A data breach creates all sorts of havoc, including significant financial costs.  That’s hardly new information.  But what those costs actually total does make news, as captured in the 2020 “Cost of a Data Breach” report, compiled by the Ponemon Institute and IBM Security.

The information from 2020 (the most current results available) provides a detailed glimpse the financial impacts security incidents can have on organizations, with historical data revealing trends in data breach causes and consequences.  The report shows some consistencies with past research.Here are the major highlights:

• The average cost of a breach in 2020 was $3.86 million per breach. This is actually good news, in a way, representing a 1.5 percent reduction from the 2019 cost per breach of $3.92 million.
• The average time to identify and contain a breach in 2020 was 280 days, virtually identical with the 279 days it took on average in 2019.
• Regarding prevention against breaches, 59 percent of organizations now have security automation deployed, up from 52 percent in 2019.

If one takeaway leaps out from these high-level results, it is that time is money.  While a higher percentage of businesses have security automation in place, it still takes nearly 10 months to discover and contain a major breach.  And the financial ramifications, even if slightly lower, remain substantial at nearly $4 million per breach.The need for robust cybersecurity practices and protections continue to grow in importance and relevance.  For more information, contact the professionals at The Reschini Group today.

When a skilled hacker has the means, the motive, and the opportunity to break into your cyber system and wreak havoc, not much can stop or slow that person down.  With one exception – multi-factor authentication, or MFA.

The only drawback of using this advanced tool, however, comes in the fact that the MFA – because of its comprehensive and in-depth safeguards – can also slow down legitimate users.  But industry experts agree that the benefits in safety and security far outweigh this one minor negative.

The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, defines MFA as “a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.”NIST adds, “MFA is quite simple, and organizations are focusing more than ever on creating a smooth user experience. In fact, you probably already use it in some form. For example, you’ve used MFA if you’ve:

• swiped your bank card at the ATM and then entered your PIN (personal ID number)
• logged into a website that sent a numeric code to your phone, which you then entered to gain access to your account.”

The Pittsburgh Technology Council cites a professional cybersecurity expert (and former hacker), who said, “It is of the utmost importance to push through any obstacles and enable MFA on your environment.  In addition to the monumental importance of having MFA, it is critical that you review your third-party systems that you do not control, especially those which contain sensitive company data, and find out whether MFA is available.”The added seconds it may require for users to register through two separate channels to access data amounts to virtually nothing in the long-term, when compared with the time, trauma, and treasure it would take to recover from a severe cybersecurity breach.For more insurance-related information on this and other topics, contact the professionals at The Reschini Group.Download these resources about Cyber Liability:• 10 Cyber Security Resolutions to Reduce Your Data Exposures• CI - Cyber Liability InsuranceContact The Reschini Group with your questions or concerns regarding cybersecurity.

Cybercrime is set to cost companies more than $6 trillion per year by 2021.  That’s trillion, with a T.  Nobody wants to be in that pile.  That’s why testing your systems for cyber security makes a lot of sense.

Three main tests are used to safeguard businesses against cyber attacks:Vulnerability scanners – This approach assesses the computers in your business network for weaknesses: entry points that can be exploited by cybercriminals hoping to gain access to your data.  Vulnerability scanners act like hackers to investigate these potential vulnerabilities. The aim of a vulnerability scan is to build a strong sense of the state of your cybersecurity setup from an internal and external perspective, identify weaknesses, and improve your security to better protect against these risks.Penetration testing – Here, cybersecurity experts purposefully ‘attack’ a network to review how secure it is. It simulates a real attack, but in a controlled way. As such, the term ‘ethical hacking’ is sometimes applied to penetration testing. While vulnerability scans highlight any weaknesses in your business network, penetration tests take this a step further by determining what kind of malicious activity is possible if those weaknesses are exploited.Program update checks – These are important because software that is not regularly updated gives attackers more chances of infiltrating your system and your business.  Some program settings may allow automatic software updates, and others will ask your permission. All users should regularly check to ensure that all available updates are accepted (or scheduled for a convenient time) on every device they are responsible for.The continuously and rapidly evolving cyber world offers tremendous competitive advantages and cost efficiencies.  The dark side of cyber operations moves just as swiftly, though.  Check the status of your cybersecurity insurance by contacting the professionals at The Reschini Group.

Hackers and digital saboteurs are here to stay.  But that doesn’t mean surrendering to their threats and actions.  Sometimes the best ways are the tried and true ones, and that is generally true when it comes to cybersecurity, as well.

