It’s a saying that has been around for years…it’s not if, it’s when. That saying applies seemingly absolutely to cyber-attacks. It’s not if your entity will be attacked, it’s when. In 2017 Equifax had a breach which resulted in 143 million records being compromised. Equifax isn’t the only large entity to suffer a breach, 3 billion Yahoo accounts were compromised in 2013; 76 million JP Morgan Chase and 145 million eBay accounts in 2014 were compromised. It’s not just large public agencies facing these challenges, the US Office of Personnel Management had a breach in 2012 which resulted in the compromise of 22 million records. That is quite the expanse of information being shared about the internet.
We hear the term ‘cyber liability’ all the time, but some may not even know what that means. Cyber liability is liability arising from a data breach in which some personal information is exposed or stolen by someone who has gained access to the electronic network. If your network is breached, you may have liability to notify someone whose data has been stolen, to offer credit monitoring, to pay costs to defend claims made by state regulators, to pay fines and penalties associated with a breach and to pay losses associated with identity theft. The liability cost of a breach, as reported in 2016, was $221 per compromised record.
Cyber breaches and attacks not only impact clients and consumers outside of your entity, it also impacts your entity directly. First party exposures include business interruption, including the cost of shutting down operations during the breach; data loss and destruction resulting in costs to recoup or recreate data; computer and funds transfer losses; and cyber extortion which is the attach or threat of an attack against an enterprise coupled with a demand for money to avert or stop the attack.
There are different types of cyber-attacks, and different levels of these attacks. Phishing is usually done through the email services of a company. In a general phishing attack, a general email is set out casting a wide net to see if someone will open the door for the virus to be planted. Spear Phishing involves some research being conducted by a hacker prior to engaging in the attack. The hacker will use information gathered about the intended victim’s family, and then use that information in an email to lure the recipient into engaging in the infected email. An example would be the hacker is aware that a family member is out of the country, and may send an email with an infected pdf attachment, claiming that the attachment includes information about how to send money to assist in necessary medical care or transportation. Once the victim opens the attachment, they unknowingly release the virus into the system. There is often a follow up email assuring the victim that there was a mistake and that no emergency exists, all the while the virus is now making its way through the victim’s system, gathering information. A third form of phishing is called whaling. In this instance, a high level party is targeted. A hacker will obtain the credentials of the party and then access their email, usually through a web based account. No immediate action is generally taken, however the hacker will monitor the email correspondence, gathering information and details about the entity’s business. At the right moment, they create an invoice which is sent along, resulting in a fraudulent money transfer, which is generally difficult if not impossible to track or recover. Home buyers have been reportedly tricked into making wire transfers to a hacked escrow account.
Other types of cyber-attacks are known as malware or ransomware. Malware has been shifting and trending into ransomware. Ransomware attacks occur when a hacker encrypts an organization’s files or data, and then requires payment of ransom, often via the use of bitcoin. Bitcoin is a digital asset which is exchanged peer to peer, without an intermediary. Bitcoin can ultimately be exchanged for other currencies, products or other services. Once the payment of the ransom is made, the data is decrypted. Ransomware usually requires some performance or engagement by the end user. There may be a link within an email, a file to be downloaded, an attachment to open or a macro to activate. Ransomware can also be delivered through advertising. Hackers have been known to purchase advertising space and upload a legitimate ad, however if the purchased space is not checked by the host, the ad can later be replaced with infected advertising, which when clicked releases the virus into the system.
Distributed denial of service attacks generally do not involve direct profit for the hacker. It is believed that these types of hacks are done for bragging rights. During a distributed denial of service, a hacker will take down a website of an entity, which can be detrimental to the entity, but with no real visible gain for the hacker himself.
With some very basic and general knowledge of some of the ways that our electronic systems can be attacked, the next logical step is knowing how you can protect your entity. It is important to create and keep up to date backups of all your information. If a ransomware attack is made, having the current information backed up makes the decryption of data less crucial. Additionally, having back up bandwidth to cover the downed system is recommended to keep operations moving. Training employees to understand cyber exposures and how those exposures potentially impact your entity will help limit the number of emails opened or downloads allowed. Operational systems should have appropriate firewalls and data breach protection tools in place. If a data breach occurs, your entity should have a plan in place on how to address the breach.
While the above is not an all-inclusive list, one of the most important ways to protect your entity from cyber liability exposures is to secure appropriate coverage. Members of the SDPAA who have their liability coverage with us already enjoy cyber liability coverage. The coverage applies to website publishing liability, network security liability, replacement or restoration of electronic data, extortion threats, business income and extra expenses, public relations expense, security breach expense and crisis management services.
If you have questions about the SDPAA’s Cyber Liability coverage, or would like more information about becoming a Member of the SDPAA, please visit our website at www.sdpaaonline.org or contact our office directly by phone at 800-658-3633 option 2, by email at sdpaa@sdmunicipalleague.org.
Lynn Bren, AIC SCLA
Director of Member Services
