CybersecurityInsurance Archives - The Reschini Group

Time Is Money: Results from Latest ‘Cost of a Data Breach’ Report

A data breach creates all sorts of havoc, including significant financial costs. That’s hardly new information. But what those costs actually total does make news, as captured in the 2020 “Cost of a Data Breach” report, compiled by the Ponemon Institute and IBM Security.

The information from 2020 (the most current results available) provides a detailed glimpse the financial impacts security incidents can have on organizations, with historical data revealing trends in data breach causes and consequences. The report shows some consistencies with past research.

Here are the major highlights:

The average cost of a breach in 2020 was $3.86 million per breach. This is actually good news, in a way, representing a 1.5 percent reduction from the 2019 cost per breach of $3.92 million.
The average time to identify and contain a breach in 2020 was 280 days, virtually identical with the 279 days it took on average in 2019.
Regarding prevention against breaches, 59 percent of organizations now have security automation deployed, up from 52 percent in 2019.

If one takeaway leaps out from these high-level results, it is that time is money. While a higher percentage of businesses have security automation in place, it still takes nearly 10 months to discover and contain a major breach. And the financial ramifications, even if slightly lower, remain substantial at nearly $4 million per breach.

The need for robust cybersecurity practices and protections continue to grow in importance and relevance. For more information, contact the professionals at The Reschini Group today.

Source: https://securityintelligence.com/posts/whats-new-2020-cost-of-a-data-breach-report/

The Reschini Group provides these updates for information only, and does not provide legal advice. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.

The Reschini Blog: Slow Hackers Down with MFA

When a skilled hacker has the means, the motive, and the opportunity to break into your cyber system and wreak havoc, not much can stop or slow that person down. With one exception – multi-factor authentication, or MFA.

The only drawback of using this advanced tool, however, comes in the fact that the MFA – because of its comprehensive and in-depth safeguards – can also slow down legitimate users. But industry experts agree that the benefits in safety and security far outweigh this one minor negative.

The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, defines MFA as “a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.”

NIST adds, “MFA is quite simple, and organizations are focusing more than ever on creating a smooth user experience. In fact, you probably already use it in some form. For example, you’ve used MFA if you’ve:

swiped your bank card at the ATM and then entered your PIN (personal ID number)
logged into a website that sent a numeric code to your phone, which you then entered to gain access to your account.”

The Pittsburgh Technology Council cites a professional cybersecurity expert (and former hacker), who said, “It is of the utmost importance to push through any obstacles and enable MFA on your environment. In addition to the monumental importance of having MFA, it is critical that you review your third-party systems that you do not control, especially those which contain sensitive company data, and find out whether MFA is available.”

The added seconds it may require for users to register through two separate channels to access data amounts to virtually nothing in the long-term, when compared with the time, trauma, and treasure it would take to recover from a severe cybersecurity breach.

For more insurance-related information on this and other topics, contact the professionals at The Reschini Group.

Download these resources about Cyber Liability:
• 10 Cyber Security Resolutions to Reduce Your Data Exposures
• CI – Cyber Liability Insurance
Contact The Reschini Group with your questions or concerns regarding cybersecurity.

Testing Cyber Security Systems

Cybercrime is set to cost companies more than $6 trillion per year by 2021. That’s trillion, with a T. Nobody wants to be in that pile. That’s why testing your systems for cyber security makes a lot of sense.

Three main tests are used to safeguard businesses against cyber attacks:

Vulnerability scanners – This approach assesses the computers in your business network for weaknesses: entry points that can be exploited by cybercriminals hoping to gain access to your data. Vulnerability scanners act like hackers to investigate these potential vulnerabilities. The aim of a vulnerability scan is to build a strong sense of the state of your cybersecurity setup from an internal and external perspective, identify weaknesses, and improve your security to better protect against these risks.

Penetration testing – Here, cybersecurity experts purposefully ‘attack’ a network to review how secure it is. It simulates a real attack, but in a controlled way. As such, the term ‘ethical hacking’ is sometimes applied to penetration testing. While vulnerability scans highlight any weaknesses in your business network, penetration tests take this a step further by determining what kind of malicious activity is possible if those weaknesses are exploited.

