It starts like any other Monday morning at your finishing and coating operation.
After brewing a cup of coffee in the office kitchen, you walk the floor of your shop and then head to your desk and power on your computer. You’re ready to start the workday, but when you click on the file you were working on last week, you’re horrified to find a note demanding that your business pay a ransom to have its most important data unlocked. Worse yet, the note also threatens that if you don’t pay, all of your business’s data will be leaked on the dark web.
You panic for a moment, check a few other files, and find that they are all in this state. Thoughts rush through your mind: Who is responsible for this? How will your business afford the ransom to unlock its critical data? How will you fulfill your obligations to your customers, make payroll, and communicate with the outside world with your systems locked up? What are your legal rights and obligations? All this spells business interruption for days, weeks, or even months on end, damaged business relationships, lawsuits, and fines and penalties.
Cyber Hygiene is Critical to Obtaining Cyber Liability Coverage (oswaldcompanies.com) Notably, 77% of the ransomware attacks involved threats to release stolen data (Cyber Hygiene is Critical to Obtaining Cyber Liability Coverage (oswaldcompanies.com).
This is a situation that businesses of every size—from small mom-and-pop shops to Fortune 500 companies—find themselves in every day. Even organizations that take all the right steps, put the correct safeguards in place, or feel they are too small to be targeted, find themselves waking up to these messages more often than ever. In fact, according to the FBI, there were $4.1 billion reported losses in 2020 (What are my obligations after a data security incident?
Investigate: First and foremost, every business is legally obligated to investigate known or suspected unauthorized access to or theft of data.
Determine your legal notification obligations: The purpose of investigating these incidents is to determine whether any data was compromised and whether a business is obligated to notify consumers, regulators, business partners, and other third parties of such incidents. Whether the law requires such notification is complicated and difficult to determine. This is because the law that governs notification obligations depends on where impacted consumers reside, not where a business is located. For example, a New York business that has consumer data of Michigan, California, and New Jersey residents may be subject to those states' laws governing notification obligations, and not just New York’s law. Each of these state’s notification obligations vary widely. Additionally, a business may also have stricter contracts in place requiring it to notify business partners or other third parties or to take on additional responsibilities in response to security incidents.
Respond to consumer, regulatory, and business partners’ inquiries and litigation: Information security incidents inevitably invite consumer, regulatory, and business partner scrutiny about the nature and scope of the subject incidents, why an organization failed to prevent incidents from occurring in the first place, and steps an organization has taken to improve its cybersecurity posture. Forthcoming, but precise, measured, and delicate responses are key to avoiding additional liability. Additionally, incidents like these are likely to invite litigation against impacted organizations brought by these interested parties. Likewise, victim organizations that experience information security incidents also may be able to sue third parties to recover certain damages. In sum, the legal fallout brought on by information security incidents is enormous. Fortunately, an organization can take a few simple steps to prevent or prepare for such incidents.
What are the best ways I can prevent or prepare for a cyber incident?
- Initiate Employee Cybersecurity Training:An organization should train its employees to recognize common ways that cybercriminals gain unauthorized access to computers and other information technology systems. This will often prevent employees from unintentionally opening the door for cybercriminals.
- Prepare policies and procedures governing information security practices: Implementing proper policies and procedures can help an organization hold itself accountable to best information security practices. Taking this step also shows regulators and would-be plaintiffs that a business took reasonable measures to prevent and mitigate cyber risks, making it harder to assert claims in a lawsuit.
- Get the right insurance Protection:While cyber incidents take many forms, the damage to organizations is consistently immense. Given cyber incident frequency, severity, and impact on organizations of all sizes, insurance carriers have reduced capacity and are less willing to take on risk. Some carriers have even added exclusions to their policies. At the same time, premium increases of 60% are not uncommon (Cyber Hygiene is Critical to Obtaining Cyber Liability Coverage (oswaldcompanies.com)) for this critical line of coverage. While most insurance policies come with limited cyber coverage, they often cause more harm than good. Imparting a false sense of security, the cyber coverage that’s included as a component of other policy types provides small limits, restricted coverage, and many exclusions. Because of this, it’s important to purchase a standalone cyber insurance policy which typically comes with a suite of services and vendors that jump in and lead you through an incident or event. Without a standalone cyber policy in place, chief financial officers, chief executive officers, and business owners are often shocked to hear they are financially responsible for responding to cybersecurity incidents.
- Look for ways to transfer risk before taking it to an insurance carrier:
-
- Implement controls, practice good cyber hygiene, and utilize end point monitoring and Multi-Factor Authentication (MFA).
- Discuss contractual risk transfer which can make a significant impact on premiums and what you’re responsible for in case of a breach.
- Ensure that your broker understands your organization, all the steps you’ve taken to prevent a cyber incident, and why your organization warrants the best possible terms.
- Phase-out end-of-life or end-of-support software.
- Filter emails for malicious content and links.
- Ensure your backups are encrypted.
It’s Not If, It’s When
Taking as many preventative measures as possible will help your organization mitigate the effects of a cyber incident and recover quickly. Investing in the right cybersecurity insurance policy and engaging legal counsel to help you reduce and transfer risk is key to achieving the most favorable outcome possible.
Often people don’t want to talk about what they don’t want to contemplate happening. Yet, the preventive and protective process starts with a conversation to truly understand what your risks look like. We hope you never see the screen described at the beginning of this piece, but taking all the right advanced steps prepares you for the recovery process and assures that your business isn’t critically affected. To get the conversation going, please reach out to insurance and legal professionals who specialize in cybersecurity and know how to best navigate the complexities of protecting your organization.
Hussein Jaward, CIPP/US, is an associate attorney in McDonald Hopkins’ national Data Privacy and Cybersecurity Practice Group in Bloomfield Hills, Michigan. Hussein helps small and large businesses in every industry across the United States prevent and respond to cyber attacks. He can be reached at hjaward@mcdonaldhopkins.com or 248-593-2953.
Steve Carey, CAWC is an associate in Oswald Companies’ Property and Casualty division in Bloomfield Hills, Michigan. Steve helps organizations protect their bottom line by providing strategic risk management that draws from a wide range of personalized services, including cyber coverage. He can be reached at scarey@oswaldcompanies.com or 248-530-2483.