What to Watch for in 2016
1. A More Sophisticated Criminal Landscape for Stolen Data Emerges
Attacks in 2015 were more acute in their approach and targeted goals. Despite a relatively flat number of data breaches reported domestically in 2015, the number of impacted records nearly doubled. Information available from cyber insurance carriers suggest that actual claims reported to carriers increased 50% in 2015. 2016 will continue to bring even more activity from a variety of threat sources.
2. Cyber Liability Marketplace is Still Evolving
The Cyber Liability marketplace continues to be one of the most dynamic markets in the insurance industry. Loss data is still not sound enough to generate solid rating platforms and carriers are unable to attract the appropriate IT talent to accurately underwrite risks. Industries facing larger exposures must consider agent representation with specialization in this area to ensure proper protection and policy architecture.
3. An Incident Response Plan Cannot be Created After an Incident
A cyber security incident is like a fire – after it happens, there is no time to formalize a response plan. Vendors who specialize in the area of breach response will continue to grow in 2016. Most Cyber Liability policy carriers offer a panel of professionals who, at little or no cost, will take the time to understand and counsel their clients prior to a breach.
4. Vendor Contracts Won’t Always Cover Lost Data
Outsourcing data management and storage is becoming critical to all types of organizations, and will continue to trend upward in 2016. Negotiating terms that are in your best interests will require your diligence in asking the right questions. Data vendor agreements should be negotiated and reviewed with qualified legal counsel, familiar in the area of data management.
5. Ransomware is “User-Friendly” and Phishing Attacks Are Convincing
Critical files must be backed up frequently (hourly if possible). Ransomware is typically deployed through phishing attacks and can be activated by any employee of an organization. Deploy specialized training to employees on how to spot a phishing email and use credible security technology to check the authenticity of all emails, including any embedded files or links.
6. International Data Security Requirements to Surpass Domestic
The GDPR will be enforced on organizations that fail to abide by its rules and do not perform “good faith” efforts to secure data. Understand the type and origin of data being held by your organization and the potential international regulation. Typical Cyber Liability policies contain worldwide coverage territories, but terms and conditions of policies including Duty to Defend and regulatory coverage may be limited by non-domestic regulatory bodies.
7. Cyber Security Remains a Directors & Officers Issue
Regulatory bodies and organizational stakeholders will continue to hold leadership accountable for breaches of privacy due to negligence. Not all Directors & Officers policies will automatically provide cover for claims alleging breach of duty related to a data security. Coverage should be reviewed with a knowledgeable professional for coverage limitations and potential carve back for cyber security claims.
8. Third Party Cyber Breach Class Action Suits
When assessing your cyber security risk, do not completely discount the cost to defend and settle a potential third party lawsuit. Understand your absolute exposure in this area and adequately budget for defense expenses. Understand that companies that have a public brand face increased potential for litigation as the allure of class action litigation by plaintiff attorney’s increases.
9. Federal Cyber Security Regulation is Coming… Just Not Any Time Soon
Clear-cut regulation providing preventative security measures and post-breach notification guidelines will not arrive in 2016. Until this legislation is passed and jurisdiction is appointed, uncertainty surrounding breach response will continue. Proactive cyber security awareness and planning continues to be the best defense to potential regulatory action and penalization. Companies implementing best practices can avoid costly litigation and penalties
10. Social Engineering and Computer Fraud on the Rise
Social engineering and fraud tactics mirror more traditional theft of funds but do so using tools that all professionals use on daily basis. The success of these schemes in 2015 indicate they’ll be on the rise in 2016. Implement and train on internal procedures, such as dual authorization to release funds, to ensure payments are only made to authentic sources. Understand your bank’s protocol for identifying and stopping unusual activity, such as callback procedures.