Surge in Cyber Attacks Accelerates Need to Secure Coverage

A sharp rise in the number and size of ransomware losses over the past three years is changing the availability and cost of cybersecurity insurance coverage, according to the Insurance Leadership Forum. Annual cyber liability rates have increased more than 40% in recent years, in fact.

Insurance providers are carefully managing the growing risk, with some scaling back coverage options for business customers and others continuing to make coverage widely available because the threat is ever-present, growing, and evolving rapidly.

Some insurers continue to make this coverage available to customers with whom they have a wider relationship. Certain insurers have elected to only write cyber liability for companies with less than $100 million in revenue to reduce the insurer’s exposure.

These factors combine to make the need for cybersecurity insurance, and for securing adequate coverage at reasonable rates, more urgent than ever. Contact the professionals at The Reschini Group to learn more about available cybersecurity coverage that’s right for your business.

Copyright 2023 The Reschini Group

The Reschini Group provides these updates for information only, and does not provide legal advice. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.

CEO Awareness, Involvement Crucial in Cybersecurity

While it may be tempting to leave the complex, mysterious world of cybersecurity to “the experts,” business leaders cannot fall back on that handy escape hatch any longer. They need to be aware and involved, even to the point of elevating cyber reporting to the CEO directly. According to the federal Cybersecurity and Infrastructure Security Agency*, here are some practical steps that leaders would be wise to follow:

CEOs should ask the following questions about potential cybersecurity threats:

  • How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
  • What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
  • How can my business create long-term resiliency to minimize our cybersecurity risks?
  • What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
  • What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?

What can CEOs do to mitigate cybersecurity threats?

  • Elevate cybersecurity risk management discussions to the company CEO and the leadership team. Executives should construct policy from the top down to ensure everyone is empowered to perform tasks related to reducing cybersecurity risk.
  • Implement industry standards and best practices rather than relying solely on compliance standards or certifications. Compliance standards and regulations (e.g., the Federal Information Security Modernization Act) provide guidance on minimal requirements. Businesses should strive to go beyond the minimum, however.
  • Evaluate and manage organization-specific cybersecurity risks. Ask the questions necessary to understand your security planning, operations, and security-related goals.
  • Ensure cybersecurity risk metrics are meaningful and measurable. For example, reducing the days it takes to patch a vulnerability directly limits risk to the organization.
  • Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery. It is critical that organizations test their incident response plans across the whole organization, not just in the IT environment.
  • Retain a quality workforce. It is important to have people who can identify the proper tools for your organization, since new cybersecurity threats are constantly appearing.
  • Maintain situational awareness of cybersecurity threats. Subscribe to notifications on emerging cybersecurity threats (e.g., National Cyber Awareness System products, MITRE Common Vulnerability Exposures, CERT Coordination Center Vulnerability Notes) and subscribe to the Homeland Information Sharing Network.

Of course, making sure your cybersecurity insurance coverage is sufficient and current remains vitally important, as well. The professionals at The Reschini Group can help.

* https://www.cisa.gov/tips/st18-007

Copyright 2023 The Reschini Group


Leaders Cite Major Cyber Concerns

While a majority of U.S. business executives rank cyber risk as their top organizational concern, fewer than half have adopted even basic preventive measures, according to results of an industry survey.

Cyber risk has risen to become the top concern in the U.S. and few risk experts believe governments are equipped to handle the threat. Among 1,200 executives who participated in the survey, 59% said they worry some or a great deal about cyber, and 25% said their company has been a cyber victim, up 150% since 2015.

The top three specific concerns cited by survey respondents included security breaches, system glitches, and unauthorized access to bank accounts.

Yet only 61% of these leaders said they felt extremely or very confident in their company’s cyber practices. The survey found that 43% said their company has a written business continuity plan in the event of a cyberattack, and 48% said their company has adopted multifactor authentication to mitigate the risk.

The need for heightened attention and action regarding cyber protection has only increased with the rise of employees working remotely. An easy way to begin would be to adopt simple preventative measures, such as requiring multifactor authentication – for example, a one-time dedicated passcode used as a secondary verification of identity – to gain access to websites or files.

They say the first step in getting yourself out of a hole is to stop digging. The wise business leader acknowledges and addresses issues before they become problems. If the state of your cyber security preparation is troubling you, don’t wait to find out how problematic it can become. Invest the time and resources to fortify your protection now.

Contact the professionals at The Reschini Group for guidance on cyber security.


Copyright 2022 The Reschini Group


Source: https://www.businessinsurance.com/article/20210929/NEWS06/912344857?template=printer

SEC Watching Cyber Protections Closely

The U.S. Securities and Exchange Commission has begun to crack down on companies it deems to have breached securities laws by making inadequate cybersecurity disclosures, a policy that shows no sign of slowing down.

As a result, businesses have been advised to establish clear internal communications strategies on cybersecurity issues, and to also examine their directors and officers liability insurance and cyber liability policies to determine whether they have adequate coverage if the issue arises.

