel like trying to hold back a tidal wave with a bath towel sometimes, effective tools do exist and can be easily accessed.

What must always be remembered is that a commitment to resilience and pre-emptive mitigation remains imperative. Insurers are well-positioned to serve not only as financial first responders but as partners in managing these evolving hazards, along with their business associates and partners.

According to the Insurance Information Institute, “The first line of defense is creating a robust cybersecurity system, training employees on how to identify a potential attack, encrypting company data, and enabling antivirus protection. With only half of businesses reporting a consistent encryption strategy, and the cost of data breaches continuing to rise, organizations must do more to protect themselves and their customers.”.

Some commonly seen cyber liability risks include:

• Liability—You may be liable for costs incurred by customers and other third parties as a result of a cyber attack or other IT-related incident.
• System recovery—Repairing or replacing computer systems or lost data can result in significant costs.
• Notification expenses—In several states, if your business stores customer data, you’re required to notify customers if a data breach has occurred or is even just suspected.
• Regulatory fines—Several federal and state regulations require businesses and organizations to protect consumer data.
• Class action lawsuits—Large-scale data breaches have led to class action lawsuits filed on behalf of customers whose data and privacy were compromised.

To extend cyber liability insurance coverage requires the purchase a stand-alone cyber liability policy, customized for your business to cover several types of risk, including:

• Loss or corruption of data.
• Business interruption.
• Multiple types of liability.
• Identity theft.
• Cyber extortion.
• Reputation recovery.

Contact the professionals at The Reschini Group for more information and guidance on obtaining the proper level of cyber liability insurance coverage for your situation.

Copyright 2023 The Reschini Group

The Reschini Group provides these updates for information only, and does not provide legal advice. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.

A sharp rise in the number and size of ransomware losses over the past three years is changing the availability and cost of cybersecurity insurance coverage, according to the Insurance Leadership Forum. Annual cyber liability rates have increased more than 40% in recent years, in fact.

Insurance providers are carefully managing the growing risk, with some scaling back coverage options for business customers and others continuing to make coverage widely available because the threat is both ever-present, growing and evolving rapidly.

Some insurers continue to make this coverage available to customers with whom they have a wider relationship. Certain insurers have elected to only write cyber liability for companies with less than $100 million in revenue to reduce the insurer’s exposure.

These factors combine to make the need for cybersecurity insurance more urgent than ever, and to secure adequate coverage at reasonable rates. Contact the professionals at The Reschini Group to learn more about available cybersecurity coverage that’s right for your business.

Copyright 2023 The Reschini Group

The Reschini Group provides these updates for information only, and does not provide legal advice. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.

While it may be tempting to leave the complex, mysterious world of cybersecurity to “the experts,” business leaders cannot fall back on that handy escape hatch any longer. They need to be aware and involved, even to the point of elevating cyber reporting to the CEO directly. According to the federal Cybersecurity and Infrastructure Security Agency*, here are some practical steps that leaders would be wise to follow:

• CEOs should ask the following questions about potential cybersecurity threats:
  How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
• What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
• How can my business create long-term resiliency to minimize our cybersecurity risks?
• What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
• What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?

What can CEOs do to mitigate cybersecurity threats?

• Elevate cybersecurity risk management discussions to the company CEO and the leadership team. Executives should construct policy from the top down to ensure everyone is empowered to perform tasks related to reducing cybersecurity risk.
• Implement industry standards and best practices rather than relying solely on compliance standards or certifications. Compliance standards and regulations (Federal Information Security Modernization Act) provide guidance on minimal requirements. Businesses should strive to go beyond the minimum, however.
• Evaluate and manage organization-specific cybersecurity risks. Ask the questions necessary to understand your security planning, operations, and security-related goals.
• Ensure cybersecurity risk metrics are meaningful and measurable. For example, reducing the days it takes to patch a vulnerability to directly limit risk to the organization.
• Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery. It is critical that organizations test their incident response plans across the whole organization, not just in the IT environment.
• Retain a quality workforce. It is important to have people who can identify the proper tools for your organization, since new cybersecurity threats are constantly appearing.
• Maintain situational awareness of cybersecurity threats. Subscribe to notifications on emerging cybersecurity threats (e.g., National Cyber Awareness System products, MITRE Common Vulnerability Exposures, CERT Coordination Center Vulnerability Notes) and subscribe to the Homeland Information Sharing Network.

Of course, making sure your cybersecurity insurance coverage is sufficient and current remains vitally important, as well. The professionals at The Reschini Group can help.

* https://www.cisa.gov/tips/st18-007

Copyright 2023 The Reschini Group

The Reschini Group provides these updates for information only, and does not provide legal advice. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.

While a majority of U.S. business executives rank cyber risk as their top organizational concern, fewer than half have adopted even basic preventive measures, according to results of an industry survey.