Program update checks – These are important because software that is not regularly updated gives attackers more chances of infiltrating your system and your business. Some program settings may allow automatic software updates, and others will ask your permission. All users should regularly check to ensure that all available updates are accepted (or scheduled for a convenient time) on every device they are responsible for.

The continuously and rapidly evolving cyber world offers tremendous competitive advantages and cost efficiencies. The dark side of cyber operations moves just as swiftly, though. Check the status of your cybersecurity insurance by contacting the professionals at The Reschini Group.

Excerpted from: https://blog.avast.com/cybersecurity-tests

Back to Basics: Top Five Ways to Avoid a Cyber Attack

Hackers and digital saboteurs are here to stay. But that doesn’t mean surrendering to their threats and actions. Sometimes the best ways are the tried and true ones, and that is generally true when it comes to cybersecurity, as well.

According to Cybersecurity Insiders*, here are the top five ways to protect your company from a cyber attack:

Hardware: Have secure and sophisticated hardware, which is password protected and backed up by two-way authentication. Also, it is better if you don’t overlook the effectiveness of protecting your data storage drivers. Because if neglected, then it gives an opportunity to anyone and everyone to walk away with your firm’s sensitive data.

Physical Security: Most data breaches occur when stolen equipment reaches the hands of hackers. For instance, if an employee loses his/her laptop, then sensitive data can easily reach the bad guys. So, outline physical security strategies storing the data on the cloud, which is protected by multiple security layers, and imposing responsible security policies among all employees.

Encrypting Data: Encrypted data becomes useless to a hacker, most of whom could not break into the encryption in the first place.

Backing Up Data: Having a backup copy of the latest data protects you even if a hacker accesses your system. The backup needs to be done in an effective manner and must be in an immediately retrievable form.

Cybersecurity Insurance: Should an attack occur, most cybersecurity policies today not only cover the financial loss caused from data theft but also help in co-paying the costs involved in recovering data, including paying data recovery experts and buying new hardware and software.

Don’t let your guard down. Protect what’s yours. The professionals at The Reschini Group are available to help determine some appropriate options for your specific circumstances.

* https://www.cybersecurity-insiders.com/ways-to-prevent-cyber-attacks-on-your-company/

Making Sure: When Is Third-Party Cyber Insurance Needed?

It’s a natural impulse, especially perhaps when it comes to purchasing insurance coverage.

And even more especially when the insurance coverage is for something as intimidating as cyber security – a vague, nondescript, fuzzy and murky world that many people don’t truly understand, whether they would admit it or not.

The natural impulse in question comes in the form of “making sure.” Is my policy loaded up sufficiently to safeguard my organization? Hmm, I can’t be certain. Let’s load it up, just to “make sure.” That is not necessarily a bad thing or a wrong decision. Getting all the facts, of course, can provide greater clarity.

One area of cyber security insurance presents an option between first-party and third-party coverage, and the choice in this segment, at least, can be pretty easily understood and acted upon appropriately.

First-party cyber insurance covers the costs associated with being the victim of a hack. That includes everything from notifying clients of the breach, to weathering the storm of lost revenue that typically follows. Third-party cyber insurance helps cover the risks of being blamed for a breach, particularly if the company in question does assessments of digital security – a fairly narrow area of specialty – or when a gap in one’s own security is responsible for passing on a virus to another organization.

Policies have evolved to cover first-party exposures more extensively, but third-party exposures and coverage grants are still present and quite possibly required to be purchased.

But think of “third-party” as being the same as a lawsuit. In that case, if a business is not providing media services for a fee or IT services, its third-party exposures probably revolve around the following typical coverages:

A Media clause offering coverage for claims alleging liability resulting from the dissemination of online or offline media material, including claims alleging copyright/trademark infringement, libel, slander, plagiarism or personal injury. This could include websites, social media sites, and chat rooms.
A Privacy & Network Security clause would involve third party actions or lawsuits involving customer information, vendor information, or employee information.

Do you want to “make sure” when it comes to cyber coverage? Contact the team of professionals at the Reschini Group for more information on cyber security options that make sense for your organization.

