Despite heightened awareness of cyberthreats and increased spending on technology-based solutions, businesses throughout the country continue to fall victim to a range of cyberattacks and data breaches. Many organizations, including insurance agencies, turn to cyberinsurance as a solution to cover both first-party loss and third-party liability. These insurance policies often have the added benefit of proactive cyberrisk management tools and offer access to the industry’s top breach-response vendors. Yet given the time-sensitive nature of cyberevents, it’s important to understand how the policies work and to come up with a plan ahead of time. Consider the following three scenarios:
- It’s 3 p.m. on a Friday and your human resources director receives an urgent email from the agency president requesting copies of each employee’s W-2 form to conduct a quick payroll review. While the request seems odd (especially since the president is on vacation) the HR director replies to the email, attaching the requested forms in a zip file. Only upon clicking “send” does he realize that the email recipient’s address differs slightly from the president’s. In fact, her email had been “spoofed” or forged to appear to come from her. At this point, the HR director realizes he has sent the confidential W-2 information for over 100 employees–including full names and Social Security numbers–to an unknown third party.
- An account executive logs onto her computer to begin working on a client’s upcoming renewal. When she attempts to open the current policy and prior years’ applications, a message appears indicating that the file has been encrypted and the only way to obtain the encryption key (to unlock or decrypt the file) is to pay a ransom of 7 bitcoin (at the time of writing, equivalent to approximately $8,500). She calls the agency’s in-house IT manager who informs her that other users are experiencing the same issue. It seems that the entire internal agency management system has been infected with a new type of ransomware, most likely downloaded unknowingly by an employee clicking a malicious link in an email. Without access to critical client files, the agency’s operations come to a standstill.
- While traveling to meet with a large client to discuss its group health insurance, your benefits specialist leaves his briefcase–containing his laptop–in the back seat of his car. When he returns, he finds that the briefcase is missing and realizes he forgot to lock the vehicle. Although his initial concern is the cost of the stolen laptop, he quickly remembers that he had downloaded files containing summary health information onto his desktop to easily share with the client, despite an agency policy mandating that such information only be accessed via a secure VPN. Although the laptop was password-protected, the IT department confirms that the hard disk is not encrypted; accordingly, this situation must be treated as a potential breach of protected health information.
Although the fact patterns vary, these scenarios all point to the central role of data and information in the daily operations of the business. With your agency’s time, money and reputation on the line, you must act swiftly, but responsibly. In understanding the following three steps to cyberincident response, your agency will be better equipped to react and recover.
No. 1: Discovery
This is the moment that an employee, manager or customer suspects that there has been some type of data breach, unauthorized access or other cyberevent. Whether it’s a lost laptop or ransomware, all agency personnel should be instructed on how to report such incidents so they can be evaluated as quickly as possible. Ideally, your agency will have a predetermined incident response team that can be called upon when required. It is also recommended that you notify your cyberinsurance carrier so it may guide you through the subsequent steps, advise you on what is and is not covered, or otherwise connect you with outside experts. In particular, when a breach of sensitive client, customer or employee information is suspected, an experienced data and privacy attorney should be engaged to guide the subsequent investigation, preserve evidence and coordinate notification.
No. 2: Investigation
Once an incident has been discovered, the incident response team, or other designated individual(s), can begin the investigation process. In the case of a data breach involving sensitive customer or employee information, you’ll want to determine how the information was accessed, the type of information compromised and the number of affected individuals. In the W-2 fraud incident above, this information is obvious, but in other situations you may need to engage computer forensic experts to conduct a thorough investigation, remove malware and remediate vulnerabilities. For ransomware, your internal IT team or outside experts should determine which files, applications and systems are affected and whether those assets can be restored from backups. In any event, it’s important to work with your insurer to confirm the available limits of coverage and seek approval to use outside vendors.
No. 3: Response/Remediation
For breaches of personally identifiable information, your attorney (sometimes known as a breach coach) will evaluate your legal obligations under any applicable breach-notice laws. When necessary, specialized vendors are engaged to mail notification letters and set up a call center to answer questions from affected clients. The attorneys also provide legal representation in response to regulatory investigations or proceedings. In cases of ransomware (when you are unable to restore the data from backups), you may need to weigh the options of paying the ransom or finding another (possibly more expensive) means to restore or recreate your data. As mentioned above, you should coordinate with your carrier and seek approval for any such costs when necessary.
While all cyberincidents are unique and require different responses and solutions, this basic three-step approach remains the same. Preparedness begins with understanding your exposure; identifying a team to respond to incidents; and having a process to follow in the event of a crisis. Through effective incident response planning, your agency can be better prepared to handle a breach with confidence and minimize monetary loss or business disruption.
Written by Evan Fenaroli, Product Manager
IMPORTANT NOTICE – The information and suggestions presented by Philadelphia Indemnity Insurance Company in this E-Brochure are for your consideration in your loss prevention efforts. They are not intended to be complete or definitive in identifying all hazards associated with your business, preventing workplace accidents, or complying with any safety-related or other laws or regulations. You are encouraged to alter them to fit the specific hazards of your business and to have your legal counsel review all of your plans and company policies.