Newsletter Article
April 2024

Protecting Your Company from Cyber Threats

At the 2023 NCEO Annual Conference in Kansas City, one of the best attended sessions was on cybersecurity. That’s not surprising in light of the growing threat that gaps in security can pose to a business.

Blake Brown of the Baker Group, Mike Weiss and Ross Ingersoll of the employee-owned insurance company Holmes Murphy, and Evan Rice of Guide Star provided a useful roadmap of how to stay protected.

According to Weiss and Ingersoll, one insurance carrier said the average ransom payment made in 2023 was $537,036, nine times what it was five years before. A second carrier said its loss ratio was 150%, while a third said breach response costs have increased 220% since 2016.

The speakers identified the top underwriting concerns, including:

  • Multi-factor authentication
  • Endpoint detection and response
  • Employee training, policies, and procedures
  • Robust backup and recovery procedures

When selecting an insurance policy, setting the right limit for your business is a difficult decision. The potential costs can vary widely, not only with the kind of work you do, but also the kind of attack you experience. Engaging an expert from outside your insurance carrier can help you navigate this. Threats to cover include ransomware, cyber extortion, business interruption, and “social engineering fraud” (using psychological or other ruses to convince people to provide information and/or access they should not have). There are often sub-limits on social engineering fraud. You may also want to be insured for widespread events, such as a denial of service for an entire network, but your carrier might exclude these potentially catastrophic events. Oftentimes, there are also exclusions for a failure to maintain the appropriate systems.

While getting good insurance is essential, this is one product where you would be happier never to actually get what you pay for. Create a checklist you can regularly review. Using a third-party framework can help provide the needed expertise if it does not exist in house. Key elements include:

  • Training
  • Having a managed firewall
  • Multi-factor authentication (MFA)
  • Email management and filtering
  • Backup and recovery
  • Managed detection and response (MDR)

The outside advisor or an in-house expert (or both) should run periodic audits, tabletop exercises, and supply chain reviews. Make sure you have playbooks for various scenarios. Invite your carrier to send a representative to review your exercises and procedures. Consider joining organizations that focus on cybersecurity (such as the Information Systems Audit and Control Association, the Internet Security Alliance, or the International Information Systems Security Certification Consortium). Getting your IT staff cybersecurity certified may be worth the investment. There are also a variety of tools you can invest in that detect or prevent incidents. You may want to engage a managed security service provider or a virtual security service provider.

Playbook Essentials

Determining how the breach/incident occurred is vitally important. Forensics can take a long time, and during that period, what is being evaluated cannot be used for business functions. You may need to quickly acquire additional resources to take the place of those that can’t be used. Forensics costs can add up quickly.

If there is a breach, aside from reputational damage, there could be lawsuits from affected clients, employees, vendors, and others whose data has been exposed. Credit monitoring for any lost private information will be needed. You may even lose customers or suppliers.

Your ransomware playbooks must include an option to pay the ransom. Threat actors will do research on your organization and will typically request a ransom that is hard to accept but not out of reach.

Businesses that store private personal information should take note of the FTC Consent Order and take the following lessons to heart:

  • Develop a written information security program (“WISP”) which identifies reasonably foreseeable internal and external risks to the security and confidentiality of customer information that could lead to the unauthorized disclosures of private personal information;
  • Continually assess the sufficiency of the institution’s safeguards and operational risks including detecting, preventing, and responding to attacks against the institution’s systems;
  • Evaluate and adjust the WISP in light of relevant circumstances and changes in the company’s environment, business offerings and operations, and the results of security testing and monitoring;
  • The FTC has established through the Wyndham litigation that it has authority to bring claims against businesses for cybersecurity intrusions under the unfair and deceptive practices provisions of Section 5 of the FTC Act;
  • The FTC expects all businesses to adhere to the cybersecurity practices required by Section 5 of the FTC Act; and
  • Businesses should carefully monitor FTC Consent Orders regarding data breaches and use those consent orders to better model their practices.

With the rise of artificial intelligence, cyberattacks can only become more widespread and persuasive. Taking the threat seriously is vital for any business.

ERISA Requirements

In 2021, the Employee Benefits Security Administration announced its own cybersecurity guidelines for ERISA plans. The guidance is broken down into three areas:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  • Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.