Staying Safe: Five Tips to Greater Cybersecurity

Cybersecurity practices remain a key focus for both the Financial Industry Regulatory Authority (FINRA) and the U.S. Securities and Exchange Commission (SEC). An article* in Forbes magazine summarizes five best practices cited by these organizations to mitigate the risk of cyber attacks:

Governance

FINRA has found that although Boards of Directors are actively focused on cybersecurity, during their regulatory exams up to two-thirds of companies were found to have deficiencies or weaknesses in their policies and procedures. Cybersecurity policies need to be specific and articulate the procedures necessary for implementation.

Risk Assessment

Risk assessment should be an ongoing process as opposed to a single point in time. Companies should gather and evaluate indicators of potential risks on a monthly, quarterly and annual basis. They should also look to what’s happening at other organizations and other industries, both to gain best practices ideas and to help thwart attackers’ plans.

Cybersecurity Training

Because employees represent the biggest risk, training needs to be conducted regularly and be varied, both in method (such as in-person, email, blogs) and with different topics (such as passwords or visitor access). Show employees what good cyber behavior looks like so they may bring those practices home with them to protect their families and personal systems, as well.

Access Management

While the SEC watches how organizations conduct reviews of access rights periodically, it is estimated that about half either do not follow policies and procedures for terminating access rights, or inadvertently provide unauthorized system access to users contrary to established policy. Best practice is for any remote access to a core network to be protected by two-factor authentication.

Vendor Management

Risk from vendors needs to be addressed and constantly vetted and assessed. One idea calls for the business to obtain permission before bringing on any new vendor that handles, touches, or stores data. To make it easier, create a list of pre-approved vendors.

The team of professionals at The Reschini Group can help assess your cybersecurity exposures and offer comprehensive insurance solutions to transfer cyber risk and protect your company. Contact us to learn more.

* https://www.forbes.com/sites/joannabelbey/2017/06/30/how-to-avoid-cyberattacks-5-best-practices-from-sec-and-finra/#56ae09df1a16

It CAN Happen To You: Cybersecurity Claims Impacting All Levels of Business

The market for cybersecurity coverage remains competitive, and more business owners have decided to invest in insurance policies to protect from hackers and malware. That’s the good news.

But the risk still outweighs the precautions taken, according to insurance industry watchers – and that’s the bad news. Not enough clients are adopting the coverage, especially when proof continues to pile up that no organization is safe from a cyber event.

A 2019 Cyber Readiness Report from specialty provider Hiscox found that 53% of U.S. businesses reported a cyber attack in the previous 12 months, from 38% the previous year. In all, 45% of those companies experienced three or more attacks in the past year. Yet 27% of firms have no plans to adopt cyber insurance, according to the report.

Considering the potentially devastating cost of recovering from a cyber attack, that statistic becomes especially alarming. According to McAfee’s 2018 Economic Impact of Cybercrime Report, the global cost of cybercrimes is estimated to be between $445 billion and $600 billion. But less than 20% of all businesses have purchased cyber insurance. That rate continues to increase, but not nearly to the degree to guard against harm to the level of exposure that remains.

Adopting a line of thinking that “It won’t happen to me” may be the biggest mistake of all, according to industry experts. Business owners who only think of cyber attacks in terms of data breaches miss the other risks that exist, including extortion and business interruption – all of which represent serious and costly issues that need to be addressed through coverage.

The team at The Reschini Group can help put together the best package of cyber protection coverage for your business, regardless of size, scope, or industry. Contact us to learn more.

Inside Job: Safeguarding Against Internal Cyber Threats

The Software Engineering Institute (SEI) at Carnegie Mellon University defines insider cyber threats as “the potential for an individual who has or had authorized access to an organization’s assets to use that access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”

As such, a team from SEI recently issued the sixth edition of its Common Sense Guide to Mitigating Insider Threats, where it lists the following 21 recommendations for businesses to deploy:

Know and protect your critical assets.
Develop a formalized insider threat program.
Clearly document and consistently enforce policies and controls.
Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
Anticipate and manage negative issues in the work environment.
Consider threats from insiders and business partners in enterprise-wide risk assessments.
Be especially vigilant regarding social media.
Structure management and tasks to minimize insider stress and mistakes.
Incorporate malicious insider threat awareness into periodic security training for all employees.
Implement strict password and account management policies and practices.
Institute strict access controls and monitoring policies on privileged users.
Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
Monitor and control remote access from all end points, including mobile devices.
Establish a baseline of normal behavior for both networks and employees.
Enforce separation of duties and least privilege.
Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
Institutionalize system change controls.
Implement secure backup and recovery processes.
Close the doors to unauthorized data exfiltration.
Develop a comprehensive employee termination procedure.
Adopt positive incentives to align the workforce with the organization.

