1-888-643-2217 Email ABEX
Keeping you updated

Tag Archives: cyber

Third-party Downtime Leads to First-party Business Interruption Loss

An HR service provider lost contracts due to a cyber attack suffered by one of its supply chain partners.

Over the past two decades, technology has transformed the way businesses operate, and most now depend on their computer systems in one way or another. Rather than having to deal with everything in-house, many businesses choose to outsource elements of their IT infrastructure to third party providers, whether that be in the form of website hosting, data storage or application level services.

In many cases, outsourcing IT can prove to be a more efficient and cost-effective way of doing things, with businesses benefiting from the expertise of their third-party providers. However, outsourcing is not without risks. In a cyber insurance context, dependent business interruption describes a situation in which a third-party organization that supplies a policyholder with goods or services is affected by unexpected downtime as a result of a cyber event or system failure. Even though the policyholder’s computer systems may not be directly affected by the incident, the loss of the goods or services provided by the third-party can still have a major impact on the insured business’s ability to operate effectively. This means that a business can still suffer a business interruption loss even when its computer systems are unaffected.

One of our policyholders affected by this type of loss was a small company providing outsourced human resources services to a variety of different businesses. The organization provides a range of services to its customers, including payroll processing, employee benefits and health insurance and assistance with compliance and regulatory issues.

Third-party downtime, first-party problems

The business provides its payroll processing services through an online application, which in turn is owned and hosted by a third-party provider. Their customers gain access to the payroll application through a link on their website, which then takes them through to a landing page hosted by the third-party where they can then log in to the application. Once these customers log in to the application, they are effectively operating on the third party’s computer systems, even though their contracts are with our policyholder.

The issue began when the third party responsible for providing the payroll processing application was hit by a ransomware attack. This ransomware attack managed to encrypt the servers hosting the application, which meant that neither our policyholder nor its customers could gain access to the application. As the application was hosted by this third-party, however, our policyholder was powerless to control the situation and had to rely on the application provider to respond to the incident. The only thing they could do was to explain to its customers that the application was unavailable due to a cyber attack affecting the application provider and that regular status updates would be provided.

In the meantime, the third-party provider went about trying to deal with the issue by decrypting the affected servers, removing the ransomware and returning the application to its normal functionality. After three days of downtime, it looked as though the issue had been resolved and the insured and its customers were able to login to the application once again. However, this breakthrough proved to be short-lived. During the encryption process, the ransomware had damaged the application and impaired its underlying functionality. This meant that while customers were able to log into the application and view employee data, they were unable to update the data or process any payments.

To remedy the problems caused by the ransomware, the application was taken down once more and it was only after a further five days of downtime that the application was fully restored. To make matters worse, the downtime occurred at the end of the calendar month, a time during which most of our policyholder’s customers would ordinarily pay their employees.

Frustrated customers lead to lost contracts

With the payroll processing application rendered inaccessible as a result of the ransomware attack, some of their customers were unable to pay their employees on time. Although they were able to pay their employees once the application was up and running again, the delay in payment was a source of great frustration for both the businesses and employees affected. As the customers that were impacted only had contracts with the insured rather than the application provider, it was the insured that bore the brunt of this anger.

Indeed, eight customers chose to cancel their contracts and take their business elsewhere. All of these customers sent individual letters or emails to our policyholder, explaining their reasons for cancelling. In each case, these cancellations came down to a combination of two factors: firstly, the delay in paying employees as a result of the ransomware attack and, secondly, a concern that the ransomware attack meant that sensitive data stored on the payroll application might not be secure. This served as confirmation that these customers were lost as a result of the cyber attack as opposed to regular customer churn.

The total value of these annual contracts came to $72,554 and despite the insured’s attempts to placate these clients and win them back, unfortunately none of these customers decided to reinstate their contracts, meaning that over the course of the 12-month indemnity period, the insured suffered a business interruption loss of $72,554.

While these losses are potentially recoverable from the application provider, this can be a costly and lengthy process and in the meantime the insured would suffer from cashflow issues due to the drop-off in income. Fortunately, however, the income loss from these cancelled contracts was covered under the dependent business interruption section of the company’s cyber policy with CFC, which covers business interruption losses arising as a result of a cyber event or system failure at a policyholder’s supply chain partner.