According to Cybersecurity Insiders*, here are the top five ways to protect your company from a cyber attack:Hardware: Have secure and sophisticated hardware, which is password protected and backed up by two-way authentication. Also, it is better if you don’t overlook the effectiveness of protecting your data storage drivers. Because if neglected, then it gives an opportunity to anyone and everyone to walk away with your firm’s sensitive data.Physical Security: Most data breaches occur when stolen equipment reaches the hands of hackers. For instance, if an employee loses his/her laptop, then sensitive data can easily reach the bad guys.  So, outline physical security strategies storing the data on the cloud, which is protected by multiple security layers, and imposing responsible security policies among all employees.Encrypting Data:  Encrypted data becomes useless to a hacker, most of whom could not break into the encryption in the first place.Backing Up Data: Having a backup copy of the latest data protects you even if a hacker accesses your system.  The backup needs to be done in an effective manner and must be in an immediately retrievable form.Cybersecurity Insurance: Should an attack occur, most cybersecurity policies today not only cover the financial loss caused from data theft but also help in co-paying the costs involved in recovering data, including paying data recovery experts and buying new hardware and software.Don’t let your guard down.  Protect what’s yours.  The professionals at The Reschini Group are available to help determine some appropriate options for your specific circumstances.* https://www.cybersecurity-insiders.com/ways-to-prevent-cyber-attacks-on-your-company/

It’s a natural impulse, especially perhaps when it comes to purchasing insurance coverage.

And even more especially when the insurance coverage is for something as intimidating as cyber security – a vague, nondescript, fuzzy and murky world that many people don’t truly understand, whether they would admit it or not.

The natural impulse in question comes in the form of “making sure.”  Is my policy loaded up sufficiently to safeguard my organization?  Hmm, I can’t be certain.  Let’s load it up, just to “make sure.”  That is not necessarily a bad thing or a wrong decision.  Getting all the facts, of course, can provide greater clarity.One area of cyber security insurance presents an option between first-party and third-party coverage, and the choice in this segment, at least, can be pretty easily understood and acted upon appropriately.First-party cyber insurance covers the costs associated with being the victim of a hack.  That includes everything from notifying clients of the breach, to weathering the storm of lost revenue that typically follows.  Third-party cyber insurance helps cover the risks of being blamed for a breach, particularly if the company in question does assessments of digital security – a fairly narrow area of specialty – or when a gap in one’s own security is responsible for passing on a virus to another organization.Policies have evolved to cover first-party exposures more extensively, but third-party exposures and coverage grants are still present and quite possibly required to be purchased.But think of “third-party” as being the same as a lawsuit.  In that case, if a business is not providing media services for a fee or IT services, its third-party exposures probably revolve around the following typical coverages:

• A Media clause offering coverage for claims alleging liability resulting from the dissemination of online or offline media material, including claims alleging copyright/trademark infringement, libel, slander, plagiarism or personal injury. This could include websites, social media sites, and chat rooms. 
• A Privacy & Network Security clause would involve third party actions or lawsuits involving customer information, vendor information, or employee information.

Do you want to “make sure” when it comes to cyber coverage?  Contact the team of professionals at the Reschini Group for more information on cyber security options that make sense for your organization.

Cybersecurity practices remain a key focus for both the Financial Industry Regulatory Authority (FINRA) and the U.S. Securities and Exchange Commission (SEC).   An article* in Forbes magazine summarizes five best practices cited by these organizations to mitigate the risk of cyber attacks:

1. Governance

FINRA has found that although Boards of Directors are actively focused on cybersecurity, during their regulatory exams up to two-thirds of companies were found to have deficiencies or weaknesses in their policies and procedures.  Cybersecurity policies need to be specific and articulate the procedures necessary for implementation. 

2. Risk Assessment 

Risk assessment should be an ongoing process as opposed to a single point in time. Companies should gather and evaluate indicators of potential risks on a monthly, quarterly and annual basis. They should also look to what’s happening at other organizations and other industries, both to gain best practices ideas and to help thwart attackers’ plans. 

3. Cybersecurity Training

Because employees represent the biggest risk, training needs to be conducted regularly and be varied, both in method (such as in-person, email, blogs) and with different topics (such as passwords or visitor access).  Show employees what good cyber behavior looks like so they may bring those practices home with them to protect their families and personal systems, as well. 

4. Access Management

While the SEC watches how organizations conduct reviews of access rights periodically, it is estimated that about half either do not follow policies and procedures for terminating access rights, or inadvertently provide unauthorized system access to users contrary to established policy.  Best practice is for any remote access to a core network to be protected by two-factor authentication. 