Cyber risk has risen to become the top concern in the U.S. and few risk experts believe governments are equipped to handle the threat. Among 1,200 executives who participated in the survey, 59% said they worry some or a great deal about cyber, and 25% said their company has been a cyber victim, up 150% since 2015.The top three specific concerns cited by survey respondents included security breaches, system glitches, and unauthorized access to bank accounts.Yet only 61% of these leaders said they felt extremely or very confident in their company’s cyber practices. The survey found that 43% said their company has a written business continuity plan in the event of a cyberattack, and 48% said their company has adopted multifactor authentication to mitigate the risk.The need for heightened attention and action regarding cyber protection has only increased with the rise of employees working remotely. An easy way to begin would be to require simple preventative measures, such as requiring multifactor authentication – as in using a one-time dedicated passcode as a secondary verification of identity – to gain access to websites or files.They say the first step in getting yourself out of a hole is to stop digging. The wise business leader acknowledges and addresses issues before they become problems. If the state of your cyber security preparation is troubling you, don’t wait to find out how problematic it can become. Invest the time and resources to fortify your protection now.Contact the professionals at The Reschini Group for guidance on cyber security.

The U.S. Securities and Exchange Commission has begun to crack down on companies it deems to have breached securities laws by making inadequate cybersecurity disclosures, a policy that shows no sign of slowing down.

As a result, businesses have been advised to establish clear internal communications strategies on cybersecurity issues, and to also examine their directors and officers liability insurance and cyber liability policies to determine whether they have adequate coverage if the issue arises.Some SEC cyber disclosure actions have resulted in penalties of up to $1 million. Industry experts attribute the increased attention on cyber intrusion preparation to the reality of cyberattacks in the economy today, and an alarming lack proper preparation on the part of organizations to fight it.The agency will likely become even more aggressive in the future, as the SEC is expected to have less tolerance for organizations that don’t take the basic steps to protect sensitive data.Companies should develop incident response plans that include how to deal with a vulnerability’s discovery before it becomes an intrusion, then make sure the infrastructure is in place to address that vulnerability. Organizations need to get a clear picture of their own cybersecurity environment and communicate regularly about roles and responsibilities. Also, a well-constructed D&O policy should cover investigation costs in the event of a breach.It pays to invest in solid cyber security plans, whether or not the SEC or any other entity is looking for problems. It’s just good business these days. Contact the professionals at The Reschini Group for guidance on cyber security.

Two years ago, employees across the country and around the world collaborated with their employers to establish ways they could perform their job duties while working from home.  Today, the urgent need for home-based workers has receded, but the popularity of this option remains high.

And while certain trends point to an actual increase in productivity, job satisfaction, and a better work-life balance from working at home, the choice does also come with a few risks, some quite disturbing and potentially very costly.

The Cost of a Data Breach Report, conducted by the Ponemon Institute and IBM Security, reports that 76% of respondents whose organizations have shifted to remote work expect that working from home could increase the time required to identify and contain a data breach.  What’s more, 70% of respondents expect remote working to increase the cost of a data breach.Those results should cause business leaders to pause, at least for a moment, to think about what remote work represents regarding risks to your organization’s cybersecurity status.  With the geopolitical upheaval emanating from Eastern Europe currently, the world is getting a first-hand lesson in the power of benign cyber systems to damage economies, influence migration of populations, even wage war.  Just imagine the wreckage a malignant cyber attack could create.Are your remote employees following strict cybersecurity protocols regarding password control?  Tracking and protecting the physical location of their laptops and smartphones?  Accessing only approved downloads and avoiding personal usage or inappropriate personal apps on company equipment?Keep in mind that three out of four business leaders have concerns about cybersecurity regarding remote work.  Being concerned is one thing.  Acting on those concerns by clearly stating acceptable and unacceptable cyber behavior, and enforcing those standards, is what can make a real difference.Contact the professionals at The Reschini Group for more information.

A data breach creates all sorts of havoc, including significant financial costs.  That’s hardly new information.  But what those costs actually total does make news, as captured in the 2020 “Cost of a Data Breach” report, compiled by the Ponemon Institute and IBM Security.

The information from 2020 (the most current results available) provides a detailed glimpse the financial impacts security incidents can have on organizations, with historical data revealing trends in data breach causes and consequences.  The report shows some consistencies with past research.Here are the major highlights:

• The average cost of a breach in 2020 was $3.86 million per breach. This is actually good news, in a way, representing a 1.5 percent reduction from the 2019 cost per breach of $3.92 million.
• The average time to identify and contain a breach in 2020 was 280 days, virtually identical with the 279 days it took on average in 2019.
• Regarding prevention against breaches, 59 percent of organizations now have security automation deployed, up from 52 percent in 2019.

