Tag Archives: data loss prevention

The Top Data Breaches in 2017 – And It’s Only August

Since January 1 2017, there have been approximately 156,000 data records breached where the disclosure was unintentional or a malicious breach from an insider. These are breaches in all industries, to all kinds of individuals, and all sizes of companies. To put it in perspective, that’s roughly 867 records breached every day, or nearly two records every three minutes. We’ve rounded up the top data breaches for the first half of 2017. Prepare to be unsettled.

Registered voters in America
198,000,000 Americans registered to vote had their personal information exposed in late June this year. The firm responsible, a Republican data analysis company, Deep Roots Analytics, has taken full responsibility for the situation. Included in the breach was basic information such as voter’s first and last names, birth dates, home and mailing addresses, phone numbers, registered party, self-reported racial demographic and voter registration status. Alarmingly, a voter’s likely stance on abortion, gun control, stem cell research and environmental issues was also part of the breach. Fortunately, it appears that only a single Cyber Risk Analyst from another company was able to access the 1.1 terabytes of entirely unsecured data and was able to alert authorities in time.

Educational records at the University of Oklahoma
Also in June, the University of Oklahoma has been found to have violated federal law with their lax privacy settings across their campus file-sharing network. 29,000 educational records were accessed by email users on the system. These records included social security numbers, financial aid information and grades in records dating to at least 2002. The files have now been safeguarded but each breach could constitute a violation of the Family Educational Rights and Privacy Act.

Email addresses of US corporates
Just under 33.7 million unique email addresses were leaked in March this year. The company responsible, Dunn & Bradstreet, is a business services company so, at 30 million, the records represented a large chunk of the United States corporate population. This is the data that can be bought and sold – it’s unknown what the market rate would be, but it is reported that it can cost up to $200,000 to access just half a million records. The largest organizations affected include the Department of Defense, other armed forces, AT&T, Boeing, and the United States Postal Service. Interestingly, it remains unknown how the breach occurred, other than it was internal, although Dunn & Bradstreet stated it was not released through one of their systems.

Thankfully, many of these data breaches were eventually picked up by security companies monitoring for data exposure before the data could get into the wrong hands. While these are three of the most significant data breaches to happen this year, there are tens of thousands more where companies have had their data exposed through internal sources, either with malicious intent or by total accident. Companies that lose data through their own negligence, or lack of correct privacy procedures, can face legal action and be forced to pay damages to the individual’s affected. A data loss protection strategy is essential for a company of any size. It protects the individuals whose data is owned by the company, and it helps protect the company from the ramifications of any internal losses.

How to Use Prioritization to Enhance Your Data Security

Data loss prevention and data security can sometimes feel like a daunting and money draining task, particularly for SMBs. But cyberattacks and loss of data can be some of the biggest risks an organization can face in this modern-day climate. Companies don’t need to be big-name enterprises with large IT departments in order to operate as a top-performer in data loss prevention. When it comes to protecting companies and individuals from data loss, prioritization of data protection is key to successfully managing security, while still operating a well-running company.

  1. Knowledge is power

There are many studies that suggest that around one third of all companies lack sufficient policies for data encryption, classification and security. Knowing the risk and how your company might be affected is the first step towards data security.

  1. Consider the options

What is actually realistic for your business? While it is tempting to get caught up in the sophistication and benefits that some of these security systems hold, it’s important to prioritize what your company really needs for full protection. Extra benefits are nice-to-haves, and most security companies will scale plans up and down, so these can easily be considered once a working plan is in place.

  1. Learn about your company’s data

Back to the first point, knowledge is power – in order to be able to optimally prioritize data for security purposes, you need to know about your company’s data. What it does, who uses it, and how it moves around your computer systems. Depending on the size of your company, there are some mapping tools that can be put into place to assess this but you should also be looking for a general feel. In addition to the sophisticated software that’s out there, there’s an element of common sense to data security – if you think data could escape a particular route, it probably can.

  1. Top down data prioritization

Once you know the ins and outs of your company’s data, it’s important that you begin to assess the risk that a breach in data security poses for the different kind of files your company possesses. The higher the risk, the more priority needs to be given to ensuring that the data security around those files is impeccable.

