CYBER…The ‘Modern’ Threat!!

Release Date: 05/01/2020

The 2019 Official Annual Cybercrime Report predicts that this year businesses will fall victim to ransomware attacks every 14 seconds.

In January 2019 alone, nearly 1.8 billion user records were leaked due to cyber-attacks, representing personal information and passwords for approximately 772 million people. Hackers attack every 39 seconds, on average 2,244 times a day. (Source: University of Maryland)

Every business uses computers to send, receive, or store electronic data, such as: sales projections, tax records, management planning, and any other information owned by the business. If the data is lost, stolen or damaged due to a cyber/security breach, such information could be very costly to replace or restore.

Your computer network might also store sensitive data that belongs to other parties such as your employees, vendors and customers. If such data is lost or compromised by a hacker, you might be sued for damages by them.

Therefore, your firm will need to incur in substantial expenses to notify customers impacted by your data breach as required by law. Additionally, you will need to hire legal, public relations and computer forensics consultants to help mitigate the loss and the possible impact to your brand.

The Cyber Liability policy can protect your business against the costs associated with data breaches. It will cover legal defenses, settlements, crisis response expenses, including notification costs and credit monitoring, and business interruption & extra expense.

What Cyber Liability Covers?

First Party Coverages:

1. Cyber Breach Costs, including notification costs and legal and forensics advisors.
2. Cyber Extortion Costs including payment of ransom.
3. Data Asset Protection for costs to recreate, rebuild or restore information and electronic data.
4. Business Interruption and Extra Expense to recover or respond to a cyber event or technology failure.
5. Contingent Business Interruption from cyber event or failure affecting your vendors (IT, Cloud provider).
6. Social Engineering – Coverage when the insured suffers a loss of money because of spear phishing scam which dupes an employee of the insured into wire funds transferring money to a third party.
7. Telephone Fraud – Coverage for the insured in the event of their telephone system being hacked by a third party.
8. Invoice Manipulation – Coverage for the release or distribution of any fraudulent payment instructions to the Insured’s clients as a direct result of a cyber security breach in order to trick that client into transferring payment intended for paying an Insured invoice to another person or entity.
9. Bricking covers the replacement cost of technology equipment which is rendered useless by a malware attack.
10. Crypto Jacking – increase in service charges or fees from the insured resulting from the unauthorized use of any of the following utilities services: water, electricity, internet access, etc.

Third Party Coverages:

1. Cyber, Privacy and Network Security Liability costs incurred in the investigation and defense of the Insured, including monetary amounts the Insured is legally obligated to pay to others.
2. Media Liability for online copyright infringement, libel, slander, plagiarism.
3. Regulatory Defense and Penalties – protection for the insured in the event they are fined or penalized by a governing body (HIPAA).
4. Payment Card Loss (PCI Fines and Penalties) – protection for the insured in the event they are fined or penalized by the Payment Card Industry.

What federal and local regulations businesses need to comply with?

There are several federal and state regulations that require all kind of businesses to ensure the privacy, security and confidentiality of Personal Identifiable Information. They include, but are not limited, to the following:

Federal Law:

• The Privacy Act of 1974, as amended in 2019, protects records about individuals retrieved by personal indentifiers, such as name, social security number, other identifyin number or symbols.
• Federal Information Security Modernization Act of 2014 (FISMA) requires federal data to be secure.
• Family Educational Rights and Privacy Act (FERPA) prevents institutions from disclosing education records or student PII.
• Gramm-Leach-Bliley Act (GLBA) requires “financial institutions”, including colleges and universities, to ensure the security and confidentiality of customers/students PII.
• Health Insurance Portability and Accountability Act (HIPAA) requires institutions to protect health records and other identifiable health information via privacy safeguards and by limiting use and disclosures without authorization.
• Federal Trade Commission (FTC) provides the gtreatest overall data protection to consumers.
• Fair Credit Reporting Act regulates and protects a consumer’s financial data.
• Computer Fraud and Abuse Act addresses computer hacking and data theft by making it illegal to access computers and taking electronic data.

Local Law (PR) – Law No. 111 of September 7, 2005 (10 L.P.R.A. St §4051)

• Applies to any entity that is owner or custodian of a database that includes PII information of residents of Puerto Rico.
• Within a non-extendable term of ten (10) days after the violation of the system’s security has been detected, the parties responsible shall inform the Department of Consumer Affairs (DACO), which shall make a public announcement of the fact within twenty-four (24) hours after having received the information.