Cyber Risks & Liabilities: September/October 2018

In this Issue

Who’s to Blame if a Security Breach Affects Your Organization?

A recent survey found that 70 percent of consumers expect businesses to take responsibility in the event of a data breach. But who within your organization should take the heat?

Acronyms All Businesses Need to Know

As cyber security evolves, it’s easy to become overwhelmed with all the terms and acronyms used. This article lists some of the most common acronyms in cyber security.

Increase in Attacks Against 911 Call Centers Highlights Need for New System

There have been 184 cyber attacks on public safety agencies and local governments since 2016, and 42 of those attacks targeted 911 call centers.

Who’s to Blame if a Security Breach Affects Your Organization?

If a security breach affects your organization, your main focus may be to solve the problem as quickly as you can, not point the finger in blame. But your customers want to know why it happened and who was responsible, even if the breach occurred because of their own lax security measures (e.g., sharing passwords or opening suspicious emails). In fact, a recent survey found that 70 percent of consumers expect businesses to take responsibility in the event of a data breach. But who within your organization should take the heat?

The CEO

If an organization doesn’t budget enough for security solutions, the fault will likely be placed on whoever makes the financial decisions, starting with the CEO. In fact, 29 percent of IT decision-makers who took part in a recent VMware survey thought that the CEO should be held responsible in the event of a large-scale data breach.

The CISO

Even if your company budgets adequately for cyber security solutions, 21 percent of the IT security professionals surveyed would still hold your CISO accountable in the event of a data breach.

IT Personnel

According to a 2014 report, 95 percent of cyber security incidents involve human error. That’s why the personnel who manage IT security day to day are easy targets for blame.

Other Employees

While accountability may start with the CEO and board of directors, everyone in your organization should take responsibility for cyber security. Even if you have the most modern cyber security technology, its return on investment will be nonexistent without full employee participation.

Increase in Attacks Against 911 Call Centers Highlights Need for New System

There have been 184 cyber attacks on public safety agencies and local governments since 2016, and 42 of those attacks targeted 911 call centers, according to cyber security firm SecuLore Solutions.

Over half of the attacks involved ransomware, in which attackers use malware to lock up emergency systems and demand payment to restore them. Most of the remaining attacks were denial-of-service attacks, in which a flood of fake calls prevented call centers from answering genuine emergency calls.

Due to the vulnerabilities in the current 911 system and the fact that it doesn’t address the ways people communicate in the modern world—such as through texts—the emergency response industry is encouraging state and local governments to adopt a system called Next Generation 911.

The Next Generation 911 system will have advanced security and be able to seamlessly move incoming calls to other centers when needed. The new system also gives callers the choice of calling from a phone line or sending data through approved telecommunications carriers and internet service providers.

Next Generation 911 is expensive, however, and governments have been slow to adopt it. Plus, its increased connectivity also opens new potential means of attack, according to industry experts. Sophisticated defense systems run by in-house cyber security teams will be vital as the emergency response industry adopts any new technology.

Acronyms All Businesses Need to Know

Newsletter Provided by: Hierl's Property & Casualty Experts



Meeting cybersecurity risks head-on: A guide to breach preparedness

How would you manage a data breach? No company is immune to cyberattacks and data breaches. Read on to learn how you can prepare your business.


Gauging a company’s true data breach risk from the outside is a difficult endeavor for insurers, with challenges both technical and informational. But even less attention has been paid to how companies would manage a breach if it happened, which has an enormous impact on the toll of the final damage.

No organization is immune to breach. If the National Security Agency can lose data, anyone can lose data, yet the scope of the current issue is still astounding.

According to another insurance company's 2017 cyber readiness report, 72% of large U.S. businesses — nearly three out of four — and 68% of small- and mid-sized businesses — about seven in ten — reported cyber incidents in the previous year. Among these, close to half (47%) experienced two or more cyber incidents during that same time.

The largest breaches, affecting big-name companies like Equifax, Target, Home Depot and many others, drew substantial headlines because of the huge number of identities involved. But almost every business holds some sensitive information, either regarding its customers or its own intellectual property, finances or employees. In fact, smaller organizations often lack the internal resources to dedicate towards preparedness, making them very attractive targets for hackers.

Assessing the threats to your business

The first challenge with measuring a company’s risk exposure relates to the industrywide problem of tying compliance and policy to actual security. A company may have checked all the right boxes on paper, but doing so guarantees little about their actual cyber risk position.

The second issue is that people often matter much more than technology.

The public conversation focuses on high-profile hacking events, but data breaches are even more likely to be the result of internal issues, including breakdowns in training, procedure or plain old mistakes.

The overwhelming majority of successful cyber attacks rely on employees who unwittingly hand over their system IDs and access credentials to attackers, or who open the door by clicking a malware link embedded in an e-mail or other message.

One of the most important components of an effective data breach readiness program is mandatory and frequent training to remind employees about the importance of security awareness.

Education in information security best practices can help arm a team against threats such as phishing, man-in-the-middle attacks, malware and ransomware, substantially lowering the long-term risk.

An accurate understanding of a company’s sector-specific risks is another important point of departure in corporate cybersecurity. Healthcare employees, for instance, need to be especially on guard for EHR-related attacks and breaches through exposed RDP servers, like the ones carried out with the SamSam ransomware (which took down Allscripts in January 2018).

Other industries are more vulnerable to loopholes in common business apps; still, others are more frequently victims of point-of-sale malware or e-mail phishing scams. Once businesses understand where and how they are most likely to be targeted, they can begin providing training that takes into account the need for added vigilance in these specific areas.

The final challenge in correctly identifying breach risk involves understanding the extent to which recovery costs can vary. Discrepancies in cost depend not only on the severity of the breach, but also on how well the organization responds. Globally, the average cost to recover from a security breach is $158 per impacted individual, but that varies from $60 to $400 per person.

While more companies than ever before are considering or have taken out some form of cyber insurance, insurance alone does not offload the risk. Smart organizations are increasingly focusing on proactively identifying data breaches and preparing to react to them efficiently, well before a breach crisis arrives.

Proper preparation means more education

The most devastating impacts of a data breach can only be avoided by coupling breach awareness and prevention efforts with readiness and response planning ahead of a cybersecurity incident.

Comprehensive breach readiness plans break down both pre-emptive and retrospective action steps by department: it’s sensible, for example, to task IT personnel with monitoring cloud connectivity and identifying network loopholes while entrusting financial staff with detecting suspicious activity along company bank and credit accounts.

Customer relations experts and account managers, on the other hand, are likely the best resources for overseeing client communications during and after a data breach, helping to re-establish trust and informing their consumer-facing workforce.

Here, inter-departmental communication is paramount: all workers should understand how and to whom they are to report possible breaches or scams, and when such breaches occur, the entire company should know what to expect employees in every department to do next.

Even for the most cyber-savvy corporations, however, internal resources alone are not enough these days. Outside resources are often critical to mitigating the threat of cyber attacks, stopping them once they start and restoring company functions in a breach’s aftermath.

Establishing relationships and negotiating agreements with external subject matter experts is better done far in advance of an actual data breach. Contractual terms can be negotiated without the chaos and urgency of a crisis situation. The same is true for interfacing with law enforcement and regulatory agencies.

Knowing whom to contact and having an established communication chain can pay off when trying to execute an urgent data breach response.

Both internally and externally, the human element of cybersecurity remains a business’s best defense across an ever-widening threat landscape. With the right planning and a rapid response team, companies should be able to withstand a breach with the least damage possible, limiting losses – and claims.

SOURCE: Thompson, J. (2 March 2018) "Meeting cybersecurity risks head-on: A guide to breach preparedness" (Web Blog Post). Retrieved from https://www.propertycasualty360.com/2018/03/02/meeting-cybersecurity-risks-head-on-a-guide-to-bre/


6 ways HR can help prevent a data breach

Employees are often an organization's first line of defense against cyberattacks. Continue reading to learn the 6 ways HR can play a critical role in preventing data breaches.


Employees are an organization's first line of defense against and response to cyberattacks—which have become widespread in recent years. HR, in particular, can play a critical role in protecting sensitive information and minimizing employer liability.

Data breaches can lead to enormous liability, said Danielle Vanderzanden, an attorney with Ogletree Deakins in Boston. Some losses are easy to calculate, such as time spent on help desk activities, investigations and legal defense. Other losses are harder to quantify, such as reputational damage to the business. But it's clear that the costs can be staggering: The average total organizational cost of a data breach in the United States is $7.35 million, according to a 2017 study.

Whether a worker intentionally sold customer data, unintentionally left a laptop on a train or carelessly left boxes of medical records unattended in a high-traffic area of a hospital, employers can wind up paying millions of dollars in damages.

So what can HR do to mitigate these costs? In large part, data security is an issue for the technology department, but HR professionals can help ensure that effective programs are in place, Vanderzanden said at the 2018 Society for Human Resource Management Employment Law & Legislative Conference. Specifically, HR can lead the way by:

  1. Knowing who is hired. Protecting personally identifiable information (PII) starts with properly vetting job candidates who will have access to sensitive information: those being considered for HR, payroll and finance positions, to name a few.
  2. Accounting for equipment. During the onboarding process, employers should complete a checklist so that they have a record of all the equipment each employee receives. Then, at the time of separation, the checklist should be consulted to ensure that all equipment is returned and workers don't walk out of the building with sensitive information.
  3. Training employees to spot issues. Workers may not always know how to identify an issue—such as a phishing scam through which a cybercriminal sends an e-mail that looks like it came from someone in the company. An employee may quickly respond to the message and divulge personal information that can be used to access payroll and other information. Employees should be trained on how to identify scams and also should know what to look for in a legitimate company e-mail, such as a standard signature line, a photo of the sender and a company e-mail address.
  4. Encouraging workers to speak up. When a breach or attempted breach occurs, employees who handle PII must feel comfortable stepping up and notifying the appropriate staff. This is essential for resolving the situation, but also because employers must provide certain notices when information is compromised.
  5. Carefully crafting BYOD policies. Bring-your-own-device (BYOD) policies may turn into bring-your-own-breach policies in practice, Vanderzanden said. The more mobile the device, the easier it is for an unauthorized person to walk away with the device and any sensitive information that is stored on it. If employers are going to have a BYOD policy, they should have written policies about what will happen if the device is lost or stolen and what will happen upon termination of employment. Among other things, they should also have a procedure for remotely wiping data from the device.
  6. Building a culture of compliance. Representatives from different business functions—such as IT, HR, security and finance—should work together to ensure that data security measures are ingrained in the organization's practices. Moreover, compliance and cooperation must start in the C-suite. HR can play a role in influencing senior management about the importance of having everyone in the organization follow security procedures.
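Item 3 describes the phishing pattern (an e-mail that appears to come from a colleague), but the cues it lists, a signature line, a photo and a company-style address, are trivially copied by an attacker. The reliable indicators are the sender’s actual address and domain, where replies are routed, and the nature of the request, with any payroll or credential request confirmed out of band. The following is an added example, not part of the SHRM article, that checks an e-mail’s headers and body for those indicators using only the Python standard library. The company domain example.com, the staff directory and both messages are constructed for illustration.

```python
"""Flag common sender-spoofing indicators in an e-mail (added example).

Uses only the Python standard library. The domain example.com, the
staff directory and both messages below are constructed for illustration.
"""
import difflib
import email
import re
from email.utils import getaddresses, parseaddr


def normalize_domain(domain: str) -> str:
    """Collapse digit/letter look-alikes so 'examp1e.com' compares as 'example.com'.
    Heuristic only: 'rn'->'m' also rewrites legitimate names such as 'modern',
    so the result is used for comparison, never for display."""
    d = domain.lower()
    for bad, good in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        d = d.replace(bad, good)
    return d


def domain_of(addr: str) -> str:
    """Return the domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, internal: str) -> bool:
    """True when domain is not the internal domain but is easily mistaken for it."""
    if domain == internal:
        return False
    if normalize_domain(domain) == normalize_domain(internal):
        return True
    return difflib.SequenceMatcher(None, domain, internal).ratio() >= 0.85


def analyze(raw_message: str, internal_domain: str, staff: dict) -> list:
    """Return human-readable findings for one message; an empty list means no
    indicator fired. staff maps a lowercase display name to the address the
    company actually has on file for that person."""
    msg = email.message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. Display name of a known colleague, but the address is not theirs.
    known = staff.get(name.strip().lower())
    if known and addr.lower() != known.lower():
        findings.append(f"display name '{name}' is a colleague but the address is {addr}")

    # 2. Sender domain is a look-alike of the company domain.
    if from_domain and is_lookalike(from_domain, internal_domain.lower()):
        findings.append(f"sender domain {from_domain} resembles {internal_domain}")

    # 3. Replies are redirected to a domain other than the visible sender's.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply) and domain_of(reply) != from_domain:
            findings.append(f"Reply-To {reply} does not match From domain {from_domain}")

    # 4. Urgency combined with a request for credentials or payroll/banking changes.
    payload = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + payload.decode("utf-8", "replace")).lower()
    if re.search(r"\b(urgent|immediately|asap)\b", text) and re.search(
            r"\b(password|login|credentials|direct deposit|w-2|wire)\b", text):
        findings.append("urgent request for credentials or payroll/banking details")
    return findings


# Constructed directory and messages; not real people or real mail.
STAFF = {"jane doe": "jane.doe@example.com"}

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q3 headcount report

Attached is the headcount report for the board pack.
"""

SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.example.net
To: payroll@example.com
Subject: URGENT: update direct deposit before payroll runs

Please send me the current direct deposit details immediately.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, analyze(raw, "example.com", STAFF))
```

The legitimate message produces no findings; the spoofed one trips all four checks even though its display name, signature and "company-looking" address would pass the visual test the article describes. A mail gateway would pair checks like these with SPF, DKIM and DMARC results on the sending domain, which this offline example does not have.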

Check State Laws

HR professionals should note that state laws are the primary source of potential identity-theft liability for employers. "State laws in this area are a patchwork collection and are neither uniform nor completely consistent," said Patrick Fowler, an attorney with Snell & Wilmer in Phoenix, in an interview with SHRM Online. California and Massachusetts have been more active than other states in passing data privacy legislation, but virtually all of the states have data breach notification laws at this point, he noted. Employers should make sure they know what is required under relevant state laws.

SOURCE: Nagele-Piazza, L. (14 March 2018) "6 ways HR can help prevent a data breach" (Web Blog Post). Retrieved from https://www.shrm.org/resourcesandtools/legal-and-compliance/employment-law/pages/6-ways-hr-can-help-prevent-a-data-breach.aspx


Your Cyber Liability Policy & Handling Data Breaches Like A Pro

In the digital age we live in, it has never been more critical to have a focused, working cyber liability policy. A data breach is a bad dream for a company, but having to tell customers about it is a nightmare. For this month’s CenterStage, Hierl’s wonderful VP of Property & Casualty, Cathleen (Cathy) Christensen, has brought you some helpful, informative advice on securing a reliable cyber liability policy, enabling you to handle data breaches like a pro.

About Cathleen

Cathleen Christensen is the current Vice President, Property & Casualty of Hierl Insurance, Inc. Cathy’s expertise lends itself well to helping local businesses with their commercial insurance and risk management needs. She attended Alverno College in Milwaukee, WI before her career in insurance. In her 25 years of experience in the industry, she has worked on the insurance company side as an underwriting manager, as well as on the agency side as an account executive. Cathy has also been an entrepreneur herself, which enables her to understand the demands businesses face today.

So, let’s get into it: how do you choose a successful cyber liability policy and avoid business-fatal data breaches?

The 3 Big Issues of a Data Breach & How a Cyber Liability Policy Comes In Handy

When it comes to cyber liability, three issues plague businesses. First, 47 states in the United States have separate data breach laws that regulate what business owners must do when a data breach has occurred, and companies that operate in more than one state must know and comply with each of them. Second, there is the public relations issue: telling customers you’ve had a data breach in a way that won’t completely destroy your company. The leak of private customer information can lead to lawsuits, too, which leads us to the third issue. Finally, there is the price tag:

“In 2016, the average cost for each lost or stolen record containing sensitive and confidential information is a hundred and forty-one dollars. This is down ten percent from the previous year, but still incredibly significant.” -Ponemon Data Breach Study

When all three of these issues become a certain reality for your business, you are past the point of being able to protect yourself. You need third-party cyber liability experts to step in and help you handle the laws, the PR, and the price tag. Cyber liability insurance policies are tailored to meet your company’s specific needs and as part of their data breach coverage can include forensic, legal and public relations support. It is important to remember that in today’s environment, no company is immune to the possibility of being a victim of cyber crime. However, there are some things you can do to lower your risk of a data breach.

  1. Employee Corporate Security Policy Education. Did you know it’s more common for an employee to unintentionally leak information than it is to be hacked? This is why it’s crucial to educate your employees on cyber risks, but also to have a clear, focused Corporate Security Policy in place.
  2. Encrypt ALL Confidential Data. Even the simplest of things should be encrypted. Plus, don’t use the same password on EVERYTHING. Have different passwords or codes for as many things as possible. That way, if someone were to hack you, they can’t unlock everything. If you’re someone who forgets your passwords easily, keep a notebook or binder with your company information under lock and key, to be used only with express permission.
  3. Backup, Backup, Backup. Let’s say your company’s entire computer system is shut down by a virus and you lose everything. That’s a frightening scenario, right? So, avoid it by having backups, and many of them. A general rule of thumb is to have three solid backup methods. Perhaps you have a couple of online storage services where you keep files and an external hard drive. It doesn’t matter which – just make sure you have it backed up!
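Item 3 is the control that decides whether a ransomware incident is an outage or a disaster, and the check a practitioner adds to it is that each copy can actually be restored intact, because malware that reaches a mounted backup disk encrypts or deletes those copies too. The following is an added example, not part of the newsletter, that records a SHA-256 manifest for a backup set and verifies two copies against it after one has been tampered with. It uses only the Python standard library and runs in a temporary directory; the file names and the simulated overwrite are constructed.

```python
"""Record a SHA-256 manifest for a backup set and verify copies against it
(added example). Runs offline in a temporary directory; file names and the
simulated ransomware damage are constructed for illustration."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map each relative file path under source to its digest, in sorted order."""
    return {str(p.relative_to(source)).replace("\\", "/"): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def verify_backup(copy: Path, manifest: dict) -> list:
    """Return the relative paths that are missing from copy or whose content
    differs from the manifest. An empty list means the copy restores intact."""
    return [rel for rel, digest in manifest.items()
            if not (copy / rel).is_file() or sha256_of(copy / rel) != digest]


def demo() -> tuple:
    """Create a small source set, keep two copies, damage one, verify both."""
    root = Path(tempfile.mkdtemp())
    try:
        src = root / "source"
        src.mkdir()
        # Constructed sample data, not real records.
        (src / "payroll.csv").write_text("id,name,amount\n1,Alice,5200\n")
        (src / "contracts.txt").write_text("Master services agreement v3\n")

        manifest = build_manifest(src)
        # The manifest must live somewhere the backup job cannot overwrite;
        # otherwise malware can rewrite it to match the damaged copies.
        (root / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))

        offsite = root / "offsite"
        local = root / "local_disk"
        shutil.copytree(src, offsite)
        shutil.copytree(src, local)

        # Simulate ransomware reaching the locally attached copy: one file is
        # replaced by ciphertext-like bytes, another is deleted.
        (local / "payroll.csv").write_bytes(b"\x00ENCRYPTED\x00" * 8)
        (local / "contracts.txt").unlink()

        return verify_backup(offsite, manifest), verify_backup(local, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    good, damaged = demo()
    print("offsite copy problems:", good)
    print("local copy problems:", damaged)
```

The offsite copy verifies clean while the locally attached copy reports both files, which is the result a backup job should raise as an alert rather than silently overwrite on the next run. The manifest itself belongs with the offline or write-once copy, not on the disk the backup job can write to.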

There are also a couple of relevant, key issues Cathy wanted to update employers on:

  • Ransomware & Social Engineering Fraud. The biggest scams of today are these two cyber crimes. Both work to steal company information by acting as perfectly normal requests, surveys or even Facebook personas. Employees fall into their traps, giving out company information freely, not realizing it was under false pretenses. Never, ever give out company information – even on something that seems like an official document – without consulting your manager or boss, first.
  • Federal Communications Commission (FCC). The FCC provides a tool for small businesses that can create and save a custom cyber security plan for your company, choosing from a menu of expert advice to address your specific business needs and concerns. It can be found at www.fcc.gov/cyberplanner.

Don’t sit back and wait for cyber doomsday. Take your policy into your own hands, set company standards, and consider cyber liability insurance to help protect your business from the cost of a cyber attack.

At Hierl, Property & Casualty coverage is a partnership, not a product. We look at your entire organization, listen to you, assess your risk, develop a complete strategy and deliver a full-service solution. Our team of experts starts by looking at your risk and helping you to gain Insight™ into what is in store for tomorrow. If you have any questions or are interested in knowing whether Hierl’s cyber liability solutions are a good fit for you, please contact Cathy at 920.921.5921.


FBI Urges Consumers to Reset Their Routers to Prevent a Malware Attack

Your cyber security is important to us. Consider protecting yourself from the recent growing malware attacks and keep your data safe with these recommendations.


Recently, researchers at Talos—a cyber intelligence unit of Cisco—warned consumers of malware (malicious software) that specifically targets networking devices. The malware, which is known as VPNFilter, impacts an estimated 500,000 routers worldwide, particularly targeting devices from the following manufacturers:

VPNFilter Could Collect Your Information Without Your Knowledge

Once on your equipment, the malware could stop your router from working, collect information from any systems that run through it and even block network traffic. Experts are concerned over the scope of the attack, as anyone owning a router from the affected manufacturers could be at risk, including businesses and individuals.

Agencies like the FBI have also expressed concern over VPNFilter, as this particular brand of malware can be used in espionage attacks on military, security and other government organizations.

Reduce Your Risk by Resetting Your Router

Unfortunately, there’s no simple way to tell if your router is infected. To protect yourself, it is recommended that you:

  • Reset your router to disrupt the malware. Turning the router off and on, or holding the reset button, clears the parts of VPNFilter that live only in memory. The persistent component survives a reboot and is removed only by a factory reset, so for further protection consider doing a factory reset of your router.
  • Install any firmware updates. These updates are typically found on the manufacturer’s website. You may need to search by your router’s model number, which can be found on the back of the device.
  • Create a new, secure password for your router.
  • Disable remote management settings.

For help performing any of the above steps, contact your router manufacturer.


Protect Yourself From Cyber Attacks

In today's world, a day does not pass without a large company being featured on the news because they are suffering from a data breach or hacking incident that has threatened personal information.

Cyber security has become a high priority in the past five years. Because the exposure is fairly new, most cyber-related claims are currently not covered under a standard insurance program, and demand for cyber insurance is emerging. The questions that arise most often regarding cyber security and liability are about understanding the level of exposure a company's data faces and knowing what cyber coverage encompasses.


Large companies are not the only ones at risk; it is often small businesses that are most vulnerable, simply because they are not prepared. Most small businesses (under 250 employees) do not have the IT staff needed to protect the business. Even manufacturing companies are at risk: credit card information is a large component of the problem, but it is not the only target. Can you afford the risk of not protecting your employee, client and company data?

With 10+ years of experience addressing cyber risks, Hierl's process for approaching cyber security begins with an assessment of a client's risk and exposure. This involves knowing what data a client has, who has access to it, how it's stored and how it is backed up. Hierl can expertly evaluate the coverage that is necessary to keep an organization protected.

Because it is an emerging coverage, cyber insurance plans are not standard. Hierl advises a three-fold type of coverage including:

  • Business coverage for customers and employees
  • Protection for your company and the data it houses
  • PR assistance if a security breach occurs

The best policies offer assistance to help you to work through things if something was to ever happen, as well as forensic and technical assistance to determine how the breach occurred.

"Many Organizations that have suffered cyber-crime are sophisticated, big businesses. If they can't stop these attacks from happening, most other businesses can't either."

If a breach is detected quickly and a good backup exists, a company can recover quickly and the attack is much less damaging. Attacks become most expensive once a company's data is out in the wild.

The 2016 Ponemon Institute Cost of Data Breach study reported that the average cost of a lost record rose from $154 in 2015 to $158 in 2016. Even if you only have 20 employees now and that doesn't seem all that bad, think about how many employee records you hold from the past 10 years. Cyber attacks don't affect only current records, nor do they target only employee data; client and company data are exposed too. This type of insurance is becoming a must-have coverage for businesses because of how sophisticated these attacks have become.

Three reasons to explore cyber coverage for your business:

  1. There is a higher incidence of cyber crime
  2. The longer it takes to detect and contain a data breach, the costlier it becomes
  3. Effects of a cyber-attack extend beyond monetary and data losses to losing business and customers

If you'd like to know more about protecting your company from a cyber breach, please reach out to Cathleen at 920.921.5921 or send her an email via cchristensen@hierl.com.



Cyber Risks & Liabilities Newsletter - March/April 2018

Cyber Criminals Stole Almost $20 Billion from U.S. Consumers in 2017

According to Symantec’s 2017 Norton Cyber Security Insights Report, more than one-half of the adult internet population in the United States was affected by some form of virus, malware, spyware or phishing scam in 2017. That accounts for roughly 143 million Americans. From those attacks, consumers lost $19.4 billion, and the average cyber crime victim spent 23.6 hours dealing with the aftermath.

Many of the crimes resulted from consumers making basic security mistakes. For example, 60 percent of victims made the mistake of sharing at least one of their passwords for their online accounts or devices with another person. Another cyber mistake was using a single password across multiple online accounts, which is something 24 percent of U.S. consumers made the mistake of doing, according to the survey.

The group of U.S. consumers with the best password management was the baby-boomer generation, with 69 percent ensuring they used a different password for each online account. However, 24 percent of them made the mistake of writing down their passwords on a piece of paper.

Prevention is Key

Symantec recommends following these basic cyber security best practices to ensure safety online:

  • Change your passwords every few months.
  • Don’t use the same passwords for multiple accounts.
  • Don’t share your passwords.
  • Use an anti-virus program.
  • Use due diligence when opening emails, clicking on links or downloading attachments online.