  1. Balance it out

Bear in mind that often the more security and process you place around data, the more administration you are placing on your employees. Policies and verification processes all take time, and this adds up if it is manual time on each and every file the employee is using. Consider the effect that the loss of a particular piece of data will have on your company if it is released from your secure system. If the consequences are not high, and it’s much more effective for your business to run efficiently without cumbersome processes around those files, then go with that.

Prioritizing the kind of security that you employ to protect your company, and how you implement it, can sometimes mean the difference between being able to install security and data loss prevention plans in your company, or becoming like the one-third of businesses that have not done so. With these simple techniques, you should be able to efficiently breakdown and prioritize how to effectively go about protecting your company through data security.

Why a Data Breach Could Change Your Life – And What to Do About It

data loss preventionThe sensitive information of individuals is big business in the criminal world. An individual’s medical record can collect up to $50 on the black market, 50x that of a credit card record, and that’s before money has been elicited by using the record itself. Data breaches aren’t just confined to medical and financial though, in the modern world we are seeing trade secrets, intellectual property and other identification information being viewed or stolen by unauthorized individuals. Data breaches can dramatically affect your life, both as an individual citizen, but also as an employee or business owner. Fortunately though, there are ways to protect yourself.

Getting down to business

From a business perspective, data breach can be hugely damaging, to a company’s reputation as a whole as well as the consequences of what that data breach will bring. Particularly for companies that trade in knowledge sectors, data breaches can have hugely impactful and long-lasting effects if intellectual property or trade secrets are obtained by an unauthorized source. Companies have seen their long-term earning capacity significantly reduced, or even wiped out, from data breaches.

While the media generally highlights data breaches that happen on a mass scale to large and well-known brands, it is small to medium enterprises that can be hit hugely as their technology and processes are often not strong enough. Some studies suggest that almost 30% of SMEs have no plans in place to deal with security threats.

How to turn things around

A data breach response plan is crucial to maintaining the safety of your business. Sometimes it’s helpful to think about the digital risk of a data breach in the same way as a physical risk to your company, such as fire or theft. No company would operate without basic policies around high-risk areas, and data breach should be considered in this group.

A good data loss protection plan and state-of-the-art security will equip your company with the right tools and software to protect against ransomware, and inadvertent loss of data. But a truly great data loss protection plan is one that pre-empts the catastrophe by ensuring that all employees understand the level of risk associated with a data breach and are committed to putting in place best data loss protection practice in order to minimize the risk.

On an individual level

Whether you’re a business that holds sensitive information regarding individuals, or from an individual perspective, it is important to know the risks associated with having your personal data compromised. Of course, the consequences of stolen financial and medical records are fairly evident, but with the rise of sophisticated ransomware and malware techniques, criminals can embed themselves on your computer and commit serious crimes identity theft that you may not even be covered by in your insurance.

What to do about it

Firstly, look into how you’re currently protected on an insurance and a digital level and make the appropriate changes. Contact your bank and talk about options to protect your credit card online and fully understand their policies if your details are compromised. Shop around – protection isn’t standardized and different financial companies will offer different types of protection. That goes for your medical insurance also, contact your provider and get a clear understanding of what will happen if there is some kind of breach.

Then it’s time to look into your cybersecurity. Cyber criminals have gone from strength to strength in recent years so it is imperative to update your security and ensure the settings don’t ever have it sitting in an idle state. It’s also an excellent idea to look into password storage facilities like LastPass that enable you to have a different password on websites, particularly those you are sharing sensitive information with. Opt for a two-step verification process on any website that has it and use different security questions on different websites, where they are offered.

Data breach can have far-reaching and long-lasting effects on both individuals and companies. Put simply, the only way to combat this kind of criminal activity, as a citizen and as an SME or SMB, is through protection. For businesses, this involves a strategic data loss protection plan, as well as a crisis management plan if the worst happens and sensitive information, particularly that of individuals, gets into the wrong hands. For both businesses and individuals, computer security and prevention techniques when it comes to websites where your data could be compromised, are essential to mitigating the life-changing risk of a data breach.