5. Vendor Management

Risk from vendors needs to be addressed and constantly vetted and assessed.  One idea calls for the business to obtain permission before bringing on any new vendor that handles, touches, or stores data. To make it easier, create a list of pre-approved vendors.The team of professionals at The Reschini Group can help assess your cybersecurity exposures and offer comprehensive insurance solutions to transfer cyber risk and protect your company.  Contact us to learn more.* https://www.forbes.com/sites/joannabelbey/2017/06/30/how-to-avoid-cyberattacks-5-best-practices-from-sec-and-finra/#56ae09df1a16

The market for cybersecurity coverage remains competitive, and more business owners have decided to invest in insurance policies to protect from hackers and malware.  That’s the good news.

But the risk still outweighs the precautions taken, according to insurance industry watchers – and that’s the bad news.  Not enough clients are adopting the coverage, especially when proof continues to pile up that no organization is safe from a cyber event.

A 2019 Cyber Readiness Report from specialty provider Hiscox found that 53% of U.S. businesses reported a cyber attack in the previous 12 months, from 38% the previous year.  In all, 45% of those companies experienced three or more attacks in the past year.  Yet 27% of firms have no plans to adopt cyber insurance, according to the report.Considering the potentially devastating cost of recovering from a cyber attack, that statistic becomes especially alarming.  According to McAfee’s 2018 Economic Impact of Cybercrime Report, the global cost of cybercrimes is estimated to be between $445 billion and $600 billion.  But less than 20% of all businesses have purchased cyber insurance.  That rate continues to increase, but not nearly to the degree to guard against harm to the level of exposure that remains.Adopting a line of thinking that “It won’t happen to me” may be the biggest mistake of all, according to industry experts.  Business owners who only think of cyber attacks in terms of data breaches miss the other risks that exist, including extortion and business interruption – all of which represent serious and costly issues that need to be addressed through coverage.The team at The Reschini Group can help put together the best package of cyber protection coverage for your business, regardless of size, scope, or industry.  Contact us to learn more.

The Software Engineering Institute (SEI) at Carnegie Mellon University defines insider cyber threats as “the potential for an individual who has or had authorized access to an organization’s assets to use that access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”

As such, a team from SEI recently issued the sixth edition of its Common Sense Guide to Mitigating Insider Threats, where it lists the following 21 recommendations for businesses to deploy:

• Know and protect your critical assets.
• Develop a formalized insider threat program.
• Clearly document and consistently enforce policies and controls.
• Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
• Anticipate and manage negative issues in the work environment.
• Consider threats from insiders and business partners in enterprise-wide risk assessments.
• Be especially vigilant regarding social media.
• Structure management and tasks to minimize insider stress and mistakes.
• Incorporate malicious insider threat awareness into periodic security training for all employees.
• Implement strict password and account management policies and practices.
• Institute strict access controls and monitoring policies on privileged users.
• Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
• Monitor and control remote access from all end points, including mobile devices.
• Establish a baseline of normal behavior for both networks and employees.
• Enforce separation of duties and least privilege.
• Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
• Institutionalize system change controls.
• Implement secure backup and recovery processes.
• Close the doors to unauthorized data exfiltration.
• Develop a comprehensive employee termination procedure.
• Adopt positive incentives to align the workforce with the organization.

Many of these guidelines appear to be just common sense business practices, but establishing them firmly, communicating them clearly, and enforcing them consistently makes the difference.  Insuring against internal cyber threats carries its own set of parameters and requirements, as well.The professionals at The Reschini Group can help your organization protect your organization against losses from internal cyber fraud.  Contact us to talk more about this important consideration.* https://resources.sei.cmu.edu/asset_files/TechnicalReport/2019_005_001_540647.pdf

The major data breaches may get all the press – 150 million accounts exposed at Under Armour, 92 million at genealogy firm MyHeritage, 87 million at Facebook, and 145 million at Equifax, the largest U.S. credit bureau, revealing even Social Security numbers.

But that doesn’t mean small businesses are immune to cyber crime.

According to the Insurance Information Institute’s (III) 2017 report, Protecting against #cyberfail: Small business and cyber insurance, insurers foresee substantial increase in coverage among the small business segment, as these companies become aware of the possibilities of liability, especially due to a breach and the resulting response costs arising out of the possession of private data.According to the III, 10 percent of small businesses have suffered one or more cyber incidents in the prior year, with the average cost of cyber-related losses totaling $188,400. Only about one-third of firms surveyed had cyber insurance, nearly 60 percent of respondents said their company is very concerned about cyber incidents, and 70 percent think that the risk of being victimized by a cyberattack is growing at an alarming rate.Cyber insurance evolved as a product in the United States in the mid- to late-1990s as insurers have had to expand coverage for a risk that continues to rapidly shift in scope and nature. According to the National Association of Insurance Commissioners, 140 U.S. insurers reported writing some cyber insurance premiums in 2016.Online criminals keep adapting their techniques and level of sophistication just as quickly as technology evolves.  Convincing oneself that cybersecurity – and the attendant insurance coverage – is not necessary, just because a business isn’t “big enough” represents a bet that could be incredibly costly if lost.  Just because a danger may be hidden in the shadows doesn’t mean it’s not there.The cyber insurance experts at The Reschini Group can help you fashion a coverage package that makes sense for your business and your budget. Read more and download cybersecurity resources by clicking here or contact us to talk more about this important consideration.

