The Insecurity of Cyber Technology

With piracy active in digital waters, cyber attacks are on the rise and Cyber Liability Insurance is more important than ever.

The Russians are coming, the Russians are coming! That movie is before my time, but watch the nightly news and it seems Putin and his posse of cyber terrorists are constantly on the attack. Whether he is leading the charge or not, we have seen a dramatic increase in malicious attempts to damage or disrupt computer networks through data breaches, ransomware, fraud and Denial of Service (DoS) attacks. Most people are familiar with computer viruses now and know not to click on a suspicious link emailed to fifty of their closest friends, but rather than ending in a costly appointment with a Geek Squad member, the damage from these attacks can be significant. Just last month, we saw what happens when a gas company’s computer system is compromised and held hostage for a short time. What would happen to your company or business if the computer system was taken hostage? What’s at stake?

“Online threats are varied and they don’t discriminate organizations from individuals when looking for a target. . .it’s not an exaggeration to say that cyber threats may affect the functioning of life as we know it.”

from preyproject.com

10 Most Common Types of Cyber Threats

[From preyproject.com]

Malware

Software that performs a malicious task on a target device or network, e.g. corrupting data or taking over a system.

Phishing

An email-borne attack that involves tricking the email recipient into disclosing confidential information or downloading malware by clicking on a hyperlink in the message.

Spear Phishing

A more sophisticated form of phishing where the attacker learns about the victim and impersonates someone he or she knows and trusts.

“Man in the Middle” (MitM) attack

Where an attacker establishes a position between the sender and recipient of electronic messages and intercepts them, perhaps changing them in transit. The sender and recipient believe they are communicating directly with one another. A MitM attack might be used in the military to confuse an enemy.

Trojans

Named after the Trojan Horse of ancient Greek history, the Trojan is a type of malware that enters a target system looking like one thing, e.g. a standard piece of software, but then lets out the malicious code once inside the host system.

Ransomware

An attack that involves encrypting data on the target system and demanding a ransom in exchange for letting the user have access to the data again. These attacks range from low-level nuisances to serious incidents like the locking down of the entire city of Atlanta’s municipal government data in 2018.

Denial of Service attack or Distributed Denial of Service Attack (DDoS)

Where an attacker takes over many (perhaps thousands of) devices and uses them to invoke the functions of a target system, e.g. a website, causing it to crash from an overload of demand.

Attacks on IoT Devices

IoT devices like industrial sensors are vulnerable to multiple types of cyber threats. These include hackers taking over the device to make it part of a DDoS attack and unauthorized access to data being collected by the device. Given their numbers, geographic distribution, and frequently out-of-date operating systems, IoT devices are a prime target for malicious actors.

Data Breaches

A data breach is a theft of data by a malicious actor. Motives for data breaches include crime (i.e. identity theft), a desire to embarrass an institution (e.g. Edward Snowden or the DNC hack), and espionage.

Malware on Mobile Apps

Mobile devices are vulnerable to malware attacks just like other computing hardware. Attackers may embed malware in app downloads, mobile websites, or phishing emails and text messages. Once compromised, a mobile device can give the malicious actor access to personal information, location data, financial accounts, and more.


What are your cyber liability risks?

If your computer systems are hacked or customer, employee or partner data is otherwise lost, stolen or compromised, the costs of response and remediation can be significant. According to iii.com, your business may be exposed to the following costs:

  • Liability—You may be liable for costs incurred by customers and other third parties as a result of a cyber attack or other IT-related incident.
  • System recovery—Repairing or replacing computer systems or lost data can result in significant costs. In addition, your company may not be able to remain operational while your system is down, resulting in further losses.
  • Notification expenses—In several states, if your business stores customer data, you’re required to notify customers if a data breach has occurred or is even just suspected. This can be quite costly, especially if you have a large number of customers.
  • Regulatory fines—Several federal and state regulations require businesses and organizations to protect consumer data. If a data breach results from your business’s failure to meet compliance requirements, you may incur substantial fines.
  • Class action lawsuits—Large-scale data breaches have led to class action lawsuits filed on behalf of customers whose data and privacy were compromised.

What cyber liability insurance covers

Some standard business insurance policies, such as a Business Owners Policy (BOP), may provide coverage for certain types of cyber incidents and may pay recovery or replacement costs. To extend coverage for a fuller range of cyber liability risks, you will need to purchase a stand-alone cyber liability policy, customized for your business. This type of policy can cover several types of risk, including:

  • Loss or corruption of data.
  • Business interruption.
  • Multiple types of liability.
  • Identity theft.
  • Cyber extortion.
  • Reputation recovery.

Steps to reduce cyber liability risks

  • Installing, maintaining and updating security software and hardware.
  • Contracting with an IT security services vendor.
  • Using cloud computing services.
  • Developing, following and publicly posting a data privacy policy.
  • Regularly backing up data at a secure offsite location.

New Cybersecurity Law in Tennessee Takes Effect July 1, 2021

Friday, May 21, 2021 | 10:28am | tn.gov

NASHVILLE — Tennessee insurance consumers will gain new protections for their personal, medical and financial information with the recent passage by the Tennessee General Assembly of the Insurance Data Security Law. Signed by Tennessee Governor Bill Lee, the law takes effect July 1, 2021.

“Tennessee’s adoption of the bill is critical for the Commissioner and the Department to have the tools they need to better protect Tennesseans’ sensitive consumer information.”