Top Breaches in Retail in 2015 -2016

This week, we will continue with the topic of data breaches in retail.

Study Findings

A study on data breaches in retail, conducted by Vormetric, revealed the following key findings:

  1. 93% retailers believe that their organization is susceptible to insider threats.
  2. 48% retailers have either had a data breach or did not meet compliance audit in the last one year.
  3. 77% retailers said that “diligently following up on compliance requirements and making implementation of those requirements mandatory” can easily thwart insider threats.

Examples

In order to emphasize on the vulnerability of retail to data loss, let us look at four examples where sensitive information was compromised because of a breach (caused by external and/or internal factors).

  1. Target – Although this incident impacted Target retail stores in November-December 2014, it is worth mentioning as it has been deemed as one of the most expensive breaches in the history of retail industry. Almost 70 million customers had their personal and payment card information stolen. The hackers had installed malware software on POS terminals. The breach cost Target more than US$ 3.6 billion.
  1. CVS/ Walgreens – July 2015 saw a credit card breach where CVS, Walgreens came into the grip of malicious hackers. The pharmacies had to halt their online photo service in the wake of credit card theft.
  1. CVS – In July 2015, a pharmacy technician passed about 100 customer records between May 2013 and April 2015 to her property manager, who in turn, used this unauthorized information to apply for loans and credit cards.
  1. Bed, Bath and Beyond – In September 2015, the retailer reported that an employee had stolen some customers’ credit card information with the intention to misuse it.

Reasons Why Retail is Different

There are many reasons that make retail different from other sectors, which also results in the need to implement a unique vertical-specific solution rather than a cookie-cutter solution.

  1. Volume of Credit Card Transactions

In retail, majority of payments are conducted using credit cards, making the sector highly vulnerable to breaches.

  1. High Employee Turnover

Retail has a very high employee turnover. Employees fall into various categories – part time, full time, seasonal – and keep on moving quickly between departments, locations and across other employers. This makes employee training and monitoring very challenging, resulting in higher risk of breaches by insiders intentionally or accidentally.

  1. Physical Security of Payment Endpoints

Access to payment endpoints is easy, whether it is POS at stores or gas pumps. There are devices available that can be used on these payment terminals to capture sensitive credit card data.

  1. Multiple Locations

Large retailers have stores across various locations. More the number of locations, higher is the cost of implementing security measures.

  1. Speed of Responsiveness

In retail, a key measure of customer satisfaction is speed of responsiveness. Retailers face a very tough competition and are always on their toes to provide a very fast and satisfying service. Any kind of online authentication can easily slow down the process, tempting customers to cross the bridge to other retailers.

  1. Working with Third Parties

Retailers work with a number of third parties. A lot of these third parties manage sensitive data after uploading it to their own network. This raises the risk of data breach.

Conclusion

It is essential that retailers be cautious and take proactive measures to safeguard sensitive customer data stored on their or third party networks. Loyal customer relationships are built on trust. Implementing best practices that enhance this trust will go a long way in customer satisfaction and retention.

Retail Data Breaches – Lessons Learnt


For the past couple of months we have been talking about data breaches across different sectors, their implications and best practices that can be implemented. In this blog, we will talk about retail.

Enhanced Digital Experience Drives Need for Enhanced Data Security

While the percentage of breaches in retail is low as compared to other sectors (as per Verizon, 1 in every 13 breaches is in retail), the cost of breach per record is very high. This is because a standalone breach in retail can account for thousands of accounts being comprised.

Retail is at the forefront of implementing customer-facing digital applications. As retailers create a seamless customer experience through an omni-channel strategy, the threat to data loss either because of employee error or malicious intent, or because of external factors such as hacker, malware etc. is also increasing. Another type of breach that retailers face is Denial of Service (DoS), which can heavily harm goodwill of the company. In this kind of breach, hackers overload the server and explicitly force the website to go down due to overloading.

While regulatory requirements have been set up to ensure organizations that process sensitive personal or financial information are in compliance, the threat from newer sources and methods is always there. According to IBM, the cost of breach per record in retail is US$ 165. Retailers not only have to pay a heavy price for these breaches in terms of penalties, but they also face the imminent threat of losing their loyal customers to competitors.