It shocks absolutely no one that cybersecurity remains a growing threat to businesses, large and small, and that breaches of that security have increased both in number and in the resulting financial impact.  What may be surprising, however, are statistics compiled by various governmental and industry sources surrounding cybersecurity, including the following:

• Cybersecurity remains a priority risk concern among all businesses.
• The three largest areas of concern within the scope of cybersecurity are: falling victim to a security breach, discovering unauthorized access to financial accounts, and suffering an internal system glitch.
• Concerns on the rise among businesses include: outsiders hacking into systems used for business operations, cyber extortion, and questions about having sufficient resources to recover from a cyber event.
• One in five businesses have suffered a data breach or cyber attack over the past year, double the number recorded in 2015.
• 52% of businesses say becoming a cyber victim is inevitable.
• Only 36% of businesses worry about their employees being tricked into transferring funds, despite a 2,370% increase in losses from such scams over the past two years.
• 95% of businesses say their operations depend on computer systems running flawlessly.
• 23% of businesses report that they are unfamiliar with their cyber insurance options.
• 55% of businesses have not done a cyber risk assessment, 62% do not have a business continuity plan, and 63% have not assessed the cyber security of vendors with access to their data – but 91% of these same businesses say they are prepared to weather a cybersecurity event.
• 50% of businesses have not purchased cyber insurance.

 The professionals at The Reschini Group can help businesses across all categories and sizes get a true, accurate, realistic picture of their cyber exposure and fashion an insurance approach to safeguard against attack or malfunction.  Contact us to talk more about your cybersecurity situation.

As defenses and insurance coverages against cybercrime improve, so do the methods and the frequency of cybercriminals, it seems.  That only makes the battle more important than ever.

The Insurance Information Institute reports that, according to 2018 Identity Fraud: Fraud Enters a New Era of Complexity from Javelin Strategy & Research, 2017 saw 16.7 million victims of identity fraud, a record high that followed a previous record the year before. Criminals are engaging in complex identity fraud schemes that are leaving record numbers of victims of cybercrime in their wake. The amount stolen hit $16.8 billion last year as 30 percent of U.S. consumers were notified of a data breach last year, an increase of 12 percent from 2016. For the first time, more Social Security numbers were exposed than credit card numbers.Cyberattacks and breaches have grown in frequency, and losses are on the rise. Breaches again hit a new record in 2017, with 1,579 breaches tracked, up 44.7 percent from 1,091 in 2016, as business and government entities move toward timely reporting, according to the Identity Theft Resource Center (ITRC). The number of records exposed rose to about 179 million, compared with 37 million in 2016. The majority of the data breaches in 2017 affected the business sector, with 870 breaches or 55 percent of the total.The business category has suffered the most breaches for the third year in a row. Medical/healthcare organizations were affected by 374 breaches (23.7 percent of total breaches). The banking/credit/financial sector ranked third as it sustained 134 breaches (8.5 percent of all breaches). These figures do not include the many attacks that go unreported and undetected.In 2018 the ITRC tracked 522 breaches through the month of May. The number of records exposed totaled 17.6 million. The business category continues to be the most affected sector, with 228 breaches, or 44 percent of all breaches detected. The business sector breaches affected 10.9 million records, or 62 percent of all records affected. The ITRC noted that in May 2018, hacking was the most commonly used method for breaching organizations, accounting for 37 percent of all breaches in that month.The team of professionals at The Reschini Group can help you create a cybersecurity insurance package to protect your assets, even amid these complex and serious trends.

Cybersecurity has crossed from being an IT issue to being a business issue, and 2018 promises to see a significant ratcheting up of cybersecurity coverage as a result.

