Rise in cyber attacks requires increased D&O diligence
It doesn’t take much sleuthing to know that cybercrime is on the rise. Companies around the world are being besieged by would-be cyber criminals of all types, from both inside and outside the organization.
Yet directors and officers often do not give as much attention to cyber security as they do to other corporate risks. Experts say that this failure to recognize the potential impact of a cyber attack not only exposes the company to financial losses resulting from the incident itself, but can also expose the company and individual directors and officers to management liability claims not covered under standard cyber insurance policies.
“Corporate directors need to be as focused on their company’s cyber security as they are on any other significant issue facing the company,” said Bill Kelly, vice president of commercial D&O insurance at The Hartford. “By not properly overseeing cyber security, directors and officers could be subjecting the company and themselves to risk.”
Corporate directors and officers have a general legal duty to act carefully and with loyalty on behalf of the corporation, explained Kelly. The “duty of care” requires directors and officers to perform their duties in good faith while exercising the level of diligence and care that a prudent person would use under similar circumstances. The “duty of loyalty” requires that directors and officers place the corporation’s best interests ahead of their own. This often includes proper implementation and oversight of the corporation’s system of controls.
“Both of these duties include doing what is required to be informed on important corporate matters and to take appropriate actions when necessary,” said Kelly.
Kelly noted that as companies have become increasingly reliant on digital technology in their operations, the potential damages from a cyber attack have risen as well. These damages can take many forms, including lost productivity, loss of data & intellectual property, business interruption and reputational damage.
“Corporate directors need to recognize that cyber security is an important issue, and that failure to exercise their fiduciary duties on such matters can result in D&O allegations separate from a cyber claim,” Kelly said.
SEC issues guidelines for cyber risks
In addition to common law claims, a failure to adequately assess and disclose cyber security issues may result in violations of federal securities law.
In 2011, the Securities & Exchange Commission (SEC) issued guidelines for public companies regarding proper disclosures for cyber attack incidents. More recently, the National Institute of Standards and Technology (NIST) released its preliminary cyber security framework for comment.
Yet even with the SEC guidelines and the proposed NIST framework underscoring the need to make cyber security an area of focus, many directors and officers still don’t realize their obligations related to cyber security.
“A number of companies are still trying to determine the right approach,” said Kelly. In the past, management might have believed it would be better to hide a cyber event, given its potential impact to the company’s reputation. However, with the SEC guidelines, directors and officers are learning that they may have an obligation to disclose a cyber incident.
“Management has an obligation to share timely, accurate data about the company for a reasonable investor,” said Kelly. “If information is material to an investor, it should be disclosed.”
“Even though cyber risks are rising every year, some executives have yet to view them the same way that many D&O underwriters see them,” said Tim Marlin, commercial D&O product director at The Hartford. “While an actual cyber incident is not covered under a D&O policy, directors and officers have a fiduciary responsibility to their organizations, and part of that responsibility involves overseeing cyber risk.”
In other words, it is important for companies and their executives to take a holistic approach to cyber risk in accordance with the SEC’s guidance to best address all the exposures they face.
Fortunately, there are strategies that can help corporate leaders protect their company and themselves from losses due to cyber attacks.
First, directors and officers should ensure that the appropriate policies and procedures are in place to minimize the likelihood and potential impact of a cyber incident. “This requires a full understanding of a company’s cyber risk profile, as well as best practices in the industry and current regulatory guidance on cyber security,” said Marlin.
Second, it is important to have a strong cyber insurance program in place to respond if a cyber incident does occur.
And finally, a robust management liability policy is vital in the event that a management team’s judgment is called into question and results in shareholder litigation.
“Cyber risks should be viewed in the same light as any other significant risk to the company,” said Kelly. “Agents, brokers, underwriters and risk managers can play a critical role in raising this issue with directors and officers, so they can take informed action relative to cyber risk.”
To learn more about The Hartford’s management and professional liability insurance, visit http://www.thehartford.com/management-professional-liability-insurance/.
The discussion of coverage herein is a summary only. It does not include terms, conditions or exclusions of the policies referenced. Please refer to the actual policies for complete details of coverage. In the event of a conflict, only the terms of an actual issued policy will prevail.
Understanding Your Business Cyber Exposure
Simply stated, cyber exposures are directly connected to the responsibility your business has for certain electronic information and the risks associated with this information being compromised or misused. These risks include personal injury, intellectual property infringement, and financial injury, as well as obligations associated with Consumer Protection and Data Privacy Regulations.
Exposures generally fall into two categories:
"Third Party" Liability - the risk of a third party claiming your business caused them damages, typically associated with the company's responsibility to protect certain private or confidential information.
"First Party" Expenses - certain expenses, other than those from a third party's claim, your company may incur as a result of a cyber event. Expenses could be related to notification, credit monitoring, cyber investigation, crisis management, and data privacy regulatory expenses.
Your business doesn't inherently have a higher level of cyber risk simply because it's a technology company. In fact, your business could have a lower cyber risk than your customer(s). The degree of risk depends on the technology products and services offered, as well as the type and amount of private and confidential information you manage, control, store, transfer, and maintain.
Evaluating the Exposure
As insurance professionals, our ability to identify cyber exposures and recommend appropriate coverage adds value to your business.
Asking the right questions is key to evaluating your exposure. A few simple questions can help identify a potential cyber exposure and open an in-depth discussion.
Helping Your Business Reduce Exposure
As you evaluate cyber risks, you will see the importance of addressing the items within your control. One such item is the elimination of any unnecessary data. Even better, stop collecting data that is not being used at all.
Many companies collect or maintain sensitive data without having a specific purpose for it, increasing their cyber risk without a viable business benefit. Other areas to discuss include the tracking of sensitive information, verification of information security controls, assessment and monitoring of access privileges for users (including remote access), web application review and testing, and monitoring of computer system event logs.
In addition, if you have a cyber exposure, you'll want to understand the nature and cost of the losses that could result, and the fact that many General Liability policies don't cover them.
These foundation questions can help you determine your extent of cyber risk.
Understanding your business:
What types of technology products or services does your business provide? Who are your direct and indirect customers?
What is the purpose or function of your technology products/services (what does the technology actually do)?
How are third party vendors or service providers involved with your technology products or services? Identify the specific services provided by any third party vendors.
Understanding your customer exposure to risk:
What type of sensitive information (confidential, personal, intellectual property) is associated with the product or service your business sells to its customers?
Do you or any of your vendors have access to or control of this sensitive information at any time? If so, when? How often? How long? How much? Where?
How is sensitive information protected while in your possession or control? Does your business utilize access restrictions, encryption, segregated storage, usage monitoring, password protection?
What policies are in place to ensure proper handling procedures are followed by all employees?
Understanding your customer’s personal information exposure:
Does your business collect or manage personal information of individuals other than its own employees?
If so, what personal information is involved (full name with social security number, medical information, financial account information, driver’s license number, credit card information)?
Could this information qualify as nonpublic personal or personally identifiable information under a Data Privacy Regulation?
Approximately how many individually identifiable names with related personal information are under your business control?
How are the company’s networks and information protected? Does your business utilize access restrictions, encryption, segregated storage, usage monitoring, password protection?
At what point does your business purge personal information that is no longer needed?
Understanding your business third party vendor exposures and controls:
Does a third party vendor have access, manage, store, transfer, control, or maintain any sensitive information for which your company has responsibility?
If so, can you identify the type and amount of this information?
Has your business IT person reviewed the information security policies and procedures of the third party vendors to ensure sensitive information is protected at all times?
Has your business established contractual terms (i.e. indemnification, insurance requirements, notification requirements) with the third party vendors to ensure your business is protected in the event the vendor suffers a breach of sensitive information?
Are other contractual conditions established with the third party vendor to limit vendor’s use of your data, prohibit vendor from disclosing data to others, return or destroy your data at the completion of the contract, require vendor to comply with applicable data privacy regulations/laws, and allow your business to audit the vendor’s data security procedures?
The Billion Dollar Crime That Is Targeting Employers - Why And How?
The Federal Trade Commission (FTC) has been recording the number of identity theft victims in the U.S. since 2003. Today’s figure of 12.6 million victims is second only to the 13.9 million recorded in 2009.
A recent study found that “criminals made off with $3 billion more than in 2011, as well. Overall, slightly more than 1 in 20 consumers, 5.26 percent, were victims last year ….”
Banks, for example, admit they do not have control over “new account fraud.” New account fraud occurs when a criminal opens new credit cards or takes out loans using the personal information stolen from a victim. Despite the increase in new account fraud, two-thirds of all ID theft is still simple credit card fraud. Bob Sullivan, “ID theft on the rise again: 12.6 million victims in 2012, study shows,” redtape.nbcnews.com (Feb. 20, 2013).
Employers are targets for identity thieves because employers retain employee names, addresses, phone numbers, e-mail addresses, emergency contact numbers, past employers, and social security numbers. Many employers also store bank account numbers for payroll purposes.
All employers must take precautions to protect their employees’ confidential information. Employees should exercise the same precautions.
Here are some suggestions to keep personal information safe from identity thieves:
Always perform appropriate background checks on employees with access to other employees’ personal information.
Do not allow employees to store their personal information or that of other employees on laptops or other portable memory devices.
Make certain that any sensitive employee information stored in a database is protected from hackers.
Do not store sensitive employee information unnecessarily.
If you work with a payroll provider or other employee service provider, make certain that they have security procedures in place to protect your employees’ information.
Review the contract with your payroll provider and determine if the provider accepts responsibility for your employees’ sensitive information.
Be certain that your managers and supervisors are not storing or filing sensitive employee information outside of your human resources department.
Train your staff on the importance of safeguarding employee information and why identity thieves want that information.
AIG Survey Shows Top Executives’ Concerns with Cyber Risk
February 12, 2013
A survey of perceptions about cyber risk sponsored by the American International Group Inc. (AIG) found that among corporate executives, more are concerned about cyber threats than about other major business risks.
More than 85 percent of the 258 decision-makers surveyed said they were very or somewhat concerned about cyber risks to their organizations, compared with the group’s response to six other areas of risk, including income loss (82 percent of executives were very or somewhat concerned), property damage (80 percent), and securities and investment risk (76 percent).
Additional survey results, which include input from insurance brokers, found high demand among executives and brokers for information about cyber threats, with 80 percent indicating that they find it difficult to keep pace because the cyber threat is evolving so rapidly. In response, AIG has developed a mobile app for cyber risk management and will introduce other tools in its CyberEdge risk management portfolio.
Other findings provide further insight into the pervasiveness of cyber risk concern among executives and brokers:
More than two out of three (69 percent) executives and brokers believe that the reputational risk from a cyber attack is far greater to a company than the financial risk.
More than seven in ten (75 percent) executives and brokers say legal compliance issues are making companies think more about cyber risks.
The vast majority of brokers and executives (82 percent) believe hackers are the primary source of cyber threats, though a significant portion of those surveyed (71 percent) also perceive human error as a significant component of cyber risk.
“These new survey findings confirm that business leaders view cyber risk as a top business concern, with great potential for reputational and financial loss,” said John Gambale, head of professional liability and Lexington financial lines executive, U.S./Canada Financial Lines, AIG.
Cyber App for Cyber Threats
AIG has launched the CyberEdge mobile app for the iPad in response to demand for information about cyber risk and how to help mitigate and respond to it. The app is available as a free download to anyone from the Apple iTunes Store.
The app features the latest cyber news, real-time information on country-wide data breaches, a breach cost calculator, an events calendar and a glossary of common cyber terms. More than 20 claims narratives are included in the app to help brokers and clients better understand how other companies are handling breaches.
CyberEdge policyholders that qualify now also have access to AutoShun, a third-party hardware device that sits between a customer’s firewall and the external Internet, to help stop a cyber attack in real-time by blocking inbound and outbound communication with known bad IP addresses.
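The rule described above, deny any connection whose remote end is a known-bad address regardless of direction, is simple enough to show in working code. The Go program below is an added example written for this page; it is not AutoShun or any AIG code, and the threat feed and connection records in it are constructed from documentation address ranges. It parses a feed of single addresses and CIDR ranges, reports lines it could not parse (so a malformed feed update does not silently shrink the list), and checks both inbound and outbound flows against it.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Flow is one connection record: the two endpoints and who initiated.
type Flow struct {
	Src, Dst netip.Addr
	Inbound  bool // true when the remote side opened the connection
}

// Blocklist holds known-bad addresses and prefixes. Single addresses go in
// a map for O(1) lookup; CIDR ranges are scanned.
type Blocklist struct {
	addrs    map[netip.Addr]bool
	prefixes []netip.Prefix
}

// LoadBlocklist parses a feed of one IP or CIDR per line, skipping blank
// lines and '#' comments. Lines that parse as neither are returned so a bad
// feed update is noticed instead of silently shrinking the list.
func LoadBlocklist(feed string) (*Blocklist, []string) {
	bl := &Blocklist{addrs: map[netip.Addr]bool{}}
	var rejected []string
	for _, line := range strings.Split(feed, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if p, err := netip.ParsePrefix(line); err == nil {
			bl.prefixes = append(bl.prefixes, p.Masked())
		} else if a, err := netip.ParseAddr(line); err == nil {
			bl.addrs[a] = true
		} else {
			rejected = append(rejected, line)
		}
	}
	return bl, rejected
}

// Contains reports whether addr is listed directly or falls in a listed range.
func (bl *Blocklist) Contains(addr netip.Addr) bool {
	if bl.addrs[addr] {
		return true
	}
	for _, p := range bl.prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// ShouldBlock applies the rule in both directions: an inbound connection
// from a listed address and an outbound connection to one (for example a
// compromised host beaconing to its controller) are both denied.
func (bl *Blocklist) ShouldBlock(f Flow) bool {
	remote := f.Dst
	if f.Inbound {
		remote = f.Src
	}
	return bl.Contains(remote)
}

// sampleFeed is a constructed demo feed using documentation ranges, not a
// real threat list.
const sampleFeed = `# constructed demo feed
203.0.113.0/24
198.51.100.7
2001:db8::bad
not-an-address
`

// sampleFlows are constructed connection records for the demonstration.
func sampleFlows() []Flow {
	ip := netip.MustParseAddr
	return []Flow{
		{Src: ip("203.0.113.44"), Dst: ip("192.0.2.10"), Inbound: true},  // scan from a listed range
		{Src: ip("192.0.2.10"), Dst: ip("198.51.100.7"), Inbound: false}, // beacon to a listed host
		{Src: ip("192.0.2.10"), Dst: ip("192.0.2.1"), Inbound: false},    // ordinary internal traffic
		{Src: ip("198.51.100.8"), Dst: ip("192.0.2.10"), Inbound: true},  // neighbour of a listed host, itself unlisted
	}
}

func main() {
	bl, rejected := LoadBlocklist(sampleFeed)
	fmt.Println("rejected feed lines:", rejected)
	for _, f := range sampleFlows() {
		fmt.Printf("%s -> %s inbound=%t block=%t\n", f.Src, f.Dst, f.Inbound, bl.ShouldBlock(f))
	}
}
```

The outbound check is the part most often missing from home-grown rules: a device that is already compromised is caught when it calls out to a listed address, which is exactly the case a perimeter-only inbound filter misses.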
In addition, AIG has launched the CyberEdge RiskTool, a web portal enabling qualifying CyberEdge policyholders to proactively manage risk management policies, training and compliance to mitigate cyber exposure.
About the Survey
On behalf of AIG, Penn Schoen Berland (PSB) conducted the survey of 323 risk managers, IT decision makers, C-suite executives, and brokers in the United States and Canada who play a role in selling insurance policies or determining insurance programs within their organizations. The survey includes a mix of AIG customers and other companies, including 60 companies with revenue between $1 billion and $10 billion, mid-market businesses with revenue between $10 million and $1 billion, as well as large and mid-sized broker partners. These interviews took place October through November 2012. Overall, margin of error is +/-5.45% and larger for sub-audiences.
The first step in information security risk management for any industry is to identify loss exposures. The key to identifying loss exposures is to focus on relevant questions that will expose them. There are several main questions to answer to begin this process when trying to identify cyber and privacy risks:
What information is collected? In answering this question, think about the sensitivity of the collected information. Would its release upset clients and customers? Would customer notification be required under any state law? The answers will vary by industry and location. Also, don't overlook employee information.
Where is the information stored? Is it paper or electronic data? Is the information stored onsite or backed up offsite? Is it encrypted? How secure is it?
Who has access to the information? Think about internal and external operations as well as any third-party services or outsourced activities.
Answering these questions is just the beginning. Other cyber and privacy topics to consider include wireless networks, the use of credit cards, online portal capabilities, laptop use, and employee and operational controls. It is important to remember that information can be accessed both electronically and physically, it can be released accidentally or maliciously, and you can react proactively or reactively to this exposure. Good risk management means thinking proactively about cyber and privacy exposures.
Questions every business owner with a Web presence should ask:
What type of information are they collecting on their sites? Are they storing names, contact information, credit card information?
Are they tracking where people go on their site, and if so, what do they do with that information?
Do they sell customer information to other sites without the customer's permission?
Who in the company has access to the social media sites?
Who is posting on the social media sites, and are they authorized to speak on behalf of the company?
Is there a process for checking what is posted on the social media sites beforehand so that no defamatory, copyrighted or libelous information is published?
Protecting Your Business from Cyber Threats By Ilya Leybovich
Increasing computerization of production methods and greater reliance on digital data systems have made cyber security a significant concern for manufacturers. How can businesses deal with the new wave of cyber threats?
Incorporating information technology (IT) systems and infrastructure into day-to-day operations allows manufacturers to access and distribute data more efficiently, helping them make sound business decisions and improve their companies' competitiveness. However, the advantages conferred by networked data systems and information-sharing technology also increase the risk of data theft, hacking, virus infection and other cyber-security threats.
For this reason, companies are beefing up their digital defenses to protect themselves from the latest cyber hazards.
"In past years, plants haven't worried about cyber security because they didn't connect to the outside world," Automation World acknowledges. "New data systems have changed that for most plants. Software and devices share data, and where data is shared, there is always the possibility of a breach."
The complexity and variety of cyber-security threats can be daunting, particularly due to the rapid rate at which new risks develop as well as the increasingly sophisticated methods of cyber criminals. According to the recently released Cisco 2009 Mid-Year Security Report, cyber criminals "are aggressively collaborating, selling each other their wares and developing expertise in specific tactics and technologies. Specialization makes it tougher to shut down illegal activity, because there are many players in this ecosystem."
Loss, theft or interception of sensitive business data is among the largest cyber threats for commercial and industrial enterprises. A study from the Ponemon Institute found that the average cost of a data breach in 2008 was $202 per customer record. The institute also determined that breaches cost U.S. companies an average of $6.7 million each and that the expense has continued to rise, by 38 percent between 2004 and 2008.
Among the major data-breach incidents recorded in its database, the Open Security Foundation reports that 48 percent derive from businesses. Sixty-five percent of security violations are perpetrated by external sources, while 30 percent come from within the company, either accidentally or maliciously.
How can manufacturers protect their businesses from the proliferation of cyber threats?
Although there is no single comprehensive defense strategy capable of shielding every type of company, Manufacturing Business Technology recommends taking a "defense-in-depth" approach for protecting industrial assets. This method entails both physical and electronic defense layers at separate manufacturing levels coupled with effective security policies designed to meet a variety of threats.
Security policy development requires a consistent plan involving "physical and electronic procedures that define and constrain behaviors by personnel and components within the manufacturing system," but without introducing excessive restrictions. This can mean building a resilient network infrastructure to provide information to necessary sources while limiting widespread access, or evaluating the risk potential of how data is used and deployed within the company.
Manufacturing Business Technology also suggests "computer hardening," which relies on IT best practices to shield computers from danger. The hardening process includes replacing direct Internet access with a "barrier zone" to secure shared data and services, enforcing tougher password and terminal access settings, uninstalling any components or protocols unnecessary for performing manufacturing tasks and implementing antivirus and antispyware programs.
Similarly, "controller hardening" may be used to better protect machinery and production equipment controls from tampering. This involves the use of authentication and authorization programs to verify a user's identity, electronic safety features to prevent configuration changes and physically restricting access to sensitive devices.
Depending on a business's size, however, some security measures may not be practical or even necessary.
Microsoft's Small Business Center offers the following tips for small-business owners to protect themselves from cyber threats:
Set up your defenses; Stay abreast of the threat; Encrypt everything; Get help from your employees; Don't store credit card numbers; Buy a shredder — and use it; Mind your mobile devices; Run your updates; Research your Internet service provider; and Know what to do when it happens.
In addition, the Better Business Bureau recommends that managers tell their employees the following:
Not to open e-mail from unknown sources; what to do when they receive suspicious e-mail (when in doubt, delete!); to disconnect from the Internet when not online; to consider the risks of file-sharing; how to perform data back-up procedures; and actions to take if their computers become infected.
Regardless of a company's size or the scale of threats to which it may be exposed, implementing and maintaining a thorough cyber-security policy is a crucial step in succeeding in today's increasingly online business community.
START WITH THE BASICS
1. Lock and Secure Sensitive Information Stored in Paper Files and on Removable Storage Devices
Theft or loss, and the subsequent unauthorized release, of sensitive data or Personally Identifiable Information (PII) (e.g. social security number, credit/debit card information, medical records/charts), stored in paper files and/or on a removable storage device (e.g. computer disk, thumb drive), may constitute a data breach. Never leave sensitive information unattended. Store it in a locked drawer, cabinet, safe or other secure container when not in use. Also consider installing an alarm system that alerts law enforcement if you have a break-in on your premises.
2. Restrict Access to Data
Restrict access to sensitive data, whether physical or electronic, to those who have a “need to know.” Most employees do not need unrestricted access to your company’s entire network. Remember to limit network access on computer stations located in public spaces, such as the reception area.
3. Properly Dispose of Sensitive Data When No Longer Needed or Required
Shred documents containing sensitive data prior to recycling. Remove all data from computers and electronic storage devices – including those in copy machines – prior to disposing of them.
4. Record and Regularly Review Data Practices
Distribute and explain data protection practices to all employees. Review and revise these practices on a regular basis – at least annually. Make sure to retrain staff as changes to your data practices are made.
STRENGTHEN YOUR TECHNOLOGY PRACTICES
5. Password Protect Systems
Password protection helps to prevent unauthorized access to sensitive information, protect the security of personal information and prevent unauthorized access to user and email accounts. All users should be assigned unique user names and strong passwords for access to systems, changed at least quarterly. Conduct a password audit on a regular basis.
6. Encrypt Data
Encryption helps protect the security and privacy of files as they are transmitted or while they sit on your computer. Install encryption on all laptops, mobile devices, flash drives and back-up tapes, and encrypt emails that contain sensitive information.
7. Ensure That Remote Access to Your Network is Secure
Remote access to your network should be made through appropriately configured Virtual Private Network (VPN) connections and multi-factor authentication (e.g. soft tokens or fingerprints in addition to passwords). Passwords should be changed on a regular schedule and meet minimum complexity and length requirements.
8. Keep Software and Operating Systems Current
Keeping your software and operating systems current by installing software and security updates is your first line of defense against hackers, who often take advantage of unprotected systems to gain access to sensitive data stored on a computer. You should also have a firewall and up-to-date anti-virus programs. A firewall helps to prevent your system from being attacked, while anti-virus software inspects the files and programs on your system to ensure they are not infected. Both are critical in helping to protect sensitive information stored electronically.
To maintain the most up-to-date protection, download recently issued system and security updates and antivirus and anti-malware updates to help protect you against the newest forms of viruses, Trojan horses and other malicious software.
NOTE: If your network security functions are outsourced to a third party, obtain documentation to understand how your company’s data is protected, and, when appropriate, perform on-site due diligence. It’s also important to have contract language that specifies privacy and data security expectations.
While these data protection policies, procedures and training can help reduce the likelihood of a data breach, no company can be completely certain that its customer, patient or employee data could never be at risk. For this reason, it is important for companies to also have appropriate data breach insurance coverage in place. To learn more, visit www.hartforddatabreach.com.
1. Outsource payment processing. Avoid handling card data on your own. Reputable vendors, whether for point-of-sale or web payments, have dedicated security staff who can protect that data better than you can.
2. Separate social media from financial activity. Use a dedicated device for online banking. Use a different device for email and social media. Otherwise, just visiting one infected social site could compromise your banking machine and your savings account.
3. Think beyond passwords. Never reuse them, and don’t trust any website to store them securely; you can never tell when a website has already been hacked and your password exposed. Set up two-factor authentication, which sends a secret code to your phone to verify your identity.
4. Educate and train employees. Establish a written policy about data security, and communicate it to all employees. Educate employees about what types of information are sensitive or confidential and what their responsibilities are to protect that data. Also, most scams and malicious attacks arrive through email so be sure your team is prepared and alerts others when they are received.
5. Stay informed. Evaluate the entire chain of events in a potential attack. From assessing your email infrastructure to your users’ responsiveness to your browser’s vulnerability, identify where your organization is most at risk. Then, question the security posture of your business lines, vendors, suppliers or partners.
6. Stop transmission of data that is not encrypted. Mandate encryption of all data, both at rest and in motion. Also consider encrypting email within your company if personal information is transmitted. Avoid using public Wi-Fi networks; they may permit interception of data.
7. Secure your browser. With the growing popularity of watering holes – malicious code installed on trusted websites – how do you know which websites you can trust? Forget individual patches. Focus on keeping up to date with the latest version of your browser. Then, test your browser’s configuration for weakness.
8. Secure your operating system. It’s far easier to break into older operating systems like Windows XP or OS X 10.6. Take advantage of major security improvements baked into newer operating systems.
9. Secure your router. It connects your computer to the Internet. Make sure someone can’t intercept all the data sent through it. It’s important to set a strong admin password on your router and a WPA2 password on your Wi-Fi.
10. Secure your data. Whether you lose data to an accident or an attack, you’ll always be glad to have a backup. Ideally, your backups should be encrypted and off-site in case there’s a fire or burglary.
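Tip 3 above describes the second factor as a code sent to your phone. The same protection works without SMS when the phone computes the code itself from a secret shared at enrolment, which is what authenticator apps do (RFC 6238, TOTP). The Go program below is an added example written for this page, not code from the original article or from any vendor named on it; it implements both the code generator and the server-side check, including the one-step tolerance for clock drift and a constant-time comparison. The secret is the RFC 6238 test seed and is used only so the output can be checked against the published vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

const stepSeconds = 30 // RFC 6238 default time step

// totpCode returns the RFC 6238 code for the shared secret at unixTime:
// HMAC-SHA1 over the big-endian step counter, then RFC 4226 dynamic
// truncation to the requested number of decimal digits.
func totpCode(secret []byte, unixTime int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/stepSeconds))

	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", truncated%mod)
}

// verifyTOTP is the server side: it accepts the code for the current step
// or one step either side, to absorb clock drift between phone and server,
// and compares in constant time so a rejected guess leaks nothing about
// how many digits were right. A production verifier would also refuse to
// accept the same code twice within the window.
func verifyTOTP(secret []byte, submitted string, now int64, digits int) bool {
	for _, skew := range []int64{-stepSeconds, 0, stepSeconds} {
		expected := totpCode(secret, now+skew, digits)
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	// Demo secret: the RFC 6238 test seed. A real enrolment generates a
	// random secret per user and shares it once, typically via QR code.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totpCode(secret, now, 6)
	fmt.Println("code:", code, "accepted:", verifyTOTP(secret, code, now, 6))
}
```

Run it twice more than 30 seconds apart and the code changes; feed a code from two steps ago and verifyTOTP rejects it. That is the property that makes a captured code nearly worthless to an attacker, which a static password never has.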
Get "Encryption-ited!" How Encryption May Save Your Organization... The FTC Weighs In.
If you are not paying attention, you should be. Data security is a staggering problem. Statistics for 2012 alone indicate there were 470,000 banking institution data breaches, 4,615,893 business institution data breaches, 2,304,663 educational institution data breaches, 2,237,873 health care institution breaches, and over 7 million military/government data breaches. (Source: www.idtheftcenter.org)
Computer security and encrypting workplace files may seem like a hassle, but it's a simple process, especially when compared to cleaning up the mess hackers might create if your laptop disappears while you wait for your connecting flight or you leave your smartphone in a taxi.
Why should you encrypt your data?
Encryption can prevent thieves from gaining access to the data stored on your laptop, tablet, or phone. To protect sensitive information, store your files in encrypted form.
Cloud storage is an option many organizations use. It can help employers work more efficiently by syncing files across all mobile devices, and it allows files to be shared by several people at the same time. An added value of cloud storage systems is that a backup copy can be stored on your system's servers to help prevent data loss. Just using cloud storage, however, will not protect users from data theft; use encryption, too.
When sensitive data is encrypted, no one can access the information without the encryption key even if "your cloud storage provider's security fails or someone else gains access to your account." Additionally, sharing sensitive information over the Internet can be more secure through encryption. All you need to do is agree on the encryption key before sending the information.
Encryption can prevent hackers from viewing your conversations with other people and seeing which websites you visit.
Hackers have several ways of stealing sensitive information. This may happen when you use public Wi-Fi or if you are sending sensitive data through email.
If possible, use a VPN (Virtual Private Network), a method that links two locations as if "they are on a local private network," before using public Wi-Fi. When sending data through email, encrypt your file before sending it. (Chris Hoffman, "Not Just For Paranoids: 4 Reasons To Encrypt Your Digital Life," www.makeuseof.com, Mar. 29, 2013.)
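Step 6 above ("stop transmission of data that is not encrypted") and the advice here to encrypt before sending are usually enforced as a policy rather than left to each user's judgment. The following is an added example, not code from the original article or from any product it mentions: a small Python policy layer that refuses to hand sensitive data to a cleartext destination and builds a TLS client context that verifies the peer's certificate and hostname, which is what actually defeats interception on an untrusted Wi-Fi network. The `transmit` callable and the example URLs are hypothetical stand-ins for whatever upload or mail-submission code an organization already has.

```python
import ssl
from urllib.parse import urlparse

# Schemes that put payload bytes on the wire in cleartext. Anything sent over
# them can be read by whoever sits on the path (e.g. on shared Wi-Fi).
CLEARTEXT_SCHEMES = {"http", "ftp", "smtp", "telnet", "ws"}
# Schemes whose session is encrypted end to end (TLS or SSH).
ENCRYPTED_SCHEMES = {"https", "ftps", "smtps", "wss", "sftp", "ssh"}


class CleartextTransportError(ValueError):
    """Raised when sensitive data would leave the host unencrypted."""


def classify_destination(url: str) -> str:
    """Return 'encrypted', 'cleartext' or 'unknown' for a destination URL."""
    scheme = urlparse(url).scheme.lower()
    if scheme in ENCRYPTED_SCHEMES:
        return "encrypted"
    if scheme in CLEARTEXT_SCHEMES:
        return "cleartext"
    return "unknown"


def enforce_encrypted_transport(url: str) -> str:
    """Allow the send only if the destination is known to be encrypted.

    'unknown' is treated like cleartext: the policy fails closed instead of
    guessing that an unfamiliar scheme is safe.
    """
    verdict = classify_destination(url)
    if verdict != "encrypted":
        raise CleartextTransportError(
            f"refusing to send sensitive data over {verdict} transport: {url}")
    return url


def strict_tls_context() -> ssl.SSLContext:
    """Client-side TLS context that will not silently accept a bad peer.

    Certificate verification plus hostname checking is what stops a
    man-in-the-middle on a hostile network; TLS 1.0/1.1 are disabled.
    """
    ctx = ssl.create_default_context()          # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if a context still has verification and a modern TLS floor set.

    Useful as a guard in code review or tests: a single `verify_mode =
    ssl.CERT_NONE` somewhere in the stack silently reopens the interception risk.
    """
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def send_sensitive(url: str, payload: bytes, transmit) -> int:
    """Gate a transmission on the transport policy.

    `transmit(url, payload, tls_context)` is a caller-supplied function
    (hypothetical here) that performs the real network send. It is never
    invoked for a destination that fails the check. Returns bytes handed over.
    """
    enforce_encrypted_transport(url)
    transmit(url, payload, strict_tls_context())
    return len(payload)


if __name__ == "__main__":
    # Constructed sample: a log-only transmitter and two destinations.
    def log_only(url, payload, ctx):
        print(f"would send {len(payload)} bytes to {url} "
              f"(strict TLS: {context_is_strict(ctx)})")

    send_sensitive("https://backup.example.com/put", b"ssn=000-00-0000", log_only)
    try:
        send_sensitive("http://backup.example.com/put", b"ssn=000-00-0000", log_only)
    except CleartextTransportError as exc:
        print("blocked:", exc)
```

The design choice worth noting is the fail-closed `unknown` verdict: a policy that only blocks a list of known-bad schemes will wave through the next protocol nobody thought about, whereas one that only permits known-encrypted schemes has to be extended deliberately.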
Commentary and Checklist
Most organizations depend on digital storage and communication. Securing digital data can be crucial to an employer's success.
Although security threats can escalate quickly, there are steps employers can take to avoid security breaches.
Employers should create a baseline of security measures. Next, IT professionals should routinely monitor these efforts and increase or modify them as threats change.
The Federal Trade Commission provides employers with guidance on employer data security. Use these guidelines to provide a baseline of network security and data protection measures for your organization:
Take inventory of the type of information you collect.
Assess your network vulnerability at each IT entry point and connection for possible security attacks.
Ensure compliance with state security breach laws, as well as with industry standards like HIPAA and Sarbanes-Oxley.
Train employees about your data security plan and its rules, such as the consequences for giving out passwords, etc.
Provide orientation training for new employees and periodic review training for all employees when your data or network security plans change.
Security breaches often happen the old-fashioned way, such as laptop theft. Create rules and a policy for the physical security of data, laptops, and any other computer-related equipment. Use locked files and video cameras in appropriate places.
Consider requiring login credentials and encryption for wireless and remote access to your network, and limit the number of employees who have access.
Set up and use a firewall to detect intrusions.
Regularly update anti-virus and malware applications.
Properly destroy sensitive information that is no longer needed. Use paper shredders, and run disk-wiping utilities before disposing of old computers and storage devices.
Data breaches in 2013 exposed 14% of all debit cards
Financial institutions weathered the Target data breach and are looking for solutions to enhance security, with many issuers now planning to implement EMV debit, according to PULSE. Debit program performance continues to improve, as active cardholders increase their usage of debit. Key findings include:
Consumers continue to shift to electronic payments, with transactions per active card increasing to 20.1 per month from 19.4 a year earlier.
84 percent of financial institutions reissued all exposed cards in response to Target, compared to only 29 percent that typically reissue all exposed cards as a standard response to breaches.
86 percent of financial institutions stated that they plan to begin issuing EMV cards in the next two years, a significant increase from 50 percent in 2012.
Target breach was watershed event
The Target breach impacted every financial institution that participated in the study, causing fraud loss rates to increase in 2013 and compelling issuers to re-evaluate their strategies for improving card security in 2014, the study found.
Overall, 14 percent of all debit cards were exposed in data breaches in 2013, compared to 5 percent in 2012. The resulting 2013 fraud losses to financial institutions amounted to 5.7 basis points for signature debit and 0.7 basis points for PIN debit. Compared with the prior year, PIN debit fraud loss rates remained constant at 0.3 cents per transaction, on average, while signature debit loss rates increased to 2.2 cents per transaction, up from 2.0 cents.
Issuers also reported on fraud loss rates by payment usage point. International transactions caused loss rates of 51 basis points, compared to 8 basis points for domestic card-not-present transactions and 2 basis points for domestic card-present transactions.
Data breaches heightened attention to issues of debit card security. Prior to the Target incident, many financial institutions were hesitant to commit to EMV because of uncertainty around retailer adoption of chip card point-of-sale terminals, questions about the viability of the business case for migrating from magnetic stripe cards to chip cards, as well as unresolved issues related to regulation and support for merchant routing choice. In many ways, the Target breach served as a catalyst for the resolution of these issues.
Although issuers report different opinions regarding the business case for EMV, the study found that 86 percent of participating U.S. issuers plan to start issuing EMV debit cards within the next two years, and most will begin EMV debit issuance in 2015.
The most common strategy among financial institutions is to provide account holders with an EMV debit card as part of their regular card reissuance cycle. Migration to EMV debit cards will begin in earnest in early 2015 and will span approximately three years, with many issuers attempting to provide chip cards to their international travelers and heavy debit users in advance of the liability shift in October 2015.
“We were quite surprised by the across-the-board embrace of EMV by debit issuers,” said Tony Hayes, a partner at Oliver Wyman who co-led the study. “There has been a dramatic shift from issuers’ tepid interest last year to their active plans to implement EMV beginning in 2015.”
Debit continues to grow, as issuers focus on growth strategies
Outside of the challenges caused by data breaches, debit continued its growth trajectory in 2013. On the consumer side, the primary performance improvement was in transactions per active card per month, which rose to 20.1 in 2013 from 19.4 in 2012. Other metrics, such as penetration, active rate and ticket size, remained consistent year-over-year. There was an uptick in usage of business debit cards: transactions per active card per month grew to 14.5 from 13.5.
Continuing historical trends, signature debit declined in share of total transactions between 2012 and 2013, falling to 62 percent from 64 percent for consumer cards, and to 70 percent from 72 percent for business cards. As regulated issuers (those with more than $10 billion in global assets) receive equivalent interchange for signature and PIN transactions but incur lower costs on PIN transactions, large debit issuers now tend to prefer PIN transactions.
To foster continued debit growth, issuers reported working both to improve current performance and to make their debit offering more attractive. Rewards program incidence has rebounded from its decline following Regulation II implementation. Because traditional debit rewards programs have unsustainable economics in the post-Reg II environment for regulated issuers, many financial institutions have moved to merchant offers. Forty-eight percent of regulated issuers now offer debit rewards programs, and most of these utilize merchant offers.
As issuers continue to promote the migration of cash payments to cards, PULSE expects overall ATM use to naturally decline. In 2013, ATM withdrawals reached a study-wide low of 2.3 per active card per month. Large banks expect ATM transactions to continue to decline, but community banks and credit unions project increased ATM transaction volume as they seek to drive traffic from the branch to the ATM.
PCI Costs Coverage: What Business Really Needs
As the barrage of data breaches reported in the press continues unabated, many executives are awakening to the risks a breach of their customer data poses to the financial health of their organizations. While their focus is often on the costs of notification and credit monitoring, a much overlooked liability is the financial risk arising from Payment Card Industry (PCI) fines, penalties or assessments.
Every organization, in order to process card transactions for payment, must sign a Merchant Services Agreement with either a merchant acquiring bank or a payment processor. This agreement contractually binds the organization to maintain full compliance, at all times, with the Payment Card Industry Data Security Standard (PCI-DSS) established by the payment card brands. Unfortunately, continuous compliance is actually rare, as a firm's compliance may fluctuate from day to day. When a data breach involving payment card information occurs and the organization is found not to be PCI compliant at the time of the breach, the organization may be shocked to learn that the PCI contractual damages it has assumed in the Merchant Services Agreement may equal or exceed any notification or credit monitoring expenses.
An organization often first learns of a data breach when its merchant bank or a card brand sends a Common Point of Purchase report, which indicates that a certain number of payment cards incurred fraudulent charges after last being used legitimately at one common point: the organization in question. The organization may then be contractually required to immediately hire a forensic firm or a PFI (PCI-Certified Forensic Investigator) to conduct a forensic investigation to determine the extent and scope of the compromise, if any, and to determine whether the organization was PCI-DSS compliant at the time of the breach. The costs of the PFI can be extreme, quickly escalating into the six- or seven-figure range.
Upon a finding of non-compliance in any area of the PCI-DSS, the ramifications for an organization are grim. Depending on the circumstances of the breach and the size of the organization, fines can range up to $500,000. Moreover, in many cases, the payment card brands will also look to recoup operational expenses (including card reissuance costs) and counterfeit fraud recoveries incurred in connection with the event from the merchant bank if the number of cards affected exceeds the card brand's minimum threshold for assessments, which may range up to 15,000 cards in a single breach. The merchant bank will pass these costs downstream to the organization responsible for the breach. The sum of the operational expense and counterfeit fraud recoveries often amounts to a total assessment of $3 to $5 per affected card, though higher amounts are common. The organization's merchant bank often collects these assessments, fines and penalties by directly withholding a portion of the payment due to the organization from its routine settlement accounts at the bank until fully repaid. And while an appeal is possible, it also carries additional costs and is rarely successful.
For a small organization, these costs could prove fatal to its financial health. And of course, failure to pay these amounts or to remediate the applicable PCI-DSS deficiencies can result in potentially the worst outcome of all: losing the ability to process credit and debit card payments, the lifeblood of most consumer-facing organizations.
For those organizations choosing to purchase Cyber liability coverage, not all insurers offer PCI coverage but for those that do, the PCI coverage offered can vary significantly. Some insurers offer coverage for PCI fines or penalties only via a sublimit. Others recognize the significant PCI exposure beyond fines and penalties and are now expanding coverage to include fraud assessments, card reissuance costs, case management fees and PFI investigation expense at either full policy limits or via a sublimit. However, it is important to note that the organization must be able to attest in writing that they are PCI compliant at the time of applying for the coverage.
Please talk to us for further information on this potential exposure to your company and any other questions you may have as it relates to securing or enhancing your Privacy and Network Security Liability coverage.
Please review carefully!
Information is not an offer to sell insurance. Insurance coverage cannot be bound or changed via submission of this online form/application, email, voice mail or facsimile. No binder, insurance change, addition, and/or deletion to any insurance policy coverage goes into effect unless and until confirmed directly with a licensed agent. Note any proposal of insurance we may present to you will be based upon the values developed and exposures to loss disclosed to us on this online form/application and/or in communications with us. All coverage is subject to the terms, conditions and exclusions of the actual policy issued. Not all policies or coverage is available in every state.
Please contact our office at 918-346-6973 or 918-660-0090 to discuss specific coverage details and your insurance needs. In order to protect your privacy, please do not send us your confidential personal information by unprotected email. Instead, discuss that personal information with us by phone or send by fax.
Statements on this website as to policies and coverage and other content provide general information only and we provide no warranty as to their accuracy. Clients should consult with their licensed agent as to how coverage pertains to their individual situation. Any hypertext links to other sites or vendors are provided as a convenience only. We have no control over those sites or vendors and cannot, therefore, endorse nor guarantee the accuracy of any information provided by those sites or the services provided by those vendors.
Information provided on this website does not constitute professional advice. If you have legal, tax or financial planning questions, you need to contact a qualified professional.