Cyber Risks for Public Entities
At the 2017 PARMA Conference, a panel discussed cyber liability concerns for public entities. The panel was:
- John Chino – Arthur J Gallagher
- Steven Robinson – Risk Placement Services, Inc.
- Elissa Doroff – XL Catlin
Common Patterns of Cyber Claims:
- Missing or stolen laptop or storage devices
- Mismailing
- Erroneous data posting
- Willful release based on fraudulent instruction (social engineering, phishing). This is sometimes not covered under the cyber policy but under a crime policy instead.
- Compromised system (hacking)
- Loss or theft of physical documents
- Lost backup data or tape
- Breach caused by a third-party vendor
- Improper document or equipment disposal
- Insider
These are the most common sources of cyber breaches. You should make sure your policy covers these things.
What is Cyber Liability Insurance:
Cyber risk insurance is evolving. The policies are designed to protect from liability associated with:
- Unauthorized release of confidential information.
- Violation of a person’s rights to privacy.
- Personal injury in an electronic/social media environment.
- Intellectual property infringement
- Violations of state or federal privacy laws
Expenses you incur yourself to investigate, provide credit monitoring, make appropriate notifications, etc. are also covered under the cyber liability policy. This includes legal expenses. Cyber insurance has both first-party coverage and third-party coverage in the same policy. It could also cover property damage associated with a cyber breach. Unlike many other coverages, cyber policies also cover regulatory liability (fines and penalties).
One of the biggest benefits of the cyber policy is the resources that your carrier can provide in managing these issues. They have significant expertise in these areas to help you navigate a cyber breach. Make sure you report the claims immediately to the carrier.
Active Cyber Claims They are Seeing:
The panel gave many examples of public entity claims they are currently responding to.
- Ransomware claims have been increasing in all industries, including public entities. In these claims, systems are inhibited or locked down until payment of the ransom is made. Ransomware claims usually request payment in bitcoins. Oftentimes, paying the ransom is the cheapest response to the hack and will restore your system the fastest.
- Virus encryption attacks have shut down municipal servers, including the 911 center.
- A school district experienced a denial-of-service attack, which overloads servers and can shut down your business during the attack.
- Students have hacked into systems to gain access to other students' grades, etc., or to try to make changes to grades.
The exposure on such claims can be anywhere from a few thousand dollars to several million dollars. It can cost hundreds of thousands of dollars just to investigate a data breach to determine whether any information was compromised.
Mitigating Risks
- Train your employees to recognize threats. People need to know what to be suspicious of.
- Recognize the signs of electronic threats. If your computer is slow, showing pop-ups, or having performance issues, it could be a virus.
- Phishing or social engineering is another common form of cyber hacking. People use a program or even something as simple as a phone call to get your system password. You usually give this information to them voluntarily because they trick you into giving it to them. These people are professionals, and they often research background details so that you trust the message.
- Examine URLs in emails or links they ask you to click. Sometimes one character being off in a URL will reroute you to a rogue site.
- Do not download or open attachments from an unknown sender.
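
The URL check described above can also be automated at the mail gateway or help desk. The following is an added example, not material from the panel: it flags link hostnames that are one or two characters away from a domain you actually use. The trusted domains, the distance threshold and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains your organization really uses (constructed values).
TRUSTED = {"cityhall.example", "payroll.example"}

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def hosts_in(text):
    """Lower-cased hostname of every http(s) URL found in the text."""
    urls = re.findall(r"https?://[^\s\"'<>]+", text)
    return [h.lower() for h in (urlsplit(u).hostname for u in urls) if h]

def classify(host, trusted=TRUSTED, max_distance=2):
    """Return (verdict, trusted domain it matches or imitates)."""
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return "trusted", dom
    for dom in sorted(trusted):
        # Compare only the trailing labels, so a subdomain cannot hide a typo.
        tail = ".".join(host.split(".")[-(dom.count(".") + 1):])
        if 0 < edit_distance(tail, dom) <= max_distance:
            return "lookalike", dom
    return "unknown", None

def scan(text):
    """Classify every link host in a message body, in order of appearance."""
    return [(h, *classify(h)) for h in hosts_in(text)]

# Constructed sample message body.
SAMPLE = """Your password expires today. Sign in at
https://cityha1l.example/login or see https://mail.cityhall.example/help
Newsletter: http://news.example/today"""

if __name__ == "__main__":
    for host, verdict, dom in scan(SAMPLE):
        print(f"{verdict:9} {host}" + (f"  (compare: {dom})" if dom else ""))
```

An "unknown" verdict only means the host is not close to a trusted name; it is not a statement that the link is safe.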