The growing cyber threat and stricter cybersecurity regulations will boost the growth of cyber insurance policies this year, according to industry sources.  According to NetDiligence, whose data is based on actual cyber insurance claims, the average cost of a cyber breach in 2017 was $349,000 for small companies, reaching an average cost $5.9 million for major organizations.As senior decision-makers understand the level of financial exposure, cyber insurance will need to answer the call more and more.  Allianz predicts that global cyber insurance premiums will grow to $20 billion by 2025, up from around $4 billion currently.According to a 2017 Ponemon Institute survey, while 87% of companies view cyber liability as one of their top 10 business risks, only 24% admit to having cyber insurance.  That may be due to a lack of clarity about how this coverage works.  Cyber insurance differs from auto or home insurance, where the risks are known and the products haven't changed that much. It is much more complex and potentially more dangerous than traditional risk.Organizations need to demonstrate that they have followed best practices to protect consumers and employees. They will also need to shift their approach to cyber-risk management, with a focus on accountability, to identify their threats and insurance needs through a deep technical diagnostic linked to realistic business impact.The team at The Reschini Group is here to help you assess your need, and assemble the most cost-effective package, for increased cyber coverage to meet your particular situation.Because it’s not just an IT issue any longer.  Protecting your cyber security is now a front-and-center business survival issue.

Extortion is a nasty business.  It can be performed all too easily, though, if one is well-versed in the dark online arts.

Ransomware is a type of malicious software that cyber criminals use to extort money from organizations all over the world. The cyber attacker injects ransomware into a victim’s computer network, when a user opens an infected email attachment or clicks a link on an infected website.  Once on the user’s computer, the ransomware receives an encryption key from the criminal’s Command & Control (C&C) server, which it uses to encrypt files.The encryption then blocks user access to files the organization needs. In many cases, ransomware also quickly spreads to other computers on the network, where it finds more files to encrypt. After ransomware locks the files, it posts a note that tells the victim how to pay a ransom to the attacker.When the victim pays, the cyber criminal’s C&C server tells the ransomware to unlock the victim’s files. The victim can then resume normal operations. However, some ransomware does not decrypt files after a victim pays the ransom, leaving the victimized organization crippled.Ransomware is becoming very popular with cyber criminals because it can attack any business in the world and is relatively simple to create and use. This was the case with WannaCry ransomware in 2017, which quickly impacted more than 200,000 computers in 150 countries.One element of a comprehensive strategy to address data security is customized cyber risk insurance. Organizations should carefully review their existing liability policies, such as kidnap and ransom policies, and consider stand-alone cyber risk coverage.Most cyber insurance policies are modular, which means an organization has a menu of coverages to choose, such as business interruption, third party liability for privacy breaches and first party coverage for an organization’s own costs to detect, stop, investigate and remediate a network security incident.The experts at The Reschini Group can help you determine the need for ransomware insurance as part of a total cyber security package.  Extortion is a nasty business, but protection can be provided to control the impact on your organization.

 Periodically, The Reschini Group will focus on a particular topic related to Risk Management or Property and Casualty issues. This month, we focus on Cybersecurity. Read on, and be sure to check out the resources available through the links.

Worth the Investment: Defining Cybersecurity Insurance

Insurance coverage is meant to protect one’s assets in the event of theft, damage, or disruption.  When your online information gets hacked, all three factors come into play.  So why not carry insurance to protect yourself from this potential disaster?

Cybersecurity insurance does just that.  The U.S. Department of Homeland Security defines it as follows:“Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection. Many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack. In recent years, the Department of Homeland Security National Protection and Programs Directorate (NPPD) has engaged key stakeholders to address this emerging cyber risk area.”The 2017 Cost of Data Breach Study, conducted by the Identity Theft Resource Center, has stated that:

• The overall cost per data breach worldwide decreased from $4 million to $3.62 million over the past year, but those same costs increased in the U.S. by 5 percent, to $7.35 million per data breach.
• Having an incident response team reduced the cost of a data breach by nearly $1 million.
• Health care is the most costly industry for data breaches, costing organizations $380 per compromised record.

Having a cybersecurity protocol, backed by the proper level of insurance coverage, is not only smart business – it could keep your business from disappearing altogether.  The National Cybersecurity Alliance reported that nearly 60 percent of small businesses victimized by cyber attack closed permanently within six months.  Putting the right protection in place is not difficult, and can be achieved more cost-effectively than might be assumed.Fitch Ratings said that cybersecurity insurance policies in the U.S. have risen by 35 percent, reflecting a growing awareness and appreciation of the risks and how to reduce them.  The cybersecurity insurance specialists at The Reschini Group can work with you to help safeguard your organization in the same way.

More About Cybersecurity

Read The Reschini Blog: Protecting Yourself from Online Data Breaches

Read The Reschini Blog: Guiding Parameters for Preparedness in Cybersecurity

Get: Cyber Risk Exposure scorecard

Get: Cybersecurity for Small Business

Get: Cybersecurity for Healthcare Organizations