Best Practices in Retail for Proactive Data Loss Prevention

Zecurion recommends the following best practices that retailers should implement to thwart data loss threats from their endpoints, servers and networks:

  • Invest and install comprehensive data loss prevention solutions, developed from the ground up, rather than piecemeal solutions. The former provide more robust security features against internal and external threats of data loss
  • Involve end-users of technology in purchase decisions. Getting their feedback on issues they face helps identifying the right need and the right security solution that users are more willing to adopt
  • Educate the staff and conduct regular training sessions on data access policies. Make sure employees are aware of roles, restrictions and permissions assigned
  • Keep firewalls, anti-virus up to date. Make sure that there is no obsolete software running and all updates are current
  • Encryption should be the rule of thumb when exchanging any classified information. Two factor authentication comes very handy in high data volume environments
  • Secure the connection between networks and monitor endpoints regularly
  • Follow strict regulations and policies for Bring Your Own Devices (BYOD)
  • Generate awareness about POS RAM scrappers. These scrappers are used to steal data from infected POS machines. They can be easily installed remotely and the payment card data can then be reproduced within minutes, paving way for fraudulent transactions
  • Implement policies around safe removal of POS machines so no data can be misused
  • Set up regular checkup of POS machines to ensure there are no skimming devices that have been installed to get the payment card information
  • Implement and test a robust post-attack mitigation plan in case a breach does happen

It is worth mentioning here that the National Retail Federation has been actively campaigning for “Chip and Pin” cards. Payment cards have all the sensitive data stored in a microchip, with nothing embossed on the card. A “Chip and Pin” card will require a secret number to get approved instead of a signature. The requirement of having a pin number will aid in countering a lot of breaches, especially in case of stolen cards.

The “Chip and Pin” cards are in practice in other countries but are still not available in the US. While the initial set up cost for these kind of cards may be high, the security benefits offered will still outweigh the risk of a large data breach.

Best Practices in Securing Healthcare Data

 

Health is wealth. An old saying but it upholds an important underlying meaning. Consumers spend a great amount of money on wellness, prescriptions, medical examinations, lab tests, various auxiliary health procedures etc. With this, healthcare organizations have become a repository of vast amounts of sensitive data that these consumers share, making them soft targets for data beaches.

ITRC, Identity Theft Research Center, studied the trends of data breaches and concluded that in 2015, 35.5% of the breaches occurred in the healthcare sector. And 66.7% of the total records that were exposed were from healthcare industry.  ITRC also claims that as of date in 2016, 34.9% of the breaches and 34.6% of the total records compromised are from healthcare; an overwhelming 4 million records have been reported to be affected in just the first few months of 2016.

Zecurion has put together a list of best practices that healthcare organizations are recommended to follow in order to protect themselves from such incidents.

Early Detection through Proactive Monitoring

Having efficient algorithms and rules for the network helps detect early if PHI and PII is being accessed without proper authorization. Many automated tools are available today that can discover any such breach at the initial stage itself. And early detection can thwart data loss incidents.

Towards this, solutions such as Zecurion’s Zgate enable companies to monitor all forms of outbound network traffic and online communications. It also helps identify sensitive information and prevents it from leaving the network. Zgate uses hybrid content analysis – combining digital fingerprints, Bayesian methods, and heuristic detection – to filter outbound traffic and detect confidential data.

Multilayer Security Authentication

Multilayer security authentication is a must. Options for finger print, retina test or scanning of a smart card should be added to regular password options to establish identity of the actual user. User role needs to be identified comprehensively, and accordingly the extent of authorization should be granted.

Encryption, Encryption, Encryption

Healthcare servers have vast sources of confidential information stored. Proper encryption of stored data can prevent data loss. Zecurion’s Zserver offers an excellent solution in this context. The solution encrypts information on hard drives, disk arrays and SAN storage using innovative and sophisticated cryptographic techniques. This protects stored information whenever physical control of the media is impossible, whether moving data to the cloud, or in the case of hard drive loss.

Update Security Patches Frequently

Antivirus and firewalls should not be outdated or obsolete. The software should be current and running 24/7 365 days without failure. Still just deploying antivirus is not enough. Securing the endpoints is equally important to prevent data loss.

