In our last post, we discussed several of the common misconceptions that relate to stored data, building on our recent paper about cyber threats and Cyber Insurance. Here, we’re going to expand on that a bit, focusing more on the security infrastructure and threats relating to electronic information.
“I have little valuable information, so the handful of skilled hackers out there won’t target me”
There’s a misconception that breaching a data system is a difficult task requiring advanced skills. This likely stems from the way many high-profile breaches are described. For example, the recent breach of Anthem’s database was described by its President as “a very sophisticated external cyber attack”. Similar language is used almost every time a major breach is reported, but that does not mean every successful cyber attack has to be sophisticated. In fact, there are several places – on the dark web, for example – where would-be hackers can buy ready-made tools, simplified to the point that many have been referred to as “starter kits”. In other words, the skill actually needed to attempt an attack on a system is not significant.
“Sufficient security infrastructure eliminates the risk of a breach”
This misconception is understandable, but it falls apart under scrutiny. Consider your computer’s antivirus. Have you ever noticed how it is constantly updating? This is because new threats are constantly being developed, and only once a new technique for breaching a system has appeared can security experts analyze it and formulate a defense. This means that even the most up-to-date, advanced system cannot protect you against the newest developments, at least not at first.
“Passwords provide significant protection”
Unfortunately, passwords do not provide very strong protection against attempts to breach a system. Depending on the system they are meant to protect, they may prove to be no more than a minor annoyance. For example, there are directions online for bypassing the Windows logon screen – in fact, there is far more than one way. The logon password only gates the operating system session; it does nothing to protect the data stored on the disk itself if that data is not encrypted. This means that a stolen company laptop with unencrypted data on it will almost certainly be breached within a very short time of its theft.
“I don’t need a Cyber Insurance policy, since my Commercial General Liability (CGL) coverage takes care of it”
So let’s say you’ve concluded that you need insurance to protect your data, having reviewed all of the potential risks and recognized how difficult it is to truly safeguard all of your information. You might immediately assume that your CGL policy covers these risks – after all, virtually every company carries one to some extent. However, a standard CGL policy excludes most types of cyber claims.
Cyber risks are new, and in response the insurance industry is developing a new class of insurance policies. Because this area of insurance is still relatively undeveloped, these cyber policies are non-standard and often contain endorsements that restrict or modify coverage. Any company seeking to purchase cyber coverage should be cautious: each policy should be tailored to the company’s particular exposure and carefully reviewed to avoid gaps.