Published Since 1865 Boston, Mass. August 19, 2016 Vol. 279 No. 4

www.spcpub.com

Standard Publishing Corporation

THE STANDARD, New England's Insurance Weekly

Special focus on Professional Liability/D&O

Perspectives for Professional Service: Navigating Cyber and Emerging Crime Risks

By: Mike Herlihy and Dan Knise

As hackers and organized crime rings look for new ways to steal funds and gain illegal access to confidential corporate and personal financial information, professional service firms are increasingly becoming targets of their attacks.

Although the most widely reported attacks have been those against retail outlets (with credit card data), hospitals and banks, a much broader array of attacks is being targeted at businesses in nearly all sectors, including professional services firms. The incidents vary widely and include:

• Cyber extortion, where perpetrators steal or encrypt a company's data, or take control of its network, and only restore access to the owners in exchange for a ransom, typically paid in Bitcoin.

• Theft of personally identifiable information (name, address, Social Security number, etc., of any employees, trading partners or clients) and/or sensitive client data (on their employees, customers or proprietary information or trade secrets).

• Denial of service attacks, in which perpetrators either shut down the victim's network or use unauthorized access to the victim's systems to shut down another party's network (for example, with self-replicating malware).

• Fraudulent transfer of funds, which can occur through the use of malware that records computer keystrokes (a keylogger) to capture bank PIN and account information, or through a so-called "phishing" scheme (often called business email compromise or CEO fraud) in which perpetrators use email to impersonate a top executive and convince unsuspecting employees with financial access to wire funds for an alleged business transaction.

In addition, there are widening concerns about materials published on the internet and social media sites, which create the possibility of copyright infringement, libel and slander.
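The executive-impersonation phishing described above is usually caught by looking at the mail headers before anyone acts on the message. The following Python script is an added example and not part of the original article; the firm domain example-firm.com, the executive roster and the three sample messages are constructed for illustration. It flags three common tells: an executive's display name on an address that is not that executive's mailbox, a sender domain one or two characters off the firm's own, and a Reply-To header that diverts replies elsewhere. Only once a header tell fires does it note payment language in the body, so routine internal finance mail is not flagged.

```python
"""Flag inbound mail that impersonates a firm executive (CEO-fraud style phishing).

Added example, not code from the original article. The firm domain, the
executive roster and the sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "example-firm.com"                      # assumed firm domain
EXECUTIVES = {                                        # assumed roster: name -> real mailbox
    "Jane Doe": "jdoe@example-firm.com",
    "Robert Roe": "rroe@example-firm.com",
}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|urgent|confidential)\b", re.I)


def _norm(name: str) -> str:
    """Case-fold and collapse whitespace so 'jane  DOE' matches 'Jane Doe'."""
    return " ".join(name.casefold().split())


_EXEC_BY_NAME = {_norm(name): mailbox.lower() for name, mailbox in EXECUTIVES.items()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; fine for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """Domains within two edits of the firm domain, or that embed it
    (example-firm.com.attacker.example); genuine sub-domains are allowed."""
    if domain == FIRM_DOMAIN or domain.endswith("." + FIRM_DOMAIN):
        return False
    return edit_distance(domain, FIRM_DOMAIN) <= 2 or FIRM_DOMAIN in domain


def classify(raw_message: str) -> dict:
    """Return the sender, a suspicious flag and the reasons behind it."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    reasons = []

    expected = _EXEC_BY_NAME.get(_norm(display))
    if expected and sender != expected:            # executive's name on a foreign address
        reasons.append(f"display name '{display}' belongs to {expected} but sender is {sender}")
    if is_lookalike(domain):                       # domain registered a character or two off
        reasons.append(f"sender domain {domain} resembles {FIRM_DOMAIN}")
    if reply_to and reply_to != sender:            # replies silently go to the attacker
        reasons.append(f"Reply-To diverts replies to {reply_to}")

    suspicious = bool(reasons)
    hits = sorted({w.lower() for w in PAYMENT_WORDS.findall(body)})
    if suspicious and hits:                        # payment talk matters once a header tell fires
        reasons.append("payment language: " + ", ".join(hits))
    return {"sender": sender, "suspicious": suspicious, "reasons": reasons}


# Constructed sample messages: one genuine, two fraudulent.
SAMPLES = {
    "legitimate": (
        "From: Jane Doe <jdoe@example-firm.com>\n"
        "To: ap@example-firm.com\nSubject: Q3 summary\n\n"
        "Please send the quarterly summary when it is ready.\n"
    ),
    "spoofed_reply_to": (
        "From: Jane Doe <jdoe@example-firm.com>\n"
        "Reply-To: jane.doe.ceo@webmail.example\n"
        "To: ap@example-firm.com\nSubject: Urgent wire\n\n"
        "I need you to wire $48,000 today for a confidential acquisition.\n"
    ),
    "lookalike_domain": (
        "From: Robert Roe <rroe@example-firrn.com>\n"
        "To: ap@example-firm.com\nSubject: Invoice\n\n"
        "Please process the attached invoice by wire transfer before noon.\n"
    ),
}


def scan_samples() -> dict:
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name:17} {verdict:10} {'; '.join(result['reasons'])}")
```

The second sample shows why the Reply-To check matters: its From line is a perfect copy of the executive's address, which a mail gateway without SPF and DMARC enforcement will accept, and only the diverted reply address gives it away. A check like this complements gateway authentication; it does not replace the out-of-band callback to a known phone number before any wire is released.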

For any business, effective cyber risk management starts with understanding its potential exposures, safeguarding data, preparing for a cyber event, evaluating insurance options and making adjustments to computer systems and computer usage to guard against an attack.

Assessing and Managing Cyber Threats

Firms should catalog all confidential data they own or maintain for clients and make sure they have an effective security program in place. Data security measures generally include: conducting ongoing risk assessments; investing in state-of-the-art security; and regularly testing the integrity of systems. Employees and vendors should be informed of the firm's security procedures, and these policies should be updated periodically and reviewed with them.

Preventing cyber-related crime and breaches calls for several measures, including:

• A system of financial controls that separates requests for payment from approvals and check issuance and signature.


• Monthly reconciliation of bank statements and accounting records to track receipts and payables.

• Requiring two approvals for any wire or automatic clearing house transfers.

• A secure computer network, including firewalls, encryption, anti-malware protection and other barriers to unwanted intrusions.

• Back-up storage of data that allows you to quickly restore information that is lost, stolen or compromised. Keep at least one copy offline or otherwise out of reach of an intruder who controls the network; otherwise a cyber extortionist can encrypt the backups along with everything else.

• Having strong, unique passwords (at least 12 characters) and changing them when compromise is suspected. Current guidance (NIST SP 800-63B) no longer recommends routine scheduled changes, and multi-factor authentication should be added wherever it is available.

• Protecting laptops, backup media and thumb drives with whole-disk encryption. Firms might also consider a standardized desktop equipped only with firm-issued software.

• Protecting servers by securing them in a locked rack, closet or room.

• Smaller firms might consider using a single integrated product to address spam and viruses, and should be vigilant about ensuring any software patches are applied on a timely basis.

• When terminating employees, immediately cut all access (including remote) to the network and cancel the employee ID.

• Instruct employees to use wireless hotspots with great care and provide a virtual private network (VPN) or other encrypted connection for remote access.
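The financial controls at the top of this list (separating the request for payment from its approval and from issuance, and requiring two approvals for any wire or ACH transfer) can be enforced in software rather than left to convention. The following Python module is an added example, not code from the original article or from Ames & Gough; the user names, role assignments, vendor master file and sample IBANs are constructed for illustration. It rejects self-approval, a repeated approval by the same person, release by anyone who requested or approved the payment, and any payment to an account that is not on the vendor master file (the changed account number on an e-mailed invoice is the usual fraudulent-transfer lure), and it records every decision in an audit trail that feeds the monthly reconciliation the list also calls for.

```python
"""Dual-control payment release with separation of duties.

Added example, not code from the original article. Users, roles, the vendor
master file and the sample IBANs are constructed for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal

ROLES = {  # assumed role assignments
    "alice": {"requester"}, "bob": {"approver"}, "carol": {"approver"},
    "dave": {"requester", "approver"}, "erin": {"issuer"},
}
VENDOR_ACCOUNTS = {"Acme Supplies": "GB29NWBK60161331926819"}  # assumed vendor master file
REQUIRED_APPROVALS = 2  # two approvals for any wire or ACH transfer


class ControlViolation(Exception):
    """Raised when an action would break a financial control."""


@dataclass
class Payment:
    ref: str
    requester: str
    beneficiary: str
    account: str
    amount: Decimal
    approvals: list = field(default_factory=list)
    state: str = "requested"


class PaymentWorkflow:
    def __init__(self):
        self.payments = {}
        self.audit = []  # (ref, actor, action, outcome): feeds the monthly reconciliation

    def _log(self, ref, actor, action, outcome):
        self.audit.append((ref, actor, action, outcome))

    def _require_role(self, user, role):
        if role not in ROLES.get(user, set()):
            raise ControlViolation(f"{user} lacks the {role} role")

    def request(self, ref, requester, beneficiary, account, amount):
        self._require_role(requester, "requester")
        # Pay only accounts on the vendor master file; a "new" account number on an
        # e-mailed invoice is how fraudulent transfers are usually steered.
        if VENDOR_ACCOUNTS.get(beneficiary) != account:
            self._log(ref, requester, "request", "rejected: account not on vendor file")
            raise ControlViolation(f"account for {beneficiary} is not on the vendor file")
        self.payments[ref] = Payment(ref, requester, beneficiary, account, Decimal(amount))
        self._log(ref, requester, "request", "accepted")
        return self.payments[ref].state

    def approve(self, ref, approver):
        p = self.payments[ref]
        self._require_role(approver, "approver")
        if p.state != "requested":
            raise ControlViolation(f"{ref} is {p.state}, not awaiting approval")
        if approver == p.requester:  # separation of duties
            self._log(ref, approver, "approve", "rejected: self-approval")
            raise ControlViolation("a requester may not approve their own payment")
        if approver in p.approvals:  # two approvals means two people
            self._log(ref, approver, "approve", "rejected: duplicate approver")
            raise ControlViolation("the second approval must come from a different person")
        p.approvals.append(approver)
        if len(p.approvals) >= REQUIRED_APPROVALS:
            p.state = "approved"
        self._log(ref, approver, "approve", f"accepted ({len(p.approvals)}/{REQUIRED_APPROVALS})")
        return p.state

    def release(self, ref, issuer):
        p = self.payments[ref]
        self._require_role(issuer, "issuer")
        if p.state != "approved":
            raise ControlViolation(f"{ref} is {p.state}, not approved for release")
        if issuer == p.requester or issuer in p.approvals:  # issuance is a third pair of hands
            raise ControlViolation("the issuer must be independent of requester and approvers")
        p.state = "released"
        self._log(ref, issuer, "release", "accepted")
        return p.state


def demo():
    """Walk one legitimate payment through, then show three rejected actions."""
    wf = PaymentWorkflow()
    outcomes = []
    wf.request("PAY-1", "alice", "Acme Supplies", "GB29NWBK60161331926819", "25000")
    outcomes.append(wf.approve("PAY-1", "bob"))       # 1 of 2: still "requested"
    try:
        wf.approve("PAY-1", "bob")                     # same approver twice
    except ControlViolation as exc:
        outcomes.append(str(exc))
    outcomes.append(wf.approve("PAY-1", "carol"))     # 2 of 2: "approved"
    outcomes.append(wf.release("PAY-1", "erin"))      # independent issuer: "released"
    try:  # invoice carrying a changed account number (constructed sample IBAN)
        wf.request("PAY-2", "alice", "Acme Supplies", "GB94BARC10201530093459", "9800")
    except ControlViolation as exc:
        outcomes.append(str(exc))
    wf.request("PAY-3", "dave", "Acme Supplies", "GB29NWBK60161331926819", "4200")
    try:
        wf.approve("PAY-3", "dave")                    # requester approving own payment
    except ControlViolation as exc:
        outcomes.append(str(exc))
    return wf, outcomes
```

Running demo() releases PAY-1 only after two different approvers and an issuer who is neither of them, and refuses the other three actions with a reason that also lands in the audit list. Changes to the vendor master file itself deserve the same two-person rule, since an attacker who can edit the account number on file defeats the check in request().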

Preparing for a Cyber Event

Regardless of how careful any business is in protecting against a cyber incident, it's likely that one will occur. So, firms of any size need to be prepared.

Start by establishing a multi-disciplinary team to develop a plan and respond when a breach occurs. The plan should include procedures for identifying and containing the breach, investigating its cause, remediating it, analyzing its implications and notifying the necessary parties, including the insurance company.

These measures can be complemented by effective insurance coverage. As cy-ber insurance has become more readily available, many businesses now consider it a critical element of their overall risk management program.

Checking Insurance Protection

The first step in evaluating insurance is to consider what, if any, coverage for a potential cyber incident may be available under a firm's existing insurance policies. Notably, some standard insurance policies, especially crime policies and professional liability insurance policies, may offer limited coverage for cyber risks.

For instance, many professional service firms purchase packaged insurance programs, which include coverage for general liability, property and certain other exposures. Some of these policies offer limited data breach coverage for forensic costs and other expenses.

Some professional liability insurance policies afford liability coverage for claims arising out of cyber events. Typically, coverage is limited to claims brought by clients for breaches of the security systems that might take place during the performance of professional services. There also is coverage for claims brought by employees when their personally identifiable information is stolen from the company computer system.

Cyber/network security insurance, which is purchased by a growing number of professional service firms, covers both the first-party loss suffered by the company itself as well as liability claims brought against the company for loss suffered by others as a result of a security breach. While these insurance policies vary by insurer, many typically include coverage for the following:

• First-party loss, such as the costs to notify affected individuals; credit and identity theft monitoring (including credit thaws and freezes); public relations and external forensic expenses; and cyber extortion/ransom payments.

• Business income interruption for loss of income/profit due to a breach or denial of service attack.

• Costs to repair damaged systems and hire consultants to restore the computer system.

• Loss of money or securities due to fraudulent electronic instructions to wire transfer funds.

• Media liability, including costs arising from trademark or copyright infringement and related causes of loss.

• Coverage for claims brought by clients, employees and third parties who suffer loss as a result of the breach of a company's computer system.

Significantly, these policies may include services, such as websites or access to experts, to help insureds prevent losses and to assist them should a breach occur. They can be helpful even before a crisis arises.

Understanding the Limitations of Cyber Insurance

Even though cyber insurance policies have come a long way in recent years, they are not a panacea for managing these complex and substantial risks. Buyers should review these policies carefully and identify any specific restrictions or limitations.

For instance, many cyber policies don't cover theft of hardware from the insured's premises. They also may limit protection for breaches to those involving U.S. privacy statutes or regulations, a potential concern for firms with international operations or clients.

Some policies may have low sublimits for fraudulent fund transfers, forensics and crisis management expenses, which can leave firms without enough coverage to investigate where their systems were infiltrated or to address the costs of managing an incident-related crisis. Other coverage restrictions might apply to restoration of intellectual property or proprietary business information.

Crime/Employee Dishonesty Insurance

The widespread use of the internet has also created an environment where various types of phishing scams have increased. At the same time, employers must become more vigilant about employee crime and theft. Some protection can be found under various crime or fidelity insurance policies.

For smaller and midsized firms, this coverage often is available as an add-on to a package insurance policy. Generally, the limits of coverage provided under this approach range from $25,000 – $100,000 with a relatively narrow coverage grant.

This may be sufficient for smaller firms; however, since the costs for crime insurance are relatively affordable, any size business ought to consider purchasing stand-alone crime coverage. The policies often can be written for a three-year term and premiums are quite reasonable. Some key coverage considerations are:

• Limits — These usually run from $500,000 to $5 million or more depending on the size of the firm's revenues and assets.

• Deductibles — Typically, $5,000 to $25,000, depending on firm size and limit purchased (higher limits tend to have higher deductibles).

• Key extensions — It is critical that the policy include funds transfer fraud and computer fraud. More claims are arising from these forms of theft, which may be excluded from the coverage provided under a package policy. Another key extension, "third-party coverage," addresses losses by a client or others if their funds are, for some reason, in the insured firm's control.

As internet and cyber-related risks become increasingly widespread and complex, professional service firms should take a comprehensive approach to manage them. This includes assessing potential risks, implementing sound risk management and crisis planning, evaluating available insurance, including stand-alone cyber and crime policies, as well as monitoring and updating programs as dictated by changes in their firms' size, scope of business and use of technology.

Mike Herlihy, executive vice president and partner, Ames & Gough, is head of New England operations. Based in the Boston office, he can be reached at [email protected].

Dan Knise is president and CEO, Ames & Gough. Based in the Washington, D.C. office, he can be reached at [email protected].

Reprinted by permission of Standard Publishing Corp. © 2016.