Set Up Dedicated Risk Assessment Team

The management should have a formal dedicated risk assessment team to look into various techniques, procedures, and access points from where the PHI and/ or PII leaves the system. The team may pose as insider threat actors and hackers, play bad cop and come up with customized solutions and risk mitigation plans to protect against breaches.

Implement Incident Response Plan

Drawing up an efficient incident response plan helps in mitigating and containing the aftermath. This is very important for the reputation of the organization. When reputation is at stake, having a robust plan that streamlines what needs to be done, when and how, saves time, money and credibility.

Cyberinsurance

Cyberinsurance is an option that healthcare organizations should consider to offset any financial liabilities that may occur as a result of data breaches.

Conclusion

Data loss prevention solutions are a must-have for healthcare organizations. They should be deployed without hindering or slowing down the access of information to care givers. While there is no fool-proof solution to any breach, it is best to go with the saying “prevention is better than cure”.

Top Breaches in Healthcare in 2015-16

 

Last week, we read about top breaches in the higher education sector. In this blog, we have identified for you top breaches in the healthcare sector.

  1. Anthem – February 2015 saw the largest healthcare breach of all times, with nearly 80 million records, containing sensitive data, getting affected.
  2. Premera Blue Cross – In March 2015, the Washington-based organization found that its 11 million records were hacked and both medical as well as financial data was breached. FBI investigation concluded that Chinese hackers were involved as in the case of Anthem breach. The organization provided two years of free credit monitoring to individuals affected by this incident.
  3. Excellus Blue Cross Blue Shield has been the third largest breach where in more than 10 million records were exposed.
  4. UCLA Health, based in Los Angeles, had 4.5 million records exposed in May 2015, as unauthorized user gained access to classified information.
  5. In Indiana, Medical Informatics Engineering, stated that 3.9 million records with Personal Health Information (PHI) fell into the hands of hackers in May 2015. Two years of free credit monitoring has been provided to individuals affected by this incident.
  6. In November, 2015, Maine General found that data from its system had been uploaded on an external website. Though the site did not have any sensitive information, it still exposed the vulnerability of healthcare to insider and external threats.
  7. In another incident, Washington State Health Care Authority (HCA) notified that 91,000 Medicaid patient files got mishandled. In this case, and HCA employee was helping an employee of Apple Health, a free healthcare service for low income individuals, with an Excel problem when the information got exchanged inappropriately, which is a clear violation of HIPPA regulation. Though the exposed information was not misused, yet both the employees were relieved from their jobs and one year of free monitoring was provided.

It is worth mentioning that the Department of Health and Human Services is becoming very vigilant in connection to HIPPA violations. The department is determined and is making sure that healthcare organizations are complying with HIPPA. If in non-compliance, the organizations have to pay hefty fines. Below are some examples of organizations that had to pay heavy fees as a result of non-compliance.

  1. Cancer Care Group, Indianapolis, paid $750,000 as HIPPA settlement.
  2. Lahey paid an exorbitant $850K to DHHS.
  3. Triple-S Management Corporation, however, tops the list by defaulting and paying a fine of $3.5 million.

According to the Office of Civil Rights, there were 253 healthcare breaches in 2015, with a combined loss of over 112 million records. To reinforce the importance of implementing data loss prevention, we have put together a few statistics from Ponemon, an independent researcher, on how vulnerable healthcare is to data breaches.

  1. At least 91% of the healthcare organizations have had one breach.
  2. 39% of the healthcare organizations have faced 2 – 5 breaches.
  3. 40% of the healthcare industries have been exposed to breaches more than 5 times.
  4. Data breaches in healthcare cost nearly $6 billion annually.
  5. Most important of all, non-malicious employee error is the leading reason for the breaches.

Conclusion

In conclusion, we can see how vulnerable our healthcare industry is to data breaches. The need to have robust and agile data loss protection solutions is strong and immediate. Those that are proactive and take adequate measures are bracing themselves for an imminent risk, while others are left behind. Data loss is no more new; it is there and it can strike anytime. Prepare and act now.

