February 2, 2015
Author: John Link, Vice President of Risk Management
There is hardly a day that passes in which a cyber incident – hacking, illicit fraud, data breach, etc. – isn’t in the news. What was once considered a risk for only the largest of companies (Target, Best Buy, Chase) is now a heightened worry among small and middle-market businesses, including trucking companies.
What are the exposures for transportation companies for a data breach or network issue? Driver files, employee records, cargo, freight information systems, vendor information, health information files, financial data, payroll records and the list goes on and on. “Every company that collects, stores or transmits private information has a cyber security exposure [and] for trucking and transportation businesses, that could include employee and customer information,” says Ken Goldstein, VP and Worldwide Cyber Security Manager for Chubb Group of Insurance Companies.
Here are some fun facts to consider:
- In 2013, the average cost incurred by a company due to a data breach was $188 per record, with malicious attack costs running 1.5x higher* and a HIPAA violation 7x higher
- 40% of all breaches occur in companies with fewer than 1,000 employees**
- 8% of cargo thefts in 2013 were due to fictitious pickup* and this area is on the rise
Take a moment to consider how many digital and paper records you have from applicants, current drivers and past drivers. Now multiply that number by $188 per record. The numbers begin to become staggering for some motor carriers I’ve spoken with.
What can you be doing to protect yourself and protect the data you’ve accumulated?
- Design and set up proper platforms for your network security
- Employee Training on encrypted devices and the importance of protecting equipment
- Keep website security certificates up to date
- Work with experts on the technology needed to best protect your systems
- Hire the right people with the right experience to manage the systems
- Have a sound infrastructure in place for financial transactions – don’t rely on financial institutions
- Develop appropriate contracts with liability transfer and hold harmless provisions – outsourcing does not necessarily eliminate all risk
- Transfer risk with your insurance policy
If you are buying an insurance policy commonly called a Cyber Liability policy, it is vitally important to understand the coverage elements within the insurance policy itself. These policies can exclude more than they cover – so working with an insurance advisor who understands these policies would be best practice.
This policy is typically in two main parts – 1st party coverage (that’s for you) and 3rd party coverage (for others). Below is a breakdown for those coverages and what type of coverage may fall under each part:
3rd Party – Liability
- Privacy Injury – privacy rights violations
- Network Security Liability – theft of others’ information, infection of a third party, damage to others’ networks, others’ inability to access your network
- Content Injury or Broad Form Media – advertising materials, trademark infringement, copyright infringement
- Cyber Terrorism – computer attacks that are acts of terrorism
1st Party – Liability
- Privacy Regulatory Proceeding – cost to notify others of breach
- Network Extortion – payment for extortionist’s demand to prevent network loss or implementation of a threat
- Network loss/damage – cost to recreate or restore to pre-loss condition
- Business Interruption & Extra Expense – loss of income and extra expense
- Event Management – cost to retain public relations services
- Electronic Theft – loss of money, goods, security, trade secrets, intangible property
When considering the purchase of a Cyber Liability policy, some key areas for consideration are the following:
- Buy 1st and 3rd party coverage
- Breadth of coverage: the internet has NO boundaries. Make sure the coverage area is “worldwide” or “universal”
- Whether your Cyber Liability policy protects info on unencrypted devices
- Is there coverage for Business Income/Extra Expense/Dependent Business Income?
- Is there coverage for information in the care, protection, or control of 3rd parties?
- Data restoration costs in your coverage
- Whether your policy covers regulatory actions
- Whether injuries to a company’s corporate clients are covered, not just injuries to natural persons
- Whether the insurance policy covers data transmittals that take place outside of the company’s offices
- If your business accepts payment by credit cards, consider if your policy provides for payment card industry liabilities
- Provides coverage for identity theft resolution services
- Potentially including loss control services in your coverage
- Provides coverage for Property Damage and Bodily Injury
- Are freight costs covered? To what extent?
Ultimately, my underwriter friends believe that it won’t be a matter of “if” your company experiences a data/privacy breach, but rather a matter of “when” those incidents will occur. Planning today and implementing processes and procedures may not completely prevent those incidents, but they can impact the severity of an incident. Insurance is a method to transfer the financial exposure, and premiums are quite reasonable, BUT make sure to build a policy that protects your operations. No two policies are equal, and each should be reviewed carefully.
- * Ponemon 2013 Cost of Data Breach Study
- ** Verizon 2013 Data Breach Investigations Report