Technology
Avoiding the crosshairs
Travelers' new cyber insurance product helps bullet-proof small businesses
By Nancy Doucette
Talk about overkill! In response to a suspected malware attack, a federal agency destroyed some $170,000 worth of desktop computers, printers, keyboards and mice. The total price tag: $2.7 million, taking into account the cost of the security contractor (whose advice was ignored—the agency faced no significant threat and could have resolved its problem with some simple repairs, according to the contractor), the acquisition of temporary infrastructure, the expense associated with actually destroying the equipment, and the cost for more contractors to develop a long-term response.
While the main character in this "dramedy" is certainly deserving of a Chicken Little award, this article isn't about government waste. Our focus is on cyber threats, and we're not alone.
Last March the House Small Business Subcommittee on Health and Technology held a hearing titled "Protecting Small Businesses Against Emerging and Complex Cyber-Attacks." Among those providing testimony was Dr. Phyllis A. Schneck, public sector chief technology officer for McAfee, Inc., a provider of security for systems and networks. In her remarks she observed that cyber threats are intensifying and becoming more innovative. "Everybody is a target," she declared.
Noting that small business comprises over 95% of the U.S. "business fabric," she added, "Small businesses have personal information stored, operational requirements and valuable intellectual property. They need strong cyber security as much as large enterprises."
Schneck recommended that small businesses understand what data they have, where it resides in their systems, and the value and sensitivity of the data. With this knowledge, she said, business owners can then develop security policies and procedures tailored to their needs.
For the last six years, Verizon has produced its "Data Breach Investigations Report" (DBIR), which, as the title suggests, provides insights into the nature of data breaches as well as recommendations for spotting and preventing data security incidents. (A free download of the report is available at www.verizonenterprise.com/DBIR/2013.) The 2013 report is based on the analysis of more than 47,000 security incidents as well as studies of 621 confirmed data breaches. Verizon notes that since it started publishing the DBIR in 2008, its partners in the studies have contributed information on more than 2,500 confirmed data breaches—totaling more than a billion compromised records.
The 2013 DBIR notes that most breaches could easily be prevented. "While most breaches are deliberate, many involve an unintentional element," the report explains. "Taking information home, copying data onto a USB drive, leaving a laptop in a cab can all lead to a data breach."
And while there is often concern about data that is being transmitted, the 2013 Verizon sample revealed no breaches while data was "in transit." However, two-thirds of breaches involved data "at rest"—in databases and on file servers.
Verizon observed in an earlier DBIR that almost 72% of its sample of worldwide data breaches were at companies with 100 employees or fewer.
Cyber protection for small businesses
Travelers has also been keeping tabs on cyber threats. At last year's America's Small Business Summit, the carrier surveyed some 300 small business owner attendees and learned that only 29% were "very confident" that they had adequate coverage to protect their business against cyber liability.
For more than 15 years Travelers has provided cyber-related coverages. Its initial offerings include CyberFirst® for technology and public entity customers, and CyberRisk for public and private companies, nonprofits, and financial institutions. In light of the 2012 Small Business Summit survey, Travelers added CyberFirst Essentials®—Small Business to its cyber protection offerings earlier this year.
Travelers' Enterprise Cyber Lead Tim Francis explains that this new product is specifically meant for small businesses that have modest cyber exposure. CyberFirst Essentials is a stand-alone product with separate limits that can be added directly to the Travelers MasterPac℠. It includes information security liability coverage (for lawsuits that may occur following a data breach) and breach essentials coverage (remediation, notification, payment card penalties, and crisis management or public relations).
Francis notes that agents as well as their small commercial clients have cyber exposures. "Think about cyber as a category of insurance that is addressing both the liability and the first-party expenses associated with the obligation of a company to keep confidential the personally identifiable information (PII) they have on employees, customers, etc.," he notes.
"It's not just the information that's used in the financial exchange—the bank account number or credit card details. Agencies gather a fair amount of health information and if they're taking in claim information, they could have sensitive details relative to an insured's medical condition," Francis continues. "If the agency writes life/health or comp products, they may have PII on individual claimants."
Francis says agents need to counsel clients on their cyber exposures as well. "Cyber is no longer an esoteric, boutique specialty coverage," he observes. "Cyber needs to be part of the regular discussion with small commercial clients." He acknowledges that some clients may not recognize the need for this coverage because they don't aggregate PII or sell products online.
"That doesn't mean these clients don't have exposure; they just have less exposure," Francis emphasizes. The point being, every small business these days should be carrying cyber insurance.
Small businesses tend to have fewer IT resources to determine whether there's been a breach, he points out, so an outside consultant might be needed. If a breach does occur, affected clients should be offered some level of credit monitoring, and some PR expertise may be needed to maintain the reputation of the business. "CyberFirst Essentials—Small Business offers coverage for these necessary expenses, subject to policy limits," Francis says.
He suggests that agents recommend that their small business clients do a data inventory. "Having more data on your customers is good—whether you're selling widgets or insurance. It helps the marketing teams," he notes. "But the more data you have, the more exposure you have if that data is compromised."
This point was also made in Verizon's 2013 DBIR. "A common finding is that 30% to 50% of data in an environment has no business reason to exist. Delete what isn't essential and a by-product is reduced storage costs."
In short, businesses need to determine what data they truly need and eliminate the rest. According to Francis, job applications for individuals who weren't hired don't need to be retained, especially if they contain Social Security numbers. "If you keep them and your data is compromised, now you are obliged to find that person you didn't hire and let them know their Social Security number was compromised," he says.
Building on a point made in the 2013 DBIR—that most breaches could easily be prevented—Francis recommends that agencies and their commercial clients develop a security culture. "Educate employees on their role in protecting the organization and its data. Use passwords and keep them secure—don't tape the laptop password to the laptop," he says with a chuckle. "Management needs to establish procedures and enforce them."
And while management is establishing those policies and procedures, it's also a good time to investigate cyber insurance—just in case.