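Are We Covered?

Types of Insurance Management Companies Should Carry in an Age of Cybercrime and Other Threats

By Ané Agostini, CIC, CRM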

The cybercrime industry is rapidly making it difficult for cybersecurity to keep pace with technology vulnerabilities. Cyber criminals do not discriminate when it comes to the size of businesses they target. High-profile attacks make the news, but in reality 90 percent of these crimes significantly impact small to medium size companies.

What Management Companies Should Know About Cybercrime

Fifty to 80 percent of all cyberattacks are aided or abetted by innocent insiders, most commonly through an email message that asks a relevant party to click a link or open an attachment. Some attempts are obvious, but many are carefully crafted, appearing very credible – this is where the success of cyberattacks can reach the high end of the range.

The goal of most cybercrime attacks is the theft of private information that is potentially sold on the dark web. Inherently, businesses have the care, custody and control of some type of third-party private information stored either physically or electronically. That responsibility creates a direct cyber liability exposure. Even when the information is transferred to a third-party service vendor, the responsible parties will still have at least a vicarious liability* exposure.

Community management companies take on the direct care, custody and control of the association’s private information as part of their contracted services. This creates a direct cyber liability exposure for the management company as the responsible keeper of this information. The associations they manage typically do not have direct control of the private information, so their risk exposure is generally limited to vicarious liability. However, it is important to consider the cyber exposure of each association to determine their level of control.

Types of Cybercrime that Directly Impact Management Companies

Ransomware attacks are the fastest growing type of cybercrime. The infection of prominent websites and downloadable applications has become a common means to attack computers. The latest ransomware virus can leap from computer to computer once unleashed within an organization. It will freeze the computers until a “ransom” is paid (usually in virtual currency known as Bitcoin). The recovery of files is questionable even when the ransom is paid. Management companies are encouraged to establish a strong software backup system to protect against the potential loss of data due to a ransomware attack.

Cloud computing technology is a very appealing infrastructure platform that is being adopted by many management companies. Distributed Denial of Service (DDoS) is a type of cybercrime attack that compromises a business’s cloud network connectivity making it impossible to access your resources. DDoS attacks are an attempt by a malicious party to overload valuable resources such as e-mail services, internet access, web servers and network systems housed in the cloud to shut down access. The conveniences and cost benefits of transferring these services to a third-party cloud vendor should be weighed very carefully against the potential retained liability and potential cybercrime loss exposures.

Best Practice Approach for Managing Cybercrime Risk

• The education of employees and the important role they play in cybercrime loss prevention should become a standard part of the human resource department. Management companies should have an established cybercrime policy and set of procedures. Utilizing an experienced IT consultant can greatly assist with educational tools and training for your employees.
• It is also important to contract IT services that offer a proactive monitoring approach to cybercrime exposures.

Establishing an ongoing annual agreement for IT maintenance and monitoring services plays an important part in controlling the cybercrime exposures. If a management company utilizes in-house IT expertise, an IT consultant should be utilized as a separate firewall layering strategy. The growing cybercrime exposures cannot be 100 percent prevented for any management company. Therefore, it is important to develop a best practice insurance strategy that creates an indemnity firewall against the complicated moving parts of cybercrime.

Best Practice Insurance Strategy for Management Companies and Their Association Clients

It is important to understand that cyber liability coverage is triggered by the insured that has the care, custody and control of third-party private information on their computers. Because the management company inherits this exposure from their association client agreements, a cyber liability insurance policy becomes an important risk management tool to protect them against cyber related losses.

In turn, your association clients are transferring the care, custody and control of private information to your management company. However, they are still responsible for the safe keeping of that information, which creates a vicarious liability exposure for potential legal actions tied to the management company’s responsibilities. The management company cyber liability insurance policy will not provide coverage for the association’s exposure, so coverage for the association client would need to be addressed.

Insurance Solutions Coverage for the Management Company and Their Clients

The insurance industry solution has been to insure each entity separately. However, the cost of a stand-alone cyber policy for associations has not been cost effective, so very few have purchased coverage. The cost factor is even more compounded by the association’s limited vicarious liability exposure.

The recommended solution is for the management company to seek a cyber liability insurance policy that can address the coverage needs of both their company and their association client’s vicarious liability exposure. This is a cost effective method to insure both the management company and their association clients properly.

What Exposures Are Not Covered on a Cyber Liability Insurance Policy?

One of the fastest growing cybercrime claims is the electronic theft of bank funds involving business online banking activity. This type of cybercrime is referred to as “computer fraud” and is typically caused by an innocent employee clicking on an email link that allows a hacker to steal the online banking sign on/password, remote in and steal the funds out of the account. Five years ago, very few management companies used online banking, but today most use online banking for their client services because of the efficiency.

It is important to understand that cyber liability insurance does not cover the actual electronic theft of bank funds (money) by a third-party. There would be coverage for the cyber breach portion of the loss and coverage for the management company if they were sued for the damages, but no coverage for the bank funds stolen.

What Type of Insurance Policy Would Provide Computer Fraud Coverage?

Computer fraud coverage is found on a broad-form, stand-alone fidelity insurance policy. This is an optional coverage designed to cover electronic theft of bank funds on any computer caused by a third party. Because coverage extends to any computer, those who have care, custody and control by contractual agreement of client bank funds would be covered.

Who Should Purchase Computer Fraud Coverage?

The management company has the care, custody and control of their client bank funds; however, it is highly unlikely they can afford or even insure for the total theft exposure of all associations. Each association should carry a computer fraud limit on a stand-alone fidelity insurance policy equal to their employee theft coverage limit to ensure adequate protection. At the very minimum, a management company should carry computer fraud coverage equal to their employee theft coverage limit on their own fidelity insurance policy.

Do I Still Have a Cybercrime Exposure When I Transfer Services to a Third Party Vendor?

Many electronic services are contractually transferred by either management companies or their association clients to third party vendors. These vendors typically take on the care, custody and control of the private information associated with the services rendered, but their contractual agreements seldom provide indemnification or additional insured protection in favor of the management company or their association client. It is important to remember to address this deficiency when contracting services and understand that a vicarious liability exposure may still be retained.

Finally, a mental shift surrounding cybercrime must occur within our industry in order to stay ahead of the developing perpetual cyber threats coming down the pike. The technology of tomorrow will bring more challenging cybercrimes that will demand more aggressive risk management strategies. Stay ahead of the cyber curve.

Ané Agostini, CIC, CRM, is CEO of CID Insurance Programs.

* Vicarious liability is a legal doctrine applicable in the state of California that creates liability for a person or organization whose activities did not actually lead to an incident but that has a special relationship (the right, ability or duty to control) with the one who did.