If one takeaway leaps out from these high-level results, it is that time is money.  While a higher percentage of businesses have security automation in place, it still takes nearly 10 months to discover and contain a major breach.  And the financial ramifications, even if slightly lower, remain substantial at nearly $4 million per breach.The need for robust cybersecurity practices and protections continue to grow in importance and relevance.  For more information, contact the professionals at The Reschini Group today.

Feeling lucky?  Like to gamble?

It’s one thing to play a small-potatoes hunch on your smartphone as you watch your favorite professional team on television.  It’s quite another to risk your entire business enterprise on something that never needed to be at risk at all – your cybersecurity protocols.

As the scope and expertise of malicious online operators grows, so is the insistence of insurers that their business clients have adequate cybersecurity controls in place.  A growing consequence for those who have not installed and maintained such controls is that they cannot acquire the needed coverage.An industry leader recently conducted a study that concluded underwriters have adopted a “laser focus” on data security controls when looking at renewal risks, with “even greater underwriting scrutiny” of those controls as time goes on.  The desired preventative controls cited include:

• Multifactor authentication
• Remote desktop protocol
• Segregation of networks
• Encryption

Those without these protocols in place will be increasingly met either with a decline of coverage or rates increased as much as 200 percent or even higher, according to the report.  The threat of hackers successfully breaching cybersecurity protections has become such an issue for businesses, that even best-in-class risk managers – who have all preferred protections in place – may still see their premiums increase, but at a much lower rate.So play those little parlays on your phone all you like.  But don’t leave your entire business enterprise open to such a huge bet.  Survey your cybersecurity protections and make sure they’re in place and working.For more information, contact the professionals at The Reschini Group today.

A professional hacker – who has gone straight and now goes by the job title of “Ethical Intruder” – lays out the truth with this simple statement:  “Take it from a hacker, we are not trying to break in through your next-generation firewall when we can simply ask your users for credentials.”

The sloppy, ill-informed, or unthinking release of credentials – the user names and passwords that permit access to your cyber files online – by employees or vendors is the digital equivalent of holding the door open for a thief to stroll into your sensitive operations with little or no resistance.  In the parlance of cyber security, the ways in which legitimate users either control or surrender control of their credentials is known as “Social Engineering.”Social Engineering typically is seen within organizations as either an IT issue or the responsibility of Human Resources.  At its core, Social Engineering is a behavioral and awareness issue that hackers know is the easiest and quickest way to crack a cyber defense and avoid detection.This has become an even more prevalent problem during the COVID-19 pandemic.  Attackers have increased use of their predatory skills against unwitting employees, who simultaneously have become more susceptible to clicking on or downloading files by providing their credentials on nearly anything related to the pandemic.Entering this commonplace, yet incredibly valuable, information without giving a second thought as to who else might be watching can spell real trouble down the line.It becomes incumbent on employers to educate and enforce standards regarding the unauthorized or uncontrolled use of employee credentials.  This single step can actually become one of the most effective ways to convey the very real threats that exist, and to tighten up the business’ cyber security protection.

• Risk Insights - Social Engineering reinforces the information in this article and provides resources for you to share with you staff:  Risk Insights - Social Engineering

For more information on cyber security safeguards, contact The Reschini Group today. 

From days spent in Kindergarten, right up until your most recent fire drill at the office, we have been conditioned to respond to emergencies through repetition.  Walk calmly to the nearest exit, gather in a pre-ordained spot, and account for everyone before notifying first responders of any missing associates.  We have it all down, thanks to muscle memory.

But what about a cyber emergency?  What must be done in that scenario?  Who is responsible for each function?  How do we know we’re being effective?  Those muscles may not have ever been stretched, but it’s imperative that this happen.Knowing what to do in the event of a cybersecurity incident is vital to protect sensitive and crucial data.  Poorly coordinated responses not only have the potential to increase liability, but also can impact how insurance claims are paid following a breach.Properly preparing for a cyber emergency includes:

• Identifying who needs to be on the response team.
• Describing each person’s roles and responsibilities.
• Knowing how to categorize an incident.
• Determining how to track milestones and save key evidence.

While most states require certain businesses to have written policies, actually practicing them is the only way to make those policies meaningful.  Once a plan has been established, the organization should run tabletop drills, presenting various scenarios and measuring how the team responds in real time.  Only through this kind of positive, productive repetition can the required muscle memory be developed to blunt, contain, and successfully recover from a cyber security emergency.For more insurance-related information on this and other topics, contact the professionals at The Reschini Group.

When a skilled hacker has the means, the motive, and the opportunity to break into your cyber system and wreak havoc, not much can stop or slow that person down.  With one exception – multi-factor authentication, or MFA.