Many of these guidelines appear to be just common sense business practices, but establishing them firmly, communicating them clearly, and enforcing them consistently makes the difference. Insuring against internal cyber threats carries its own set of parameters and requirements, as well.

The professionals at The Reschini Group can help your organization protect your organization against losses from internal cyber fraud. Contact us to talk more about this important consideration.

* https://resources.sei.cmu.edu/asset_files/TechnicalReport/2019_005_001_540647.pdf

The Shadow Knows: Cyber Insurance Needed for Small Businesses Too

The major data breaches may get all the press – 150 million accounts exposed at Under Armour, 92 million at genealogy firm MyHeritage, 87 million at Facebook, and 145 million at Equifax, the largest U.S. credit bureau, revealing even Social Security numbers.

But that doesn’t mean small businesses are immune to cyber crime.

According to the Insurance Information Institute’s (III) 2017 report, Protecting against #cyberfail: Small business and cyber insurance, insurers foresee substantial increase in coverage among the small business segment, as these companies become aware of the possibilities of liability, especially due to a breach and the resulting response costs arising out of the possession of private data.

According to the III, 10 percent of small businesses have suffered one or more cyber incidents in the prior year, with the average cost of cyber-related losses totaling $188,400. Only about one-third of firms surveyed had cyber insurance, nearly 60 percent of respondents said their company is very concerned about cyber incidents, and 70 percent think that the risk of being victimized by a cyberattack is growing at an alarming rate.

Cyber insurance evolved as a product in the United States in the mid- to late-1990s as insurers have had to expand coverage for a risk that continues to rapidly shift in scope and nature. According to the National Association of Insurance Commissioners, 140 U.S. insurers reported writing some cyber insurance premiums in 2016.

Online criminals keep adapting their techniques and level of sophistication just as quickly as technology evolves. Convincing oneself that cybersecurity – and the attendant insurance coverage – is not necessary, just because a business isn’t “big enough” represents a bet that could be incredibly costly if lost. Just because a danger may be hidden in the shadows doesn’t mean it’s not there.

The cyber insurance experts at The Reschini Group can help you fashion a coverage package that makes sense for your business and your budget. Read more and download cybersecurity resources by clicking here or contact us to talk more about this important consideration.

Preparing for the Threat: Attitudes and Actions on Cybersecurity

It shocks absolutely no one that cybersecurity remains a growing threat to businesses, large and small, and that breaches of that security have increased both in number and in the resulting financial impact. What may be surprising, however, are statistics compiled by various governmental and industry sources surrounding cybersecurity, including the following:

Cybersecurity remains a priority risk concern among all businesses.
The three largest areas of concern within the scope of cybersecurity are: falling victim to a security breach, discovering unauthorized access to financial accounts, and suffering an internal system glitch.
Concerns on the rise among businesses include: outsiders hacking into systems used for business operations, cyber extortion, and questions about having sufficient resources to recover from a cyber event.
One in five businesses have suffered a data breach or cyber attack over the past year, double the number recorded in 2015.
52% of businesses say becoming a cyber victim is inevitable.
Only 36% of businesses worry about their employees being tricked into transferring funds, despite a 2,370% increase in losses from such scams over the past two years.
95% of businesses say their operations depend on computer systems running flawlessly.
23% of businesses report that they are unfamiliar with their cyber insurance options.
55% of businesses have not done a cyber risk assessment, 62% do not have a business continuity plan, and 63% have not assessed the cyber security of vendors with access to their data – but 91% of these same businesses say they are prepared to weather a cybersecurity event.
50% of businesses have not purchased cyber insurance.

The professionals at The Reschini Group can help businesses across all categories and sizes get a true, accurate, realistic picture of their cyber exposure and fashion an insurance approach to safeguard against attack or malfunction. Contact us to talk more about your cybersecurity situation.

[Sources: 2018 Travelers Risk Index and FBI PSA https://www.ic3.gov/media/2017/170504.aspx]