1-888-643-2217 Email ABEX
Keeping you updated

Category Archives: Cyber Liability

3 Network Security Threats to Watch Out for in 2019

Cyber security attacks continue to increase in both size and severity. In order to truly protect themselves, businesses must remain informed on the latest cyber security trends. While it can be difficult to predict the emergence of new risks, the following is a list of major threats experts have identified for 2019 and ways to protect your business:

  1. Viruses and worms—Computer viruses and worms are malicious programs designed to infect core systems and destroy essential data. What’s more, viruses and worms can replicate themselves, infecting an entire network quickly. To protect your system, install anti-malware on all network devices.
  2. Drive-by download attacks—Drive-by download attacks generally refer to the unintentional download of malicious code from an app, operating system or browser, which, in turn, opens you up for an attack. What’s most concerning about these attacks is users don’t have to click, download or open anything to become infected. The best way to avoid these types of attacks is to keep your web browsers updated and ensure users don’t navigate to potentially dangerous sites.
  3. Phishing attacks—Phishing scams are a common strategy for hackers—one that requires minimal technical know-how and can be deployed via email. With every opened email, users risk becoming the victim of monetary loss, credit card fraud and identity theft. Successful phishing attacks oftentimes go unnoticed, which increases the risk of large and continued losses, particularly for businesses. To avoid becoming the victim of an attack, organizations need to train users on how to identify and avoid common phishing scams.

For more information on network security threats and prevention strategies, contact your insurance broker today.

© Zywave, Inc. All rights reserved


5 Tips to Make Your Passwords More Secure

Because identity theft and data breaches are becoming an ever-growing problem, it’s important to not only have a different password for each account, but to make those passwords easy to remember and hard to guess. The following are tips you can use to make your password harder to crack:

  1. Change your passwords every 90 days. This might seem like a hassle at first, but hackers have a better chance at cracking your passwords if they never change. It’s also a good idea to avoid reusing passwords.
  2. Make your passwords at least eight characters long. Generally, the longer a password is, the harder it is to guess.
  3. Don’t use the same password for each account. Hackers target lower security websites and then test cracked passwords on higher security sites. Make sure each account has a different password.
  4. Include uppercase letters and special characters in your password. Special characters include symbols like “#,” “*,” “+” and “>.” These symbols can make your password more complex and harder to guess.
  5. Avoid using the names of spouses, kids or pets in your password. All it takes for a hacker to crack passwords that include these things is a little research on social media sites like Facebook and Twitter.

© Zywave, Inc. All rights reserved


Choosing the Right Type of Cyber Testing for Your Business

Taking the initiative to invest in cyber security and improve employee security awareness is vital for defending a business from cyber attacks. However, it may be necessary for businesses to re-evaluate their efforts on occasion to make sure their security measures are effective. Vulnerability scans, penetration testing and red team exercises are three types of tests that businesses can use to assess their cyber security.

Vulnerability Scans

Vulnerability scans and assessments use automated tools to identify cyber weaknesses. They’re typically used to find known or common vulnerabilities, such as those used in past breaches and those that provide paths of least resistance for attackers trying to enter the network. Vulnerability scans are most useful for small and mid-sized organizations with limited cyber security resources.

Penetration Tests

Penetration tests are simulated attacks that use information acquired from vulnerability scans in an effort to access or penetrate the enterprise network. When a penetration test occurs, enterprises and security professionals may or may not know of the test in advance. Penetration tests can be performed by internal staff or external vendors. They’re most beneficial for organizations of medium maturity looking to uncover gaps in security.

Red Team Exercises

When using a red team to assess security, employees assume the exercise is a real-life situation and do not know about it in advance. Red team exercises help organizations gauge realistic responses to attempted attacks by mimicking attackers and attempting to break into the organization in any way possible. Mature organizations with specialized cyber security skills would benefit most from red team exercises, which can uncover security gaps both inside and outside of the network. Red team exercises can be conducted by internal staff or by external vendors.

Once an organization identifies which type of testing is appropriate, it should also assess the frequency of the testing. Ultimately, every new or updated technology should be subjected to thorough testing to detect and address new vulnerabilities before outside attackers find them.

© Zywave, Inc. All rights reserved


Benefits of Cyber Liability Insurance

As technology becomes increasingly important for successful business operations, the value of a strong cyber liability insurance policy continues to grow. The continued rise in the amount of information stored and transferred electronically has resulted in a remarkable increase in the potential exposures facing businesses.