Dependent BI and other takeaways

This claim highlights a few key points. Firstly, it underscores the importance of having dependent business interruption cover in a cyber insurance policy. Some cyber insurers will only provide cover for business interruption losses as a result of cyber events that directly affect an insured’s computer systems. However, in this instance, at no point was the insured’s computer systems directly impacted by the ransomware – it was the application provider’s computer systems that were affected – and yet it still resulted in a sizable business interruption loss. By having dependent business interruption cover in place, the business was able to fully recover its financial loss.

Secondly, it illustrates the value of longer indemnity periods. Many cyber insurers only offer 3-6-month indemnity periods as standard. However, this ignores the fact that the financial impact of a cyber event can be felt for much longer than a 3-6-month indemnity period would allow for. In this case, the cancellation of annual contracts meant that for each cancelled contract, the insured lost 12 months’ worth of income. By having a 12-month indemnity period in place, they were able to reclaim quadruple the amount that they would have been able to claim on a policy with a 3-month indemnity period and double the amount they would have been able to claim under a policy with a 6- month indemnity period.

Finally, it highlights that businesses that receive their income on a contractual basis could be more exposed to business interruption losses, as the cancellation of monthly or annual contracts could very quickly result in sizable financial losses being incurred. Accordingly, businesses that receive their revenue in this way should consider factoring this in when selecting an appropriate limit for their cyber policy.

Source: www.cfcunderwriting.com

 


It’s Not Too Late, Start Your Cyber Resolution Today

CFC has put together a few top cyber-related resolutions for this year.  Check them out and have a secure 2019!

  1. I will change all default passwords on my personal and work devices.
  2. I will regularly check for updates to the operating systems of my laptop, computer and mobile phone.
  3. I will install strong anti-virus software and keep it updated.
  4. I will think twice before clicking on unknown links or attachments in emails.
  5. I will authorize payments to new transfer partners via telephone to minimize risk of fraud.
  6. I will not share sensitive information on social media that could be used against me in phishing attacks.
  7. I will back up my entire system at least once a week on an external hard drive.
  8. I will encrypt my mobile phone and all of my other devices.
  9. I will talk to my kids (or parents) about how to stay safe online.
  10. In the event that resolutions 1-9 fail, I’ll have a cyber insurance policy in place to save the day!

Source: www.cfcunderwriting.com


Critical Cyber Exploits Affect Nearly All Computers

Cyber security researchers recently announced the discovery of two major security flaws that could allow hackers to bypass regular security measures and obtain normally inaccessible data. The flaws, referred to as Meltdown and Spectre, are both caused by design flaws found in nearly all modern processors. These vulnerabilities can be exploited to access all of the data found in personal computers, servers, cloud computing services and mobile devices.

Because Meltdown and Spectre are both caused by design flaws, experts believe that they will be harder to fix than traditional security exploits. Additionally, software patches that have already been released to help address the vulnerabilities can cause computer systems to slow down significantly, which may impact their ability to perform regular tasks.

Researchers believe that Meltdown and Spectre may be limited to processors manufactured by different companies, but also warn that the design flaws that contribute to Meltdown and Spectre have been present for years. Here are some key details about each flaw:

  • Meltdown: This flaw can be used to break down the security barriers between a device’s applications and operating system in order to access all of the device’s data. Meltdown can be used to access desktop, laptop, server and cloud computer systems, and can even be used to steal data from multiple users who share one device. Although researchers have only been able to verify that Meltdown affects processors made by Intel, other processors may also be affected. Many software developers have already released updates that prevent hackers from exploiting Meltdown.
  • Spectre: This flaw can be used to break down the security barriers between a device’s different applications and access sensitive data like passwords, photos and documents, even if those applications adhere to regular security checks. Spectre affects almost every type of computer system, including computers, servers and smartphones. Additionally, researchers have confirmed that the design flaw that enables Spectre is present in Intel, AMD and ARM processors that are used by nearly every computer and mobile device. Software developers are currently working on a patch to prevent the exploitation of Spectre, but some experts believe that future processors may have to be redesigned in order to fix the vulnerability.