The only drawback of using this advanced tool, however, comes in the fact that the MFA – because of its comprehensive and in-depth safeguards – can also slow down legitimate users.  But industry experts agree that the benefits in safety and security far outweigh this one minor negative.

The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, defines MFA as “a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.”NIST adds, “MFA is quite simple, and organizations are focusing more than ever on creating a smooth user experience. In fact, you probably already use it in some form. For example, you’ve used MFA if you’ve:

• swiped your bank card at the ATM and then entered your PIN (personal ID number)
• logged into a website that sent a numeric code to your phone, which you then entered to gain access to your account.”

The Pittsburgh Technology Council cites a professional cybersecurity expert (and former hacker), who said, “It is of the utmost importance to push through any obstacles and enable MFA on your environment.  In addition to the monumental importance of having MFA, it is critical that you review your third-party systems that you do not control, especially those which contain sensitive company data, and find out whether MFA is available.”The added seconds it may require for users to register through two separate channels to access data amounts to virtually nothing in the long-term, when compared with the time, trauma, and treasure it would take to recover from a severe cybersecurity breach.For more insurance-related information on this and other topics, contact the professionals at The Reschini Group.Download these resources about Cyber Liability:• 10 Cyber Security Resolutions to Reduce Your Data Exposures• CI - Cyber Liability InsuranceContact The Reschini Group with your questions or concerns regarding cybersecurity.

In the age of COVID-19, platforms like Zoom, Skype, Blackboard Collaborate, Microsoft Teams, and WebEx have been lifesavers for businesses, schools, and families.  But, regrettably, the emergence and widespread adoption of these wonderful tools have also enabled the rise of those who would use them to break in uninvited, to steal information and data for their own purposes.

Such video-conferencing hijackers practice what has been dubbed “Zoom-bombing,” or the act of disrupting a virtual meeting with graphic or threatening messages or actions, including hate speech or pornographic images. Beyond being incredibly annoying and hurtful, such intrusions can also cause liability exposure based on the highly offensive harassment.Protecting innocent users against these disruptions is both a moral and legal obligation, as state and federal civil rights laws require businesses, organizations, and public entities to prevent discriminatory harassment.  So how can you avoid being Zoom-bombed?  Here are some suggestions:

• Know and test the technology first.
• Use options that require authenticated users only.
• Make all meetings private, with controlled admission.
• Only share the link to the room with those invited.
• Disable the "join before host" setting.
• Restrict screen-sharing options to the host only.
• Use the latest technology with updated security enhancements.

Our society, educational system, and business communities have survived the pandemic by leveraging the incredible power of these video-conferencing tools.  Their staying power in a post-COVID world is guaranteed.  That makes it all the more essential for users to remain vigilant in protecting themselves and those who they invite to join them online.Contact The Reschini Group for information on insurance-related matters affecting your organization.Copyright 2021 The Reschini GroupThe Reschini Group provides these updates for information only, and does not provide legal advice.  To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.Source: https://www.shrm.org/resourcesandtools/legal-and-compliance/employment-law/pages/avoiding-zoom-bombing-in-the-new-age-of-meetings.aspx

Working in IT today is like running a marathon sprint.

Not only do the digital professionals need to keep their systems and users running smoothly at a baseline level, they also need to stay up-to-date on new applications and software packages and how they could be used to advance the growth of their organizations.

And then there’s the ever-present specter of cybercrime – an unending and constantly expanding web of innovative and malicious attempts to steal information, hold data for ransom, and generally take control of the digital identity of companies.  What’s worse, no industry is immune to these dark forces, who can wreak havoc and extort enormous financial damages.According to the Pittsburgh Technology Council, most CEO surveys rank cybersecurity threats as a top-five risk, regardless of industry type.  CEOs care about data breaches and ransomware attacks because those attacks have become so common, regardless of organizational size or IT staff experience.  Furthermore, CEOs know that a ransomware infection or a data breach can put the very life of their organizations at risk.IT teams have trouble keeping a current and standardized set of security best practices, because to do so – with proper patches and policies amid a continuously changing environment – is time consuming, expensive, and downright difficult.  One solution comes in the form of enterprise cloud infrastructure platforms, which offer a secure-by-default cloud experience with best-in-class security features incorporated from the start.Using advanced tools like this can free internal IT staffs, since they only need to work with the cloud infrastructure provider to select and configure features most relevant to the organization’s needs and vulnerabilities.  Those IT professionals can then spend their time more efficiently, working on strategic projects while reducing exposure to cybersecurity issues.Keeping the bad guys at bay online doesn’t have to be a marathon sprint, where the best efforts simply can’t keep running at full capacity.  You can bring your cybersecurity exposure under better control, thereby improving your insurance coverage against losses.The experts at The Reschini Group can provide specific guidance in this area.  Contact us today to learn more.