Fortify & Protect: Mastering the Top 4 Cybersecurity Steps for Business Liability Prevention

Cyber liability and cyber security are going to be the single two most important factors in any business going forward. These are things which really didn't exist within business up until about five or six years ago. As a small business, medium cap, or even a large publicly traded company, cyber security and cyber protection, and liability for those are going to have more of an impact on a business's success than anything else.

It's been reported that 60% of businesses that have a serious cyber attack close within two years. It's also reported that the liability for any kind of cyber risk or vulnerability extends beyond just that loss. If you're on the board of a public company and you haven't done sufficient efforts to protect your company against cyber, there are SEC regulations that kick in that the board may have liability. There's also a requirement that certain companies have to report any cyber attack on their business to the government. Even car dealerships have to report cyber events because they carry lots of information about consumers.

So, there are four different elements of cyber security and cyber liability that a business should be concerned about. The first one is prevention. Sounds easy, right? Simple things like two-factor authentication on your logins, physical security of things like servers and equipment, regular updates of patches and software, current versions, and active monitoring of your system. Anytime you have a system with more than two or three computers, you want to have active monitoring.

How do you do that? Well, you'll have an IT person in-house that's good. You want to have them protected, but that's not enough because the hackers are coming up with new methods of hacking every single day and your IT person, as good as they are, is not seeing all of the new attacks that exist across the board. So, you want to have third-party active monitoring that can come from your insurance company. Most cyber liability insurance policies that are pure standalone policies, not just a rider or add-on to your liability policy, will have active monitoring.

If you purchase a separate substantial cyber liability insurance policy, it will have active monitoring in most cases. Check your policy, make sure you get it from an insurer that has active monitoring. What does that mean? They're going to install either hardware or software on your system. It might be a patch, it might be some little download to put on your system, or it might even be a physical device that's attached to your network. What that will do is it will monitor all your network traffic to see if there are hacking events which land on your system.

The good news about hacking events or ransomware events is that they usually result from monitoring of your system for many, many weeks. So once you see it's on there, you can actually shut it down before it happens. We'll talk about that more a little bit later. Also part of prevention is employee and staff activities. Many of the hacking events and the cyber attacks come from social engineering where an employee is coerced or tricked into doing something to allow access.

The next level of cyber security is called mitigation. After prevention is mitigation. What that means is if there is an event that happens, you have things in place that will either keep it from doing damage or minimizing the damage. The active monitoring is part of that, a response team. If you have a cyber liability insurance policy, you will have more than likely an active response team. As soon as you know about any event, you pick up the phone, you call your insurer, and they have an active response team that will jump into action right then.

They will start defending your system, they will start blocking further damage, they will start retrieving records that have been compromised. That's part of your mitigation practice. The other part of your mitigation practice, of course, is backups. But backups are tricky because if you only back up once a day, everything that happened since your last backup is now compromised. And if that hack went on for a week, you might have a week's worth of old data. So, it's not just simple backup to a hard drive, it's having resiliency where you have a mirrored system that if one system is compromised, you can just switch over.

It's called a failover system to the other set of hardware. It's a little tricky to do, but once it's set up, it takes very little effort to keep it running. You also want to have them firewalled from each other with an air gap too. So, if one system is compromised, the other one doesn't have that same defectiveness within it. Also, with mitigation comes best practices. Once something happens, it's almost like red alert. In addition to your outside third-party response team stepping in, you want to have procedures for your internal staff of what they're supposed to do.

The third leg of the table or the platform of cyber security is response. How do you respond to it? It's a little bit different than mitigation. It's after the fact. What do you do initially? Do you have a place where you can deploy additional hardware? Maybe you have a set of computers, a set of monitors that's stored in a storage facility or in another office that you can put into place immediately. Maybe you have as part of your response structure a notification that goes out.

One of the responses that's required is most states have requirements that if your customers' records are compromised by a third party, you are required to notify the government and those customers within a certain period of time. If you don't do that, it can add liability and fines and payments to third parties for not notifying in the proper timeframe. Part of the response also is to go through your census of devices. You should have a census of all your devices, know what the list of all your devices connected to your network are or all your electronic devices, and you go through each one and you check the status of each one to see if it's been compromised. That's part of your response process.

The last leg of that table is your viability, your resiliency, your ability to thrive even if all of your other methods fail, your prevention, your mitigation, your response fail, and you have a catastrophic loss. How do you have viability? It may be capital reserves, it may be an additional pathway for accounts receivable. You have to have a plan in place for if, worst case scenario, you have damage, how are you going to survive as a business? Maybe, you know, a payroll line of credit if you don't get your receivables in, maybe, if your bank accounts are compromised, having some type of insurance policy.

Having cyber liability insurance, you have to have a worst case scenario doomsday plan in place for resiliency, viability, and survival of your business. If you put those four elements in place, prevention, mitigation, response, and viability after the fact, you now have a scenario where a cyber attack, which is highly likely, can do the least amount of damage to your company and to your personal finances and the security of the people that work for you, the people that rely on you for a place to work, and also your clients and your vendors. They rely on you for product and rely on you for business.

Cyber attacks, if not already, are likely more probable to a business than a fire, than a physical damage to your building. There's insurance coverages and plans in place for all those things. You have a sprinkler system, you have fire insurance, you have a response system, the fire department. So, a physical threat like a fire or an earthquake or a flood has systems in place. You likely don't have that same depth of plan for a cyber event and a cyber event is much more likely. High percentages of businesses have these cyber events. It's only a matter of time till the serious one will hit your business and you want to be prepared for it because your business is what drives your personal life, affluence, and the security of your employees and those around you.