In an age where a stolen laptop or data breach can instantly compromise the personal data of thousands of customers, protecting your business from cyber liability is just as important as some of the more traditional exposures businesses account for in their commercial general liability policies.

Claims Scenario: Outsourcing Gone Wrong

The company: A national construction company that outsources some of its cyber security protections

The challenge: A construction firm partnered with a third-party cloud service provider in order to store customer information. While this service helped the company save on server costs, the third-party firm suffered a data breach.

As a result, the construction firm had to notify 10,000 of its customers and was forced to pay nearly $200,000 in incident investigation costs. The incident was made worse by the fact that the firm did not have a document retention procedure, which complicated the incident response process.

Cyber liability insurance in action: Following a data breach or other cyber event, the right policy can help organizations recoup a number of key costs. Specifically, cyber liability policies often cover investigation and forensics expenses—expenses that can easily bankrupt smaller firms who forgo coverage.

What’s more, when third parties are involved, managing litigation concerns can be a challenge. By using cyber liability insurance, organizations have access to legal professionals well-versed in cyber lawsuits and response.

Claims Scenario: Pardon the Interruption

The company: An online retail store that relies heavily on e-commerce

The challenge: A small-sized, online retailer partnered with a data centre to host its website and store its data. This is not uncommon, as many small businesses don’t have the IT infrastructure to host products, process payments and fulfil orders on-site.

Unfortunately, the data centre was targeted in a distributed denial-of-service (DDoS) attack. As a result of this attack, the retailer’s website went down for several days. While functionality was eventually restored, business interruption costs from lost sales and website downtime was over $165,000.

Cyber liability insurance in action: DDoS attacks are one of many weapons cyber criminals use to infiltrate and disrupt businesses. These attacks can impact any organization that owns a website, regardless of where it’s hosted.

Cyber liability insurance is one of the only protections organizations have against costly DDoS attacks and similar disruptions. This is because cyber policies offer business interruption loss reimbursement. Following a disruption caused by a cyber event, policies kick in and help organizations recover from any financial losses.

Benefits of Cyber Liability Insurance

  • Data breach coverage—In the event of a breach, organizations are required by law to notify affected parties. This can add to overall data breach costs, particularly as they relate to security fixes, identity theft protection for those impacted by the breach and protection from possible legal action. Cyber liability policies include coverage for these exposures, thus safeguarding your data from cyber criminals.
  • Business interruption loss reimbursement—A cyber attack can lead to an IT failure that disrupts business operations, costing your organization both time and money. Cyber liability policies may cover your loss of income during these interruptions. What’s more, increased costs to your business operations in the aftermath of a cyber attack may also be covered.
  • Cyber extortion defence—Ransomware and similar malicious software are designed to steal and withhold key data from organizations until a steep fee is paid. As these types of attacks increase in frequency and severity, it’s critical that organizations seek cyber liability insurance, which can help recoup losses related to cyber extortion.
  • Legal support—In the wake of a cyber incident, businesses often seek legal assistance. This assistance can be costly. Cyber liability insurance can help businesses afford proper legal work following a cyber attack.

Learn More About Cyber Liability Insurance

When cyber attacks like data breaches and hacks occur, they can result in devastating damage. Businesses have to deal with business disruptions, lost revenue and litigation. It is important to remember that no organization is immune to the impact of cyber crime. As a result, cyber liability insurance has become an essential component to any risk management program.

Cyber exposures aren’t going away and, in fact, continue to escalate. Businesses need to be prepared in the event that a cyber attack strikes. To learn more about cyber liability insurance, contact your insurance broker today.

© Zywave, Inc. All rights reserved


Federal Data Breach Regulations Take Effect Nov. 1, 2018

Overview

Starting Nov. 1, 2018, Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) will require organizations that suffer a data breach involving personal information to:

  1. Report the breach to the Privacy Commissioner of Canada (Commissioner).
  2. Give notice of the breach to affected individuals.
  3. Maintain records of data breaches that affect personal information.

In order to avoid fines and penalties, organizations will need to understand PIPEDA and its basic requirements.

Background

PIPEDA is Canada’s federal privacy law that governs the collection, use and disclosure of personal information in the course of commercial activities by private sector organizations and federally regulated businesses. In 2015, PIPEDA was amended by the Digital Privacy Act (DPA), an act that made a number of important changes to PIPEDA.

While most of the amendments contained in the DPA came into force in 2015, the mandatory data breach notification, reporting and record-keeping provisions weren’t initially enforced. Instead, the law indicated that they would be brought into force only after corresponding regulations were finalized.

