Submitted by: John F. Barrett, Member ERM, Bennett Bricklin & Saltzburg LLC

Every day brings a new story of a crippling cyber-attack.   Some breaches, such as the Marriott International breach, involve the loss of private information belonging to customers.  In the Marriott breach, personal information and many credit card numbers of over 500,000,000 customers were stolen by unknown hackers.  Other attacks, like the one on global transporter Maersk, rendered its global computer network unusable, bringing the company’s business to a complete halt.  It has since estimated that the losses from Maersk the attack could exceed $300,000,000.  In a “phishing” attack, a criminal typically gains access to a company’s internal email communications and defrauds an employee into transferring funds to them.

Many businesses believe that they are adequately insured against such losses.  However, while many policies provide coverage, there are often strict limits on such losses.  When reporting claims, many companies are unpleasantly surprised to learn that their all-encompassing commercial business insurance policies do not cover such losses or provide very strict limits on cyber losses. While purchasing stand-alone cyber coverage can certainly be a “fix”, a company’s long term solution must also include “Cyber-Hygiene.”  Good cyber hygiene includes employee training, information system protection, safe operating procedures and good corporate governance.

Of course, employee training, hiring and infrastructure investment are all expensive propositions for small to medium enterprises (SMEs).  Thus, it is important to ask:  Is my business one that is likely to be targeted?  While all businesses are vulnerable to attack, some are more likely to be attacked than others which must drive investment in protection.  Businesses which engage in large and frequent electronic funds transfers are sought-after targets, because criminals can directly try to divert those funds through fraudulent means.  Businesses that store credit card information are at great risk, because the credit card information can be either used or resold by the criminals.

Intellectual property in the form of new technology or research is very valuable.  Finally, companies that hold large amounts of personal information are at risk.  Even a database of employee information can pose as a valuable target, as proven by the attack on the University of Pittsburg Medical Center which resulted in the theft of data on all of its 32,000 employees.

Businesses must first consider their own threat profile and vulnerabilities.  While insurance can mitigate the damage done to businesses, insurance alone is never sufficient to protect businesses from cyber-attack.  Businesses must protect themselves.