Archive

Posts Tagged ‘data security insurance’

The expected boom in cyberinsurance

December 23, 2011

The New York Times published an article today predicting that there will be a surge in the purchase of what it refers to as “cyber insurance” – insurance covering a range of exposures relating to the breach of privacy and network security. The article has some significant exaggerations and misleading statements, and it quotes extensively from people whose livelihood depends upon cybersecurity breaches and the sale of insurance policies, but it provides a useful window on the current environment. The article places great importance on the recent guidelines issued by the SEC’s Division of Corporation Finance. Click here for WGA’s blog post and downloadable white paper discussing these new guidelines and their potential impact. Read more…

A slightly different take on the SEC cybersecurity disclosure guidance

November 1, 2011

The recent rash of cyber breaches at public companies and an outcry from federal lawmakers have prompted U.S. securities regulators to issue guidance for when companies must disclose cyber attacks to investors. The guidelines issued by the U.S. Securities and Exchange Commission are intended to help reporting companies determine whether they need to disclose the risks they face in protecting their electronic data, as well as the costs they have incurred or could incur because of cybersecurity breaches.

The increase in corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Breaches are now more frequent and severe. Public companies and their advisors should focus greater attention on how disclosure obligations under the Read more…

The “frenemy” within – data breaches by insiders a growing concern

Six-figure losses common for even small businesses

A survey by Symantec of more than 3,000 businesses provides useful information about the current state of corporate cybersecurity. Symantec’s 2011 State of Security Survey found that 73% of small and midsize companies had suffered a cyber attack in the past year, and that 30% of the attacks were “somewhat/extremely effective” in compromising the victims’ data. Companies are on alert. According to the study, in fact, companies considered cybersecurity their greatest threat — greater than criminal activity, natural disasters, and terrorism.

Many companies are already bristling with perimeter weaponry designed to prevent external attacks, but their defenses are not impregnable. More than 70% of the respondents experienced cyber Read more…

Data Security: It’s not just personal (information)

July 11, 2011

Most businesses are now aware of the financial and reputational risks they face from breaches of their confidential information. Each week, sometimes even every day, there are reports describing the theft or loss of sensitive data from companies, healthcare and educational institutions, or governments. Many of these incidents receive considerable media attention, such as the serial breaches at Sony. Security experts speculate about the costs companies incur in connection with data breaches, ranging from the hundreds of thousands to the hundreds of millions of dollars.

Much of the media attention is understandably directed at breaches of confidential consumer information. Those involve the compromise of personally identifiable information that can be used to engage in identity theft and cause terrible personal financial Read more…

A Texas-sized data breach expensive for state government

The Texas Comptroller notified about 3.5 million people last month that their personal information (including names, addresses and Social Security Numbers, and in some cases driver’s license numbers and dates of birth) was publicly exposed for about one year because of data security lapses by the government.

The Facts

The breach occurred after various state agencies and entities transferred information about individuals to the Comptroller’s office for use in verifying unclaimed property records. The information was required to be provided to the Comptroller by state law. Unfortunately, there were several missteps in how the data was transferred and handled. For starters, the transferred files were required to be encrypted — but they weren’t. Then, Read more…

Sony PlayStation case shows the importance of post-breach forensics

On April 27, 2011, Sony publicly disclosed that hackers had breached its PlayStation Network (which includes its Qriocity video and music-streaming services) and had gained access to 77 million consumer records. This revelation came several days after Sony had shut down the Network, saying at the time only that an outage had been responsible for the interruption. On the 27th Sony disclosed that the compromised consumer information included names, addresses, email addresses, birth dates, login and password information, purchase history, and possibly credit card information. A statement indicated that the credit card information was encrypted, and that there was no evidence it had been taken.

The massive size of the breach has caused much speculation about the expenses that Sony will incur in dealing with the matter. One article said that the costs could rise as high as $24B (yes, billion) Read more…

Is Amazon’s “Cloudgate” a network security matter?

The recent extended outage of Amazon’s “cloud computing” business has generated many questions about what insurance policies would be likely to provide indemnification for losses caused by the crash.

Amazon has a significant cloud computing business, which it calls Amazon Web Services (AWS). AWS rents data storage and web services to its customers. These customers use the outsourced services to avoid the expense and distraction of providing those services for themselves. As a risk management matter, cloud computing customers should make sure that their data is stored in different locations and that they have adequate backup and disaster recovery options in the event of outages or crashes. As such “redundancy” services can be expensive, some of Amazon’s smaller corporate customers did not purchase them. When Amazon’s data center in Northern Virginia experienced an extended outage, these customers did not have effective contingency plans, and their websites performed slowly or crashed. Read more…

Lessons learned from Briar Group data breach settlement with Mass AG

Much has been written about the recent settlement by the Massachusetts Attorney General with the Briar Group in connection with a significant data breach that occurred in 2009. Some of the early postings are very helpful (see links below), some have important mistakes, but I haven’t yet seen any that address a key insurance issue raised by the matter.

The Facts

Some of the basic information, as gleaned primarily from the complaint filed by the Massachusetts Attorney General, is as follows:

  • The Briar Group, LLC owns and operates several bars and restaurants in the Boston area.
  • In April 2009, hackers breached Briar Group’s network security and installed malicious code on its computer systems. Read more…

Breach at email marketing service highlights privacy issues

All over the U.S., people have been receiving emails from familiar corporate giants (including Best Buy, Walgreens, Citi, Home Shopping Network, JPMorgan Chase, Kroger, The College Board, Brookstone, U.S. Bank, and Tivo, among others) informing them that their names and email addresses had been hacked and could possibly be used in phishing attacks attempting to perpetrate financial fraud by convincing individuals to reveal account information, passwords or other confidential information. The hackers’ capture of both names and emails has increased concerns about “spear phishing” – the use of personalized emails containing the customer’s name and maybe even address, as well as the logo of the relevant financial institution. Such personalized emails often appear authentic so that consumers reveal sensitive account or other information. Many of the affected companies have responded by advising their Read more…

Wireless car hacking could lead to product liability disasters

Researchers at UC San Diego and the University of Washington demonstrated that a car’s electronics, including its brakes and locks, could be remotely taken over through the car’s Bluetooth wireless technology. The potential for product liability disasters might come through wrongdoing by criminals intent upon controlling an armored car or a delivery van carrying expensive electronics. It also might allow a disgruntled employee to attack a customer or a boss at a car dealership. Worse, of course, are the implications for terrorism. More information about the study is available in a New York Times article here.

Connect with Phil Edmundson on LinkedIn.