Some SEC cyber disclosure actions have resulted in penalties of up to $1 million. Industry experts attribute the increased attention on cyber intrusion preparation to the reality of cyberattacks in the economy today, and an alarming lack of proper preparation on the part of organizations to fight them.

The agency will likely become even more aggressive in the future, as the SEC is expected to have less tolerance for organizations that don’t take the basic steps to protect sensitive data.

Companies should develop incident response plans that include how to deal with a vulnerability’s discovery before it becomes an intrusion, then make sure the infrastructure is in place to address that vulnerability. Organizations need to get a clear picture of their own cybersecurity environment and communicate regularly about roles and responsibilities. Also, a well-constructed D&O policy should cover investigation costs in the event of a breach.

It pays to invest in solid cyber security plans, whether or not the SEC or any other entity is looking for problems. It’s just good business these days. Contact the professionals at The Reschini Group for guidance on cyber security.


Copyright 2022 The Reschini Group


Source: https://www.businessinsurance.com/article/20210831/NEWS06/912344206?template=printart

Restricting the Flow: Cyber Attacks Impact Supply Chain

Cyber threats have the potential to impact all facets of the supply chain.

An attack against the Colonial Pipeline in the U.S. in May 2020 illustrated how vulnerable critical infrastructure can be as an attractive target for cybercriminals and even other nations hostile to the American economy. The attack – made possible through a single password breach, as disclosed later – shut key conduits delivering fuel from Gulf Coast refineries to major East Coast markets.

According to industry sources, shipping and logistics companies saw three times as many ransomware attacks in 2020 as in 2019. A spike in malware, ransomware, and phishing emails during the pandemic helped drive a 400% increase in attempted cyberattacks against shipping companies through the first months of 2020, as well.

While shipping represents a major element of overall supply chain operations, the looming threat of cyber attacks remains just as present and prevalent in every other link of that chain.

As the world economy continues to regain its footing in the wake of the coronavirus pandemic, supply chain issues have contributed to inflationary pressures and the less-than-rapid recovery many had hoped to see. Preventing malicious actors from further disrupting the supply chain remains a key priority.

Cybersecurity impacts every business, regardless of size or location or industry. Make sure your business deploys all preventative measures possible, and conduct regular reviews of your cybersecurity insurance coverage to protect against potential losses.

Contact the professionals at The Reschini Group for more information.

Copyright 2022 The Reschini Group

Rates Held Ransom: Increased Breaches Impacting Coverage Terms

As the instances and scope of ransomware events, and the losses associated with them, continue to increase, some insurers are tightening their standards in providing cybersecurity coverage.

According to industry experts, insurers are restricting capacity and implementing increases in premiums to account for businesses not keeping pace with the threat of malware and other online attacks.

Ransomware events began to climb in 2019, leading to the continuing response by insurers. On average, insurance rates have doubled since the surge in attacks began, with rising reinsurance costs expected to drive those rates higher.

Insurers certainly are not abandoning cyber liability coverage, but recognize the underlying issue is that while coverage may be adequate today, the rapidly evolving risk means it may not be adequate tomorrow.

Business owners can help their own cause by implementing as many precautions against online attacks as they can, which can contribute to keeping their insurance costs manageable under the circumstances.

The digital universe has opened a world of opportunity for businesses to grow, expand, and succeed. But the flip side of all that openness poses a threat that continues to grow, expand, and succeed as well.

Managing that risk will be a challenge for business owners and their insurers for the foreseeable future. Eternal vigilance may be the price of liberty, but it’s also the price of keeping your data protected online.

Contact the professionals at The Reschini Group for more information.

Copyright 2022 The Reschini Group


Unsafe at Home: The Heightened Cyber Risk of At-Home Workers

Two years ago, employees across the country and around the world collaborated with their employers to establish ways they could perform their job duties while working from home.  Today, the urgent need for home-based workers has receded, but the popularity of this option remains high.

And while certain trends point to an actual increase in productivity, job satisfaction, and a better work-life balance from working at home, the choice does also come with a few risks, some quite disturbing and potentially very costly.

The Cost of a Data Breach Report, conducted by the Ponemon Institute and IBM Security, reports that 76% of respondents whose organizations have shifted to remote work expect that working from home could increase the time required to identify and contain a data breach.  What’s more, 70% of respondents expect remote working to increase the cost of a data breach.

Those results should cause business leaders to pause, at least for a moment, to think about what remote work represents regarding risks to your organization’s cybersecurity status.  With the geopolitical upheaval emanating from Eastern Europe currently, the world is getting a first-hand lesson in the power of benign cyber systems to damage economies, influence migration of populations, even wage war.  Just imagine the wreckage a malignant cyber attack could create.

Are your remote employees following strict cybersecurity protocols regarding password control?  Tracking and protecting the physical location of their laptops and smartphones?  Accessing only approved downloads and avoiding personal usage or inappropriate personal apps on company equipment?