On Sept. 1, 2017, the Canadian government published draft regulations relating to these requirements. The government accepted public comments on the draft regulations until Oct. 2, 2017, after which time the government completed its consultation process. The government recently published and announced that mandatory breach notifications under the PIPEDA will be enforced beginning Nov. 1, 2018.

The amended PIPEDA applies to organizations’ commercial activities across all provinces, except in provinces where equivalent privacy laws exist. To date, Alberta, British Columbia and Quebec have implemented laws deemed to be substantially similar to PIPEDA. Moreover, New Brunswick, Newfoundland and Labrador, Nova Scotia and Ontario are partially exempt from PIPEDA, as these provinces have adopted similar legislation with respect to personal health information.

Overview of the Regulations

There are effectively three major sections of PIPEDA to be aware of—reports to the Commissioner, notifications to affected individuals and record-keeping. The following is an overview of the requirements that employers need to consider:

Reports to the Commissioner

If an organization suffers a breach of security safeguards involving personal information under its control and it is reasonable to believe that the breach creates a real risk of significant harm to an individual, then the organization must report the breach to the Commissioner after the organization determines that the breach has occurred. According to the regulation, a report to the Commissioner must be made in writing and contain the following information:

  • A description of the circumstances of the breach and, if known, the cause.
  • The day on which, or the period during which, the breach occurred.
  • A description of the personal information that is the subject of the breach.
  • An estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm.
  • A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm.
  • A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach.
  • The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Under the regulations, data breach reports can be submitted with the best information available to the organization at the time. This allows organizations to report breaches quickly and take the appropriate actions, even when key information regarding the incident is not yet available.

Communications to the Commissioner should be made via a secure means. Companies are encouraged to refer to the key steps in responding to a privacy breach released by the Commissioner. These steps, as well as supplementary information on responding to breaches, can be found here.

Requirements for Notifying Affected Individuals of a Data Breach

If an organization suffers a breach of security safeguards involving an individual’s personal information under the organization’s control and it is reasonable to believe that the breach creates a real risk of significant harm to the individual, then the organization must notify the individual of the breach. Notifications must be given as soon as possible after the organization determines a breach has occurred.

Notification to an affected individual must contain sufficient information to allow the individual to:

  1. Understand the significance of the breach.
  2. Take any available steps to reduce the impact of the breach.

Per the regulations, a notification to an affected individual must contain the following:

  • A description of the circumstances of the breach.
  • The day or time frame the breach occurred.
  • Descriptions of the type of personal information that was compromised during the breach.
  • A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm.
  • A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm.
  • A toll-free number or email address impacted individuals can use to obtain further information regarding the breach.

Notifications must be given directly to impacted individuals through an email, letter (delivered to the last known home address of the affected individual), telephone call, in-person conversation or other secure form of communication if the affected individual consented to receiving information from the organization in that manner. Under limited circumstances, organizations will be allowed to provide affected individuals with indirect notification of a data breach. According to the regulations, organizations will be able to provide indirect notification only if:

  • A direct notification would cause further harm to the affected individual.
  • The cost of giving a direct notification is prohibitive for the organization.
  • The organization does not have contact information for the affected individual or the information that it has is out of date.

The regulations indicate that indirect notification may be given only by either a conspicuous message, posted on the organization’s website for at least 90 days, or by means of an advertisement that is likely to reach the affected individuals.

Record-keeping Requirements

PIPEDA requires organizations to maintain a record of every breach of security safeguards. The regulations state that organizations must maintain these records for a minimum of 24 months after the day on which the organization determines that the breach has occurred, and provide them to the Commissioner upon request. The record must contain sufficient information to enable the Commissioner to verify compliance with the data breach reporting and notification requirements above.

An important distinction here is that records must be maintained for every data breach, and not just those that create a real risk of significant harm. This means that organizations will be required to keep records of data breaches even if they don’t have to report the breach to the Commissioner or notify affected individuals.

Next Steps

Organizations should take the proper steps to ensure they are PIPEDA compliant. While the new reporting and record-keeping requirements appear to place an administrative burden on organizations, companies that already have cyber security protocols in place will likely experience minimal impact. Some general preparations to consider include the following:

  1. Ensure you are informed on all the new requirements.
  2. Prepare for data breach scenarios.
  3. Train your employees.
  4. Update your internal processes.
  5. Assess your data storage and response strategies.
  6. Obtain the proper insurance coverage.

To learn more about the regulations, you can read a detailed impact analysis statement and the regulation’s text through the Canada Gazette.

© Zywave, Inc. All rights reserved


Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.



ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook

Connect with us on LinkedIn