Assistant Commissioner for Insurance, Bill Huddleston.

The law modernizes, defines and toughens existing security measures that Tennessee insurance carriers must take to protect consumer information. Under the new law, insurance carriers must:

  • Identify internal or external threats that could result in unauthorized access, transmission, disclosure, misuse or destruction of consumers’ private information.
  • Develop, implement and maintain an information security program based on its individual risk assessment with a designated employee in charge of the information security program.
  • Investigate any cybersecurity breach and notify the Insurance Commissioner of a cybersecurity event if the licensee is a domiciled insurer or if more than 250 Tennesseans are impacted.

Spearheaded by the National Association of Insurance Commissioners (NAIC), the model legislation that formed the basis for Tennessee’s law was created with the input of national regulators after a succession of data breaches exposed millions of Americans’ personal information. The NAIC made cybersecurity and consumer data protection top priorities. The model legislation was the result of a two-year collaborative process that resulted in a model law that could be adopted by various states.

In an effort to raise greater awareness among consumers about cybersecurity, TDCI reminds consumers to familiarize themselves with the NAIC’s Cybersecurity Consumer Protections.

As an insurance consumer, you have the right to:

  1. Know the types of personal information collected and stored by your insurance company, agent or any business it contracts with (such as marketers and data warehouses).
  2. Expect insurance companies/agencies to have a privacy policy posted on their websites and available in hard copy, if you ask. The privacy policy should explain what personal information they collect, what choices consumers have about their data, how consumers can see and change/correct their data if needed, how the data is stored/protected, and what consumers can do if the company/agency does not follow its privacy policy.
  3. Expect your insurance company, agent or any business it contracts with to take reasonable steps to keep unauthorized persons from seeing, stealing or using your personal information.
  4. Get a notice from your insurance company, agent or any business it contracts with if an unauthorized person has (or likely has) seen, stolen or used your personal information. This is called a data breach. This notice should:
    • Be sent in writing by first-class mail or by e-mail.
    • Be sent soon after a data breach and never more than 60 days after a data breach is discovered.
    • Describe the type of information involved in a data breach and the steps you can take to protect yourself from identity theft or fraud.
    • Describe the action(s) the insurance company, agent or business it contracts with has taken to keep your personal information safe.
    • Include contact information for the three nationwide credit bureaus.
    • Include contact information for the company or agent involved in a data breach.
  5. Get at least one year of identity theft protection paid for by the company or agent involved in a data breach.
  6. If someone steals your identity, you have a right to:
    • Put a 90-day initial fraud alert on your credit reports. (The first credit bureau you contact will alert the other two.)
    • Put a seven-year extended fraud alert on your credit reports.
    • Put a credit freeze on your credit report.
    • Get a free copy of your credit report from each credit bureau.
    • Get fraudulent information related to the data breach removed (or “blocked”) from your credit reports.
    • Dispute fraudulent or wrong information on your credit reports.
    • Stop creditors and debt collectors from reporting fraudulent accounts related to the data breach.
    • Get copies of documents related to the identity theft.
    • Stop a debt collector from contacting you.

To learn more about the protections in your state or territory, contact your consumer protection office at:

Your state or territory’s insurance department at http://www.naic.org/state_web_map.htm.

Questions about your insurance policy or need to file a complaint? Contact the TDCI team at 1-800-342-4029 or 615-741-2218.


Standard Definitions Under This Bill of Rights

Data Breach: When an unauthorized individual or organization sees, steals or uses sensitive, protected or confidential information—usually personal, financial and/or health information.


Credit Bureau (Consumer Reporting Agency): A business that prepares credit reports for a fee and provides those reports to consumers and businesses; its information sources are primarily other businesses.


Credit Freeze (Security Freeze): A way you can restrict access to your credit report and prevent anyone other than you from using your credit information.


Personal Information (Personally Identifiable Information): Any information about a consumer that an insurance company, its agents or any business it contracts with maintains that can be used to identify a consumer.
Examples include:
• Full name.
• Social Security number.
• Date and place of birth.
• Mother’s maiden name.
• Biometric records.
• Driver’s license number.

Helpful Links:
“Credit Freeze FAQs” (Federal Trade Commission—FTC) – http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
“Disputing Errors on Credit Reports” (FTC) – http://www.consumer.ftc.gov/articles/0151-disputing-errors-credit-reports
“Taking Charge: What to Do If Your Identity Is Stolen” (FTC, May 2012). Tri-fold brochure; online PDF; can order bulk copies at no cost – https://bulkorder.ftc.gov/system/files/publications/pdf-0009-taking-charge.pdf
“Know Your Rights” (FTC) – https://www.identitytheft.gov/know-your-rights.html
“What Is Identity Theft?” (video; FTC) – http://www.consumer.ftc.gov/media/video-0023-what-identity-theft
“When Information Is Lost or Exposed” (FTC) – https://www.identitytheft.gov/info-lost-or-stolen.html
State Consumer Protection Offices (USA.gov) – http://www.usa.gov/directory/stateconsumer/index.shtml
Directory of State Insurance Regulators (NAIC) – http://www.naic.org/state_web_map.htm
World’s Biggest Data Breaches (information is beautiful) – http://www.informationisbeautiful.net/visualizations/worlds-biggestdata-breaches-hacks/