Top Breaches in Higher Education in 2015 -2016

In continuation to our series on data loss in higher education sector, this article identifies the top breaches that have taken place in institutes all around the country. These incidents are noteworthy because they spiked up awareness about higher education being a soft target for data breaches.

April 2015 saw one of the biggest breaches at Auburn University where about 360,000 people had their social security numbers exposed online publicly. These people were not even registered/ enrolled students of the university but were either applicants or prospective students.

In May of 2015, when the breach was discovered at Penn State University, it had already affected 18,000 records. It was found that the unauthorized access had started way back in 2012 at the College of Engineering and had gone unnoticed till 2015. The alarming issue here is that it took 3 years to detect the breach and the network had to be disabled for 3 full days, significantly affecting continuity of work.

June of 2015 saw another breach at Penn State University. This time, the College of Liberal Arts, came under attack for unlawful access.

A similar breach took place at University of Connecticut in July 2015. The servers were hacked by unauthorized users from China beginning 2013. About 1,800 user credentials were exposed though it was never confirmed if any intellectual data was compromised. During the investigation, malicious hardware was found on the servers.

University of Virginia notified in August 2015 that there was a cyber attack originating from China, resulting in the University reinforcing protection of its network against future breaches. Although no PII was stolen, people quickly became aware of the inherent risk that large institutes face because of lack of adequate data loss prevention measures.

In September 2015, at least 80,000 records of students enrolled in an online course at Cal State got hacked. Sensitive information was compromised because of this. The cause was attributed to malware in third party applications offered by a vendor administering the online course. While the PII was not exposed, user IDs and passwords, college emails, gender, and race were made public.

In another incident, California Virtual Academies (CAVA) informed its registered users in December 2015 that their data storage system was exposed as a result of data breach. CAVA, within hours, was able to locate the vulnerability and contain it by securing the system. Users were still urged to check their personal accounts, change security settings online and familiarize themselves with information provided on credit and identity protection.

In January 2016, Southern New Hampshire University (SNHU) confirmed that due to a configuration error on part of a third party vendor, a database containing names, email addresses, IDs, course details, scores etc. had been exposed. About 140,000 students had been affected due to the breach. Since SNHU claimed to have 70,000 enrollments, it was understood that the records either had been duplicated or both former as well as current students had been affected. The investigation is still ongoing.

In February 2016, University of Florida reported that as many as 63,000 records with PII were exposed to hackers. The records belonged to former and current students as well as staff members. The management also notified that credit card information, other financial data and health records were not comprised.

Conclusion

The above-mentioned incidents reinforce the vulnerability of the higher education sector. Tighter regulations and comprehensive data loss prevention solutions are thus deemed as a necessity in this sector.

Data Loss Prevention: Protection Beyond the Antivirus

Installing antivirus is no more adequate unless organizations have taken proactive actions and implemented other end-point security solutions to protect data loss arising from internal and
external threats. This traditional end-point security provision was sufficient in yesteryears when cyber-attacks were simpler and few. With the ever-changing technology and advancement in the nature of cyber-attacks, the antivirus as a security measure alone will not hold the fort for a long time.

Corporate data is mostly digital now. And sensitive data is accessed over multiple devices and networks. Telecommuting is rapidly growing and is favored in both private and governmental organizations, prompting employees to bring their own devices. Unfortunately, antivirus software is perceived to be the default security mechanism expected to protect against most IT threats. This, in turn, can be disastrous as it gives IT administrators a false sense of security, making critical data loss a harsh reality. IT administrators, therefore, need additional forms of protection such as end-to-end encryption and data loss prevention ((DLP) solutions.

What should an organization do to protect its critical data? We have some recommendations for organizations to consider in order to safeguard themselves against vulnerabilities of data loss:

  • Administer multiple layers of security instead of implementing just the antivirus.
  • Keep business continuity in mind while installing the endpoint security tool.
  • Encrypt data whether it is static or in transit.
  • Constantly monitor data coming in and leaving endpoints of the network.
  • Define user roles clearly, so employees are aware of who can access what kind of information.
  • Provide regular training to the workforce about security measures that need to be followed at all times.
  • Have a robust backup and risk mitigation plan ready in case of a breach.
  • Implement device management/ monitoring as an essential practice, particularly with the BYOD culture becoming a key workplace trend.
  • Install zero-day malware detection/analysis and content-aware DLP solutions.