Keep in mind that three out of four business leaders have concerns about cybersecurity regarding remote work.  Being concerned is one thing.  Acting on those concerns by clearly stating acceptable and unacceptable cyber behavior, and enforcing those standards, is what can make a real difference.

Contact the professionals at The Reschini Group for more information.


Copyright 2022 The Reschini Group


Time Is Money: Results from Latest ‘Cost of a Data Breach’ Report

A data breach creates all sorts of havoc, including significant financial costs.  That’s hardly new information.  But what those costs actually total does make news, as captured in the 2020 “Cost of a Data Breach” report, compiled by the Ponemon Institute and IBM Security.

The information from 2020 (the most current results available) provides a detailed glimpse of the financial impacts security incidents can have on organizations, with historical data revealing trends in data breach causes and consequences.  The report shows some consistencies with past research.

Here are the major highlights:

  • The average cost of a breach in 2020 was $3.86 million per breach. This is actually good news, in a way, representing a 1.5 percent reduction from the 2019 cost per breach of $3.92 million.
  • The average time to identify and contain a breach in 2020 was 280 days, virtually identical with the 279 days it took on average in 2019.
  • Regarding prevention against breaches, 59 percent of organizations now have security automation deployed, up from 52 percent in 2019.

If one takeaway leaps out from these high-level results, it is that time is money.  While a higher percentage of businesses have security automation in place, it still takes nearly 10 months to discover and contain a major breach.  And the financial ramifications, even if slightly lower, remain substantial at nearly $4 million per breach.

The need for robust cybersecurity practices and protections continues to grow in importance and relevance.  For more information, contact the professionals at The Reschini Group today.


Copyright 2022 The Reschini Group

Source: https://securityintelligence.com/posts/whats-new-2020-cost-of-a-data-breach-report/


Cover Your Bases: Lack of Controls May Limit Cyber Insurance Access

Feeling lucky?  Like to gamble?

It’s one thing to play a small-potatoes hunch on your smartphone as you watch your favorite professional team on television.  It’s quite another to risk your entire business enterprise on something that never needed to be at risk at all – your cybersecurity protocols.

As the scope and expertise of malicious online operators grow, so does the insistence of insurers that their business clients have adequate cybersecurity controls in place.  A growing consequence for those who have not installed and maintained such controls is that they cannot acquire the needed coverage.

An industry leader recently conducted a study that concluded underwriters have adopted a “laser focus” on data security controls when looking at renewal risks, with “even greater underwriting scrutiny” of those controls as time goes on.  The desired preventative controls cited include:

  • Multifactor authentication
  • Remote desktop protocol
  • Segregation of networks
  • Encryption

Those without these protocols in place will increasingly be met either with a decline of coverage or with rates increased as much as 200 percent or even higher, according to the report.  The threat of hackers successfully breaching cybersecurity protections has become such an issue for businesses that even best-in-class risk managers – who have all preferred protections in place – may still see their premiums increase, but at a much lower rate.

So play those little parlays on your phone all you like.  But don’t leave your entire business enterprise open to such a huge bet.  Survey your cybersecurity protections and make sure they’re in place and working.

For more information, contact the professionals at The Reschini Group today.


Copyright 2022 The Reschini Group


Source: www.commercialriskonline.com/buyers-without-security-controls-risk-cyber-insurance-refusals-warns-gallagher-report/

Holding the Door Open for a Thief: Controlling Social Engineering Online

A professional hacker – who has gone straight and now goes by the job title of “Ethical Intruder” – lays out the truth with this simple statement:  “Take it from a hacker, we are not trying to break in through your next-generation firewall when we can simply ask your users for credentials.”

The sloppy, ill-informed, or unthinking release of credentials – the user names and passwords that permit access to your cyber files online – by employees or vendors is the digital equivalent of holding the door open for a thief to stroll into your sensitive operations with little or no resistance.  In the parlance of cyber security, the way in which legitimate users either control or surrender control of their credentials is known as “Social Engineering.”

Social Engineering typically is seen within organizations as either an IT issue or the responsibility of Human Resources.  At its core, Social Engineering is a behavioral and awareness issue that hackers know is the easiest and quickest way to crack a cyber defense and avoid detection.

This has become an even more prevalent problem during the COVID-19 pandemic.  Attackers have increased use of their predatory skills against unwitting employees, who simultaneously have become more susceptible to clicking on or downloading files, or providing their credentials, on nearly anything related to the pandemic.

Entering this commonplace, yet incredibly valuable, information without giving a second thought as to who else might be watching can spell real trouble down the line.

It becomes incumbent on employers to educate and enforce standards regarding the unauthorized or uncontrolled use of employee credentials.  This single step can actually become one of the most effective ways to convey the very real threats that exist, and to tighten up the business’ cyber security protection.


Copyright 2021 The Reschini Group


Cybersecurity Resources from The Reschini Group

For more information on cyber security safeguards, contact The Reschini Group today.