In a previous article, we discussed what consumers should do in the wake of the breach of data at Equifax. But what about its effects on businesses? The Equifax breach is a lesson for both consumers and business owners when it comes to the importance of data security. Businesses have a significant responsibility to protect their customers’ personally identifiable information (PII). Failure to do so could lead to lawsuits, loss of trust, loss of revenue, and even loss of the business.
This issue addresses the top trends in cyber risk that businesses are facing today.
The headlines are replete with examples of third-party data breaches, including vendors mishandling data, compromised credit card payment processors and multiple other vulnerable access points. Listing the “Top Financial Services Cyber Security Trends for 2017,” the firm Booz Allen Hamilton put third-party risk at the top of the list of concerns, recognizing that in financial services, as in many sectors, there is a “huge mesh of intertwined capabilities.” Vast capabilities and connections create additional portals of vulnerability that must be managed. Fortunately, companies can take certain steps to reduce the likelihood that vendors will fail to adequately safeguard their data, and to minimize their exposure in the event of a breach.
Contractual provisions. Contract clauses addressing data privacy and security can be the subject of intense negotiation, with each party seeking to minimize its risk of exposure. Service agreements should be customized to reflect the sensitivity of the PII involved and the employer’s need for security, as well as the size, nature and resources of each party. It is critical to consider the following:
Safeguards. The service contract should require the vendor to implement specific, reasonable administrative, technical and physical safeguards and regularly test and monitor their effectiveness. What constitutes “reasonable” will vary, depending on the size of the business and the nature of the PII. Massachusetts and California, for example, require vendors to agree to implement security safeguards when entering into service provider agreements. Such contractual provisions may also reduce the risk of exposure to an enforcement action under Section 5 of the Federal Trade Commission (FTC) Act or similar state laws.
Breach notification. Ideally, the vendor should notify its clients of any potential or suspected breach, not just after it is certain that PII has been compromised. A company will also want to retain control over how employees are informed. If the vendor simultaneously notifies employees and management of a possible breach, the organization will miss out on crucial opportunities to prepare employee communications and ascertain the company’s own responsibilities under applicable laws.
Remediation. It is also important to expressly provide that the vendor will reimburse the business for costs incurred in notifying affected individuals and mitigating damages, particularly when highly sensitive PII is involved. These costs may not be covered under standard indemnification provisions.
Insurance. More and more commercial general liability policies now exclude coverage for electronic data. Consider whether it is appropriate to contractually require vendors to maintain technology errors and omissions insurance and coverage for cyber risks, including data security breaches.
Oversight. Push for the right to conduct or oversee an audit of the provider’s facilities and practices, particularly if highly sensitive PII is involved. At a minimum, reserve the right to require the vendor to provide information addressing its security practices at specified intervals throughout the term of the agreement. High-risk vendors should be evaluated more frequently.
For most organizations, a threat to their electronic data is also a threat to their business income. Therefore, a growing need exists in business income coverage when an organization suffers a data breach or a network corruption that shuts down automated systems.
A study by the Chartered Institute of Loss Adjusters concluded that 40% of policy holders with business income insurance had a limit of insurance that was deemed to be 45% lower than needed. This statistic is alarming because business income insurance will provide the income flow for a business at the time of a disaster to allow it to get back in business and meet its financial obligations while trying to rebuild its business. Any business owner or risk manager responsible for structuring an insurance program should spend time learning about and understanding business income coverage so the program is structured properly from both a breadth of coverage and limit standpoint.
Studies show that organizations have inadequate cyber insurance as well. A report by the Insurance Information Institute shows that less than half of all business owners carry cyber insurance, with small and mid-sized businesses lagging behind, largely because they don't see themselves as vulnerable to attacks. However, breaches aren't always the result of a cyber attack — many data breaches stem from something as simple as the loss or theft of an unencrypted laptop or USB stick.
There is an array of concerning statistics when it comes to cyber breaches, including the following: the average cost of recovery from a small business data breach ranges from $36,000 to $50,000, yet only 31% of small businesses take active steps to guard against cyberattacks and data loss. Even fewer — just 21% — are committed to reviewing and improving their data security strategies on an annual basis.
Don’t let your business become one of these sad statistics. The time is now to review your current practices and commit to protecting your business from a malicious data breach. For more information about cyber liability and other risk management issues, please contact us.
Jake Omann specializes in providing clients with risk management and executive risk services that cover their liabilities as a corporation, as well as the personal liabilities of their directors and officers. He started his career over 10 years ago in sales at a multinational financial services corporation before beginning his broker career in managing executive risk programs for Fortune 500 companies. Jake currently sits on the board for ACES for Kids.
The world is different than it once was. It used to be that you needed a 30-foot phone cord to take the phone into another room just so you could have a little privacy, and that when you left work, you really left work, since there wasn’t any way to log in remotely.
Nowadays, technological advances have made us truly mobile by enabling us to stay connected 24/7/365. While the workplace impact of 24/7 connectivity has meant that employee productivity has been on the rise, along with it come challenges that couldn’t have been imagined even 15 years ago.
With massive data breaches at organizations such as Target, Dairy Queen, and JPMorgan, businesses are becoming more aware of the threat of hackers and external threats to their data. And while it’s important to protect yourself from such exposures, history has shown that the real enemy lies within our own companies. Don’t believe it?