The Liability of Ignoring Cyber Crime: What can you do to protect your company?

As commerce moves increasingly online, the criminal class is also redirecting their malicious efforts toward the digital sphere.

According to the “2015 Cost of Cyber Crime Study: United States” conducted by the Traverse City-based Ponemon Institute, the U.S. has seen an 82 percent increase in cyber crime in just over half a decade. The Hewlett Packard Enterprise-sponsored study also indicated cyber attacks are now 22 percent more expensive, are happening much more frequently and are taking longer to resolve than they were a year ago.

In the face of this escalating trend, experienced security, risk mitigation and commercial liability experts realize what some local business owners seem not to: Traverse City is no longer immune to cyber threats.

“There are companies right here in Michigan, small companies in northern Michigan, that have been the subject of cyber intrusions,” said Thys DeBruyn, President of ADVANCE Resources and Consulting, a Michigan based risk analysis firm.

Prior to standing up ADVANCE, DeBruyn spent the last quarter century in the Central Intelligence Agency, and held senior positions in China and Indonesia. Now the Traverse City native, and once again resident, parlays his expertise into helping clients safeguard their cyber security.

“Just because you’re a small company in northern Michigan, geography doesn’t offer any protection from this sort of thing, unfortunately,” said DeBruyn.

Strategies to defend against cyber attacks include enhancing security, transferring risk to third party companies, like Paypal, vetting all potential partnerships or ventures, and finally acquiring cyber liability insurance.

For many business owners, paying to shore up their organization’s digital defenses and to help rebuild in the event of a successful attack becomes a question of immediate cost versus what they stand to lose.

“Is it hardware, software? Are you insuring against fines and penalties? Or is it intellectual property? Reputational damage?” DeBruyn posed. “You can keep adding on to this.”

“Obviously cyber insurance policies limit the scope of liability.”

Cyber liability insurance often provides the final layer in company’s security planning.

“You try to mitigate all the potential possible ways of having losses…when you get as close as possible to protecting yourself, that’s where the insurance comes in,” said Shawn Gregg, commercial risk manager with the Larkin Group, a Traverse City insurance firm. “To fill that gap when you’re likely to have a loss and you need to be able to weather that storm.”

The cost of cyber liability insurance can range from one to several thousand dollars a year, said Gregg. He also said the insurance can range from a simple policy rider to a more rigorous separate policies which protects clients against multiple types of loss.

Commonly, cyber liability insurance provides first and third party protection, meaning against direct and indirect losses.

First party coverage can cover “damages that you suffer because of intrusion from an outside party, restoration of data… and the costs associated with that,” said Gregg.

Third party coverage could potentially cover expenses like monitoring and credit reports for clients whose data has been put at risk or stole, as well as regulatory fines placed against the breached company. It could also possibly cover restitutions to third party clients, like a retailer’s manufacturers for instance, who suffered some loss due to a cyber attack.

Despite this, the number of companies adding cyber liability coverage to their policies does not appear to match the increase in crime.

“We still see a ‘that can’t happen to me attitude,’” said Gregg, who has worked in the commercial insurance industry for nearly three decades.

“Even with [this] type of thing going on, people are somewhat reluctant to buy the insurance coverage,” he continued. “They think that their IT people…have made them immune to it.”

Gregg pointed out that when large national and international companies, organizations and even governmental agencies are falling prey to hackers, what chance is there that smaller, local businesses can effectively ward off attack?

During a recent cyber security workshop hosted by Networks Northwest, special consideration was given to the increasing number of local businesses that work, trade or interact with foreign partners or in overseas markets, he noted.

“Companies need to not fall into the trap of thinking ‘because we’re don’t have an office there or a manufacturing facility there, we’re not at risk,’” said DeBruyn, who was one of the workshop’s speakers.

What foreign hackers are often after may also be exceedingly more costly to companies then credit card numbers or medical records, which Gregg indicated can generally fetch between $1 and $20 respectively.

“If you’re a small technology company in Michigan, your client list is probably all that attractive to hackers from a business intelligence or identity theft standpoint,” said DeBruyn. “It’s your technology.”

According to the Ponemon Institute’s findings, “Information theft continues to represent the highest external cost.”
Circling back to China, DeBruyn’s firm estimates that up to 80 percent of intellectual property theft can be traced there.
DeBruyn’s message to northern Michigan businesses, regardless of size, scope or industry?

“Understand what you’re up against, understand who’s interested and what and how they go about taking it,” he said. “You want to think about those risks and do everything you can to protect against them before you get to that point.”