These recommendations are the fundamentals to a strong IT security strategy. With antivirus no longer being the magic potion to deal with all threats, it is time organizations start implementing a more robust solution that encompasses various techniques aimed as data loss prevention.

Cyber Insurance –Driving Demand for Data Loss Prevention

No matter how robust and agile the system is, how efficient the organization’s policies and regulations are and how secure the network connections are, there is always a daunting risk of data loss either maliciously, by human error or due to system glitches. The total monetary loss after a cyber-attack encompasses both tangible and intangible elements such as loss of direct monetary gain, expenses related to specialist lawyer, IT forensics experts, investigators, various fees and penalties, digital disruption, credit monitoring, slump in good will etc. – all of which can be humongous.

This is enough justification for companies – large, medium or small – to get Cyber Liability Insurance Cover or CLIC. Of course, the coverage will not be the same for all but has to be customized as per the entity and therefore will have various terms and conditions and pricing. The major factors that dictate the type of CLIC are the type of data aggregated, size of the company and extent of the potential risk.

Cyber insurance companies offer add-on services with CLIC to custom build policies for organizations. Be it lawyers, forensic experts, spend on crisis management solutions, notification and restoration expenses – all become an intrinsic part of the coverage.

Cyber insurance companies that provide the best fit will typically have the following elements covered as part of their packages:

  • First party as well as third party coverage
  • Premium pricing
  • Claims payout
  • Underwriting risks
  • Ability to offer coverages ( policies, term and conditions) over a wide spectrum of cyber risks which include theft of intellectual property, data and software loss, network failure liabilities, data destruction, DoS, etc.

Similarly, underwriters at cyber insurance companies look for the following factors while setting premium rates for CLIC:

  • Check if data loss prevention (DLP) solutions are implemented. Also check for types of encryption, security for access points in the system. A comprehensive DLP solution could typically result in lower risk and hence lower premiums.
  • Understand awareness level of employees around access policies. This includes checking if regular trainings are held to keep employees updated on systems and policies in place. How well educated employees and vendors are about regulations and compliance has a significant bearing on CLIC.
  • Check what risk mitigation plan is in place in case of a data breach incident.

As in the case of any traditional insurance, if there is a rise in the number of claims and payouts, the CLIC deductible and premium increases. Or, the payout is cancelled completely when capped. As a result, organizations looking for CLIC usually demand more comprehensive data loss prevention solutions. When an underwriter sees and is convinced that the organization has taken good measures to prevent data losses, it may result in in lower deductibles and premiums.

What is the state of cyber insurance market in the US?

According to RnRMarketResearch.com, the cyber insurance global market was at an estimated US$ 2.5 billion in terms of gross premiums in 2014. In the US specifically, 46 states have made it a law that data breach incidents be notified publicly resulting in exponential demand for cyber insurance. Although 90% of the global cyber insurance policies are bought by US companies, yet only one-third of the US companies are covered. PwC predicts the market will grow to an estimated US$ 7.5 billion in annual premiums by 2020. Allianz, a German insurer, predicts the market to grow to US$ 20 billion by 2025. This will be a driving force in putting forth better policies and measures for DLP in companies.

Following are some of the key cyber insurance trends that were seen in 2015:

About 60% of brokers say that there has been a significant increase in the number of companies seeking cyber insurance in 2015, resulting in greater demand for DLP solutions.

Healthcare has seen the highest growth in cyber insurance demand due to its high vulnerability. Use of DLP could drastically reduce insurance-related costs.

Overall, awareness and news about data breaches accounted for more than 70% of CLIC sales.

Wrapping up, one can say that embracing cyber insurance at the correct time is imperative rather than taking the burden of monumental payoff in case of data breaches. The transfer of risk to a third-party gives an edge over competitors in the long-term by unlocking the potential for sustained growth. Simultaneously, reforming current policies and/ or pushing in for better and more effective DLP solutions is equally vital to keep cyber insurance related costs under control.