Fishing or Phishing: Coverage to Mitigate Cyber Crime
November 1, 2019
Over the past four months, we have raised awareness of cyber risk by identifying areas of vulnerability, discussing preventive measures and “best practice” techniques, and exploring the various types of risk and attacks affecting the industry. We noted the Coast Guard’s position that having a robust response plan in place will be more effective than relying solely on prevention. We mentioned several times that if you’ve discussed risk transfer options with your insurance broker and have proper coverage in place, you are ahead of the curve. Finally, we pointed out that traditional hull and protection and indemnity (P&I) policies are either silent or specifically exclude cyber-attack as a covered peril. Even if you think you are covered, you may not be. It’s wise to have an honest discussion with your broker to determine whether you have the cyber risk coverage you think you have.
You’ve worked hard to build your assets – let’s explore a few of the common cyber coverages needed to best protect them.
Breach Event Response Costs Coverage
Breach response is required by law in all 50 states and internationally, and can include notification costs, several years of credit monitoring for individuals and/or companies whose data has been exposed, forensic and investigative costs, public relations and legal costs. Breach event response coverage seeks to address these costs (and in many cases, more). The coverage is negotiated and placed onto a cyber policy, which should include pre-selected vendors who will provide the above services in the event of a covered breach. Without this coverage, you would need to secure and work with all of these parties during an event.
Security and Privacy Liability Coverage
Security and privacy liability coverage protects the insured when a third party claims damages were incurred because of a security or privacy failure. Most basic policies limit coverage to the organization only and do not cover liability assumed under a contract, whereas a more comprehensive policy can extend coverage to include this type of liability.
Privacy Regulatory Expenses and Penalties Coverage
This coverage addresses fines and penalties imposed by the courts (civil) or regulatory agencies. As we mentioned in the last article, UW Medicine agreed to a settlement of $750,000, plus a corrective action plan and annual compliance reports. As more localities, states, countries and specific regulatory bodies levy cyber event penalties, it is worth noting that fines and penalties can be significant. Without proper coverage in place you would need to bear these costs “out of pocket.”
Cyber Extortion Coverage
As we mentioned previously, the U.S. Department of Homeland Security’s Cyber & Infrastructure Security Agency states, “… ransomware has rapidly emerged as the most visible cybersecurity risk.” According to the 2018 Internet Crime Report, the FBI received 351,936 complaints of suspected Internet crime, with reported losses in excess of $2.7 billion. Keep in mind that criminals attempting to extort you will likely demand payment in bitcoin or other cryptocurrencies, which often involve significant cost to procure or “mine.”
Cyber extortion coverage is intended to address ransomware attacks. And while many policies on the open market will pay the ransom amount, most of these policies limit coverage to the amount of the ransom and will only deal in traditional forms of payment. A comprehensive policy should include coverage for the ransom amount, payable in cryptocurrency, plus any forensic costs and costs associated with ensuring the ransomware attack is over. It’s critical to work with vendors who have bitcoin on hand so that you’re prepared to respond quickly to a ransom demand. As we’ve heard before, “time is money.”
Business Interruption Coverage
Business interruption coverage provides protection against the loss of business income and any extra expenses incurred if your operation is disrupted, impaired, or completely shut down due to network damage, security failure or a virus. Most policies limit this type of coverage to disruptions that are caused directly by your actions. However, if your network goes down because of somebody else’s security failure, you may find that you have a gap in coverage. For example, if one of your IT providers suffers a cyber event that shuts down your operations, your policy would only be triggered if you have contingent business interruption coverage in place. If you currently have a cyber policy, ask your broker if that policy would address contingent business interruption and from what kind of service provider.
Additionally, most “off-the-shelf” policies require a 12-48 hour waiting period before coverage kicks in. Once again, “time is money.” When you’re losing fishing time due to mechanical failure or breakdown, you do whatever it takes to get the boat running again as soon as possible with the least financial impact. It should be the same in the case of a cyber-attack. For that reason, a comprehensive policy would reduce the 12-48 hour waiting period to a more reasonable 6-8 hours. Waiting periods are negotiated and present on any policy with business interruption coverage.
Network Recovery Protection Coverage
This coverage responds to reasonable and necessary costs and expenses required to restore a network following a cyber-attack. Typical policies are limited to actual network reconstruction costs and wouldn’t include any costs related to mitigation, forensics or notification. In addition, typical policies do not address the issue of replacing any licenses that may have been compromised during the cyber event. A comprehensive policy should address all of these, including license replacement.
Multimedia Liability Coverage
Multimedia liability coverage is designed to address claims alleging copyright or trademark infringement, libel, plagiarism and personal injury resulting from the dissemination of electronic, or in many cases, printed material. Standard policies may limit this coverage to the website of the insured. For coverage to be truly considered “multi-media,” it should not be limited to the insured’s website. It should apply to all web-based content, including social media.
Clean Up Set
Regulators, environmentalists, farmed and “fake” fish, foreign competition, tariffs and changing ocean conditions can all potentially threaten your fishing business. The potential for a cyber-attack is just the latest threat. And while the threat of a cyber-attack may be the hardest to visualize as affecting your business, it’s something you can tackle successfully with effective insurance and risk transfer. Talk to your insurance broker about your options.
Mark Gleason represents USI Insurance Services in the maritime and related markets. He has spent 24 years in the maritime industry, including 13 years as a commercial fisherman in Alaska, Washington, and California, and as Executive Director of a fishing industry trade association.