Modern cyber policies need to do much more than just provide basic coverage should a business fall victim to a cyber breach or attack. As new cyber risks emerge, there’s an increasing need for a proactive, consultative approach from brokers, agents, and insurers.
In 2018, in response to new risks, NAS Insurance re-engineered its NetGuard® Plus cyber liability policy. The updated policy aims to help businesses of all sizes combat cyber crime and growing risks from third-party service providers, and now includes free pre-breach expert consultation, additional defense costs (outside the limit) built into the policy, telephone consumer protection act (TCPA) defense coverage, and system failure coverage for insureds’ service providers.
Here, Jeremy Barnett (pictured), senior vice president of marketing at NAS Insurance, outlines two scenarios in which coverage features of the new NetGuard® Plus policy played a crucial role in minimizing the impact of a cyberattack for clients.
In the first example, a large hotel chain suffered a data breach due to a form of social engineering called “pretexting” in which an individual tricks another party into divulging confidential information.
“In this case, the hacker posed as an employee in the hotel chain’s corporate IT department and convinced two other employees to enter their employee IDs and passwords into a fake, or ‘phishing’, website,” Barnett says. “The hacker used the employees’ security credentials to access the personally identifiable information (“PII”) of hotel guests. The breach exposed the names, home addresses, email addresses, phone numbers, drivers’ license numbers, license plate numbers, credit card numbers and telephone numbers of thousands of customers.”
The Federal Trade Commission (FTC) investigated and found that a lack of technical safeguards, such as multi-factor authentication, contributed to the theft of customer information.
“At the conclusion of its investigation, the FTC ordered the company to pay civil penalties. The insured’s cyber liability insurance covered the civil penalties, as well as any costs associated with defending the hotel chain in the investigation,” Barnett notes.
In the second scenario, the manager of a popular local tavern inadvertently downloaded an email attachment that appeared to be from his bookkeeper. The file contained the ‘CryptoLocker’ virus that encrypted files on his computer, including the QuickBooks files that are used to manage the restaurant’s finances and payroll.
“When he tried to access an encrypted file, a message appeared that notified him that all files have been encrypted and will only be unlocked if he paid a ‘ransom’ using BitCoin,” Barnett explains.
“After consulting with his insurance agent and their insurer, they were informed that this type of ‘cyber extortion’ is covered by the cyber liability insurance policy. The restaurant manager engaged an IT expert referred by the insurance company and determined that the threat was real and that the best course of action was to pay the ransom and assess further exposure and/or loss.”