Cyber Risk Hits Home: 4 (true) Stories

by P. Andersen

I want to share four cyber stories. They are actual incidents from the past year or so, most of them caught before the problem escalated. Each one represents a core problem that businesses and individuals face every day, and no company is immune. What do we recommend for our business clients?


Education: Educate your staff, and have policies and procedures that stop employees from opening, sending or forwarding potentially malicious emails, attachments and web links. There are now services that send your employees simulated phishing emails to measure how many of them click, so you know where the training is needed.

Invest: Invest in technology and expert staff or consultants, to ensure you have effective and up-to-date protection (firewalls, email scanning software, etc.)

Insure: Purchase a cyber-liability and data-breach insurance policy, which can help pay the expenses your company incurs as a result of a cyber or data-breach event, and/or the expenses for which your company is liable if it accidentally causes such an event affecting others. Annual premiums range from around $1,000 to $10,000 or more, depending on your company's size, operations, number of personnel and client files, and the amount and type of coverage. Given the increasing threat of cyber and data-breach events for companies of all sizes, it may well be worth it.


Story 1: Small Business Beware

First, a firm that was nearly tricked into a substantial wire transfer: why they didn't fall for the scam, and what coverage would have responded had they sent the money. A small business client of ours nearly fell victim to a "spear phishing" campaign, a targeted email request built on detailed knowledge of the key players in the business. The owner's wife, who is also the bookkeeper, received an email that appeared to come from her husband, asking her to wire money to a recipient she recognized. Nothing about the request looked unusual: wiring funds was routine, the email arrived the way his emails normally did, and the recipient was familiar. She took the extra step of calling her husband to verify the request, and was grateful she did. He had made no such request.

As in this case, your firm should ALWAYS verify any email request to move money BY PHONE before acting, using a number you already have on file rather than one printed in the email. Do not rely on a reply: if the sender's mailbox has been compromised, or the Reply-To header has been pointed at the attacker, your reply goes to the criminal, who will happily confirm that the bogus payment is fine. Always get a verbal confirmation before proceeding. This "spear phishing" scam (the FBI calls it business email compromise) has sent countless millions of dollars to cyber criminals. In the heat of the moment, when time is short, a convincing email gets acted on without verification and the money goes to an account that is emptied within hours. Banks can occasionally recall a wire if alerted immediately, but once the funds have moved on, and you have no cyber coverage, the money is simply lost and there is no recourse.

What Cyber Coverage Applies?  Social Engineering

“Spear Phishing” is considered “Social Engineering”, because cyber criminals invest time to learn about an individual before approaching them.  “Social Engineering” coverage is an available option on certain cyber liability policies – see your Cyber Liability quotation or policy for details.


Story 2: The Inadvertent Infection

It is often said that the greatest cyber risk to a company is not a hole in a firewall, server or anti-virus program, but the employees sitting at their computers. Mix technical holes with human error and the risk rises considerably.

A Levitt-Fuirst client, through an unknown series of events, ended up with a virus on an employee's workstation. The employee unknowingly emailed an infected file to another company, the virus spread into that business partner's network, and a potential liability was created. At the very least, a company whose employee sends a virus to another company can expect to be asked to pay for the resulting cleanup. Experts agree: if you send a virus to another individual or firm, even without knowing it, you can be held liable for the damages caused by your mistake.

What Cyber Coverage Applies?  Security & Privacy Liability

Security & Privacy Liability protects your company from liability resulting from a security and privacy wrongful act, including failure to safeguard electronic or non-electronic confidential information, failure to prevent virus attacks or denial-of-service attacks, and the transmission of malicious code from your computer system to another party's computer system.


Story 3: Sharing Private Information

In today's fast-paced world of deadlines, we sometimes do things too fast, without double-checking the details. A financial services client, under deadline, emailed payroll reports to the wrong client. Those reports contained extensive "Personally Identifiable Information" (PII), including names and Social Security numbers. Breach-notification laws (in the U.S., primarily state statutes, plus sector-specific federal rules such as HIPAA and GLBA) require an entity that discloses PII, or whose files containing PII are stolen, to identify the individuals affected, notify them and any other affected parties, and in many jurisdictions offer them credit monitoring.

In this case the list of affected individuals was clear. In a breach where it is not, the forensic work to determine whether data was actually taken and whose it was can run into the hundreds of thousands of dollars, simply to work out who has to be notified.

What Cyber Coverage Applies?  Breach Event Costs

Breach Event Costs is coverage for reasonable mitigation costs and expenses incurred as a result of a privacy breach, security breach or adverse media report, including legal expenses, public relations expenses, advertising and IT forensic expenses, postage, and the cost to provide call centers, credit monitoring and identity theft assistance. The coverage also includes Proactive Privacy Breach Response Costs: public relations expenses incurred in response to a privacy breach, but prior to the publication of an adverse media report, in an effort to avert or mitigate the potential impact of such a report on the insured's reputation. Coverage also includes Voluntary Notification Expenses: expenses incurred in notifying affected parties of a privacy breach where there is no legal requirement to do so.


Story 4: The Non-Profit and The Board

Recently, a non-profit client of Levitt-Fuirst suffered a spear phishing, or social engineering, attack that almost bore fruit. We have all seen emails that appear to be from someone we know, but realize (by good sense or a note of warning) that they are a scam. Most often these are "spoofed" email addresses: the sender's mailbox wasn't hacked, but the From address or display name was forged, often with a lookalike domain or a Reply-To header that steers replies to the attacker, so that the message looks like it came from someone you trust.

The board president of our non-profit client had his email address spoofed, and an email was sent to the other board members "from" him. The note asked each board member to pay some vendors this month because the non-profit didn't have the cash available, and promised that they would be reimbursed once dues were collected. One board member, knowing the financial challenges the non-profit sometimes faced, concluded that the request was plausible and sent a check via overnight delivery. Luckily, she realized her mistake, quickly put a stop payment on the check and called the overnight company to halt delivery. Crisis (barely) averted. A request to pay an organization's bills out of your own pocket and be reimbursed later is itself a warning sign, however plausible the explanation.
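As an added example (not code from the article or from Levitt-Fuirst), the following Python script checks a raw email for the tell-tale signs of the messages in Story 1 and Story 4: a display name that belongs to a known executive but an address that is not theirs, a sender domain that imitates the organization's own, a Reply-To header that steers replies to the attacker, and payment or urgency language. The organization domain example.org, the executive "Jordan Lee", the similarity threshold and both sample messages are constructed for illustration. It does not replace the phone call; it tells you when to make it.

```python
"""Flag business-email-compromise (BEC) indicators in a raw email.

Added example, not from the original article. The organization domain,
the executive list and the two sample messages are constructed.
"""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                          # assumed organization domain
EXECUTIVES = {"jordan lee": "jordan.lee@example.org"}  # assumed name -> real address

# Words that typically appear in a payment-diversion request.
PAYMENT_WORDS = re.compile(
    r"\b(wire|pay|payment|invoice|reimburse\w*|urgent|confidential|gift card)\b",
    re.IGNORECASE,
)


def _domain(addr: str) -> str:
    """Return the part after '@', lower-cased ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def _lookalike(domain: str, reference: str, threshold: float = 0.8) -> bool:
    """True when domain differs from reference but is suspiciously similar.

    difflib's ratio is a cheap stand-in for an edit-distance check; the
    threshold is an assumption and should be tuned against real mail.
    """
    if not domain or domain == reference:
        return False
    return difflib.SequenceMatcher(None, domain, reference).ratio() >= threshold


def bec_indicators(raw: bytes) -> list[str]:
    """Parse one RFC 5322 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. A known executive's display name on an address that is not theirs.
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append(
            f"display name '{from_name}' but address {from_addr} is not {real_addr}")

    # 2. A sender domain that imitates the organization's own domain.
    if _lookalike(from_dom, ORG_DOMAIN):
        findings.append(f"sender domain {from_dom} looks like {ORG_DOMAIN}")

    # 3. Reply-To sends the conversation somewhere other than the From domain,
    #    so that "just replying to confirm" reaches the attacker.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    # 4. Payment or urgency language in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    words = sorted({w.lower() for w in PAYMENT_WORDS.findall(text)})
    if words:
        findings.append("payment/urgency language: " + ", ".join(words))

    return findings


# Constructed sample messages (not real mail).
SPOOFED = b"""From: Jordan Lee <jordan.lee@examp1e.org>
Reply-To: j.lee.personal@mail.test
To: board@example.org
Subject: Urgent vendor payment

Hi, can you each pay the two vendors below today? We are short on cash
and you will be reimbursed once dues come in.
"""

LEGITIMATE = b"""From: Jordan Lee <jordan.lee@example.org>
To: board@example.org
Subject: Board agenda

Agenda for Thursday attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(raw) or ["no indicators"])
```

Any finding means the request gets the phone-call treatment described in Story 1, using a number already on file. The domain-similarity threshold and the keyword list are starting points, not a finished filter; a real deployment would also check the message's SPF and DKIM results, which this example leaves out.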

What Cyber Coverage Applies?  Social Engineering

As in Story 1, spear phishing is considered social engineering because the criminals invest time learning about their target before approaching them, and "Social Engineering" coverage is an available option on certain cyber liability policies. See your Cyber Liability quotation or policy for details.