Issue 111 - May 2021
Cyber Liability Program
By Jim Thyden, Insurance Programs Manager
All members of the Authority have some level of cyber risk exposure. In the last year, members have reported nine cyber incidents to the Authority, many involving significant downtime to member systems, including entire loss of access to servers, email, and phones. It can take weeks for members to fully re-open. In some instances, digital media is never recovered. Additionally, members have been directly defrauded of funds or data has been stolen and released to the public or sold on the dark web. Costs to recover from a cyber incident have ranged from $5,000 to over $250,000 with countless hours of staff time diverted from regular work.
The Authority’s cyber liability program is insured through Illinois Union Insurance Company, a Chubb subsidiary, and provides limits of $1,000,000 per occurrence/$1,000,000 aggregate per member per protection period, and $10,000,000 aggregate shared by all members. The program also includes a self-insured retention (member responsible for payment) of $50,000 per occurrence. This program provides both first- and third-party coverage for members who have incidents involving the following types of losses:
- Cyber Incident Response Fund covers expenses to retain a computer forensics firm and for notifications and credit monitoring needs after a breach.
- Business Interruption Loss and Extra Expenses covers business income loss due to network interruption.
- Digital Data Recovery covers the re-creation of data lost due to a network interruption.
- Network Extortion covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network.
- Cyber, Privacy and Network Security Liability covers loss arising out of the organization’s failure to protect sensitive personal or corporate information in any format.
- Electronic, Social and Printed Media Liability covers infringement of copyright or trademark, invasion of privacy, libel, slander, plagiarism or negligence arising out of the content on the organization’s internet website.
As soon as a member becomes aware of a cyber incident, the first step is to call the Crisis Hotline at (800) 817-2665 or use the Chubb Cyber Alert™ mobile app. Members can find this app in the Google Play store as well as Apple’s App Store. The Authority recommends that all staff who may be responsible for reporting claims download the app and register as soon as possible. When registering, use policy number G70164243 001 and enter your agency’s name in the section for “Company name.” Once registered, the user is able to report a claim at any time. When reporting claims via the hotline or email, members should advise of the name of their agency and that they are a member of the California Joint Powers Insurance Authority.
The hotline and mobile app will connect members to specialists that will take their information and route the incident to one of Chubb’s Incident Response Coaches, their pre-approved law firms that are adept in handling cyber matters. The Incident Response Coach will contact the member to assist with the initial event triage, and can subsequently help to:
- investigate the legitimacy and impact of the event,
- manage the legalities and regulatory communications if sensitive and protected information has been compromised, and
- engage the services of other Incident Response Team Specialists.
When a member calls the hotline or uses the Chubb cyber app and there is determined to be a claim, the response coach with whom the member has been connected via the hotline or app can report the claim on behalf of the member to Chubb. The member also has the option of reporting the claim via email to firstname.lastname@example.org.
Additionally, members are entitled to one free hour of consultation in the event of a privacy incident with a cyber incident response coach. Chubb’s Cyber Incident Response Team can work with members on a range of issues resulting from the incident, including legal, computer forensics, call center, public relations, fraud consultation and credit monitoring.
Even with these coverages, the best solution is preventing the loss in the first place. Educating and training staff is crucial in the fight against cyber criminals.
Chubb provides resources that are specific to cyber exposures, including various training tools related to cyber risk, ransomware, hacking, phishing, etc. These resources are geared specifically for IT personnel, risk managers, and others who have responsibilities in this area. Visit the Chubb website to access these resources. Members will need to log in using an access code, 494718.
Additionally, the following three steps can help strengthen your agency’s workplace cybersecurity.
Three Steps to Ensure Workplace Cybersecurity is Everyone’s Business
A chain is only as strong as its weakest link. You have heard that before, I’m sure. Well, it’s true for chains and it’s true for your organization’s cybersecurity program.
Here are three steps for making cybersecurity everyone’s business in the workplace.
- Start at the top – To create a strong cybersecurity culture, you need leadership buy-in. Leadership must recognize cybersecurity as an identified risk and properly address it through dedicated human and budgetary resources. Cybersecurity risks and best practices should be discussed at regular management meetings. Cybersecurity is no longer an IT issue; it’s a “boardroom” issue.
- Create a cybersecurity culture – Creating a cybersecurity culture includes promoting awareness and making cybersecurity part of the everyday conversation. Companies shouldn’t just perform the annual training and then shelve cybersecurity issues until next year’s training. Rather, continually bring cybersecurity to the top of everyone’s mind throughout the year. Cyber threats and vulnerabilities affect your employees’ everyday duties, and it is important to create awareness. Create a culture of awareness through regular training, awareness posters in common areas, and integrating cybersecurity into the employee review process. Additionally, don’t treat cybersecurity as an afterthought; start creating the culture during the new hire process. Delegate awareness to a department, put someone in charge, and don’t let anyone pass the buck when it comes to cybersecurity awareness.
- Training – Training is a must. “Formal” training should be done at least annually with updates, reminders, and notices sent weekly or bi-weekly. The training should be continuous and broken up into bite-size chunks dedicated to specific topics. Ransomware, phishing, password health, access controls, and mobile devices should all be addressed. Training can take many forms: online, in the classroom, and interactive exercises, individually or part of a group. Mix it up and keep it interesting. Make it fun by rewarding employees for being an essential part of the culture. By implementing regular cybersecurity training, you are addressing one of the major risks of a cyber incident – human error.
Cybersecurity tools and software only go so far. Creating a culture of cybersecurity awareness with everyone in your organization is essential to help prevent harmful cyber attacks.
If you have any questions, comments, or suggestions, or if you need assistance navigating these resources, please contact Jim Thyden, Insurance Programs Manager, by email or at (562) 467-8784.