When Meltdown and Spectre were originally discovered in 2017, researchers immediately reported them to major hardware and software companies so work on security fixes could begin without alerting hackers. As a result, services and applications offered by companies like Microsoft, Google, Apple and Amazon have already been updated to help defend against the flaws. However, you shouldn’t rely solely on a software patch to protect against these vulnerabilities. Here are some steps you can take to protect your computer systems and devices from Meltdown and Spectre:

  • Update all of your devices immediately, and check for new updates regularly. You should also encourage your friends, family members and co-workers to do the same.
  • Contact any cloud service providers and third-party vendors you use to ensure that they are protected against Meltdown and Spectre. Cloud services and computer servers are especially vulnerable to the exploits, as they often host multiple customers on a single device.
  • Install anti-virus and firewall systems to protect against regular malware. Researchers believe that hackers need to gain access to a device in order to exploit Meltdown or Spectre, so keeping your devices free of malware can help prevent data theft.

© Zywave, Inc. All rights reserved


5 Cyber Risk Questions Every Board Should Ask

When a data breach or other cyber event occurs, the damages can be significant, often resulting in lawsuits, fines and serious financial losses. In order for organizations to truly protect themselves from cyber risks, corporate boards must play an active role. Not only does involvement from leadership improve cyber security, it can also reduce liability for board members.

To help oversee their organization’s cyber risk management, boards should ask the following questions:

  1. Does the organization utilize technology to prevent data breaches? Boards should ensure that the management team reviews company technology at least annually, ensuring that cyber security tools are current and effective.
  2. Does the organization have a comprehensive cyber security program that includes specific policies and procedures? Boards should ensure that cyber security programs align with industry standards and are audited on a regular basis to ensure effectiveness and internal compliance.
  3. Has the management team provided adequate employee training to ensure sensitive data is handled correctly? Boards can help oversee the process of making training programs that foster cyber awareness.
  4. Has management taken appropriate steps to reduce cyber risks when working with third parties? Boards should work with the company’s management team to create a third-party agreement that identifies how the vendor will protect sensitive data, whether the vendor will subcontract services and how it will inform the organization of compromised data.
  5. Has the organization conducted a thorough risk assessment and considered purchasing cyber liability insurance? Boards, alongside the company’s management team, should conduct a cyber risk assessment and identify potential gaps. From there, organizations can work with their insurance broker to customize a policy that meets their specific needs.

Contact your insurance broker to learn more about cyber risk mitigation strategies that you can start using today to keep your business secure.

© Zywave, Inc. All rights reserved


3 Business Lessons from the HBO Hack

HBO, an American premium cable and satellite television network, was the victim of a data breach. On July 31, 2017, HBO revealed that a group of hackers had stolen 1.5 terabytes of data from the network. Following the breach, the cyber criminals were systematically leaking spoilers and unaired episodes of “Game of Thrones,” one of HBO’s flagship shows.

This hack demonstrates that intellectual property can be just as valuable to cyber criminals as personal identifiable information. To avoid falling victim to a similar cyber attack, organizations should keep in mind the following business lessons learned from the HBO hack:

  1. Having a communications plan in place is critical. Following the breach, HBO was quick to ease the concerns of stakeholders, assuring the public that no internal emails had been stolen. However, this turned out not to be the case, and HBO publicized misinformation. This can be damaging to a brand, as balancing transparency and authenticity following a cyber event is crucial. Having a formal communications strategy can help organizations map out what information is shared to the public and at what time.
  2. Cyber attacks can be damaging to an organization’s reputation. Even if the financial impact of the HBO breach ends up being minimal, the reputational damage has been done. The breach jeopardizes HBO’s image and undermines customer loyalty and trust that took years to build up.
  3. To protect your business from a cyber attack, you need to understand your vulnerabilities. It’s been reported that the HBO hackers used multiple points of entry to get into the company’s system and steal data. Organizations should understand their vulnerabilities to protect against attacks. Entry points can differ depending on the business, but often include employees connecting to networks, online printers and employees using a virtual private network while working remotely.

While you can never predict when a data breach will occur, keeping in mind the lessons above will ensure that your organization is adequately prepared.

© Zywave, Inc. All rights reserved


Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.



ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook

Connect with us on LinkedIn