Cyber Breach - Equifax

What does the Equifax Breach Mean for Your Organization?

September 15, 2017

If it can happen to Equifax... 
Equifax is one of the country’s three credit-reporting agencies. That means they’ve collected and stored an immense amount of personal records – names, addresses, social security numbers, credit card numbers, and other personal information. And they’re charged with keeping it secure.

Recently, Equifax disclosed that it suffered a massive breach of its cyber defenses, acknowledging that the personal records of 143 million U.S. consumers were compromised during a digital raid that lasted for two and a half months. In addition, the hackers accessed files containing credit card numbers of around 209,000 customers along with “certain dispute documents with personal identifying information” for about 182,000 more.

If this sort of widespread breach can happen to a company whose main responsibility is to collect and protect sensitive consumer information, how safe is your organization?

What can you do to protect your data?
Being prepared to effectively deal with a cyber breach is important to all organizations, but small and midsized firms are the most likely to be forced out of business due to fallout from an event like the Equifax hack. But what does “being prepared” look like?

If you outsource functions that can put you at risk such as credit card processing, handling payroll, doing billing, administering employee benefits, accounting/tax services, processing banking information, background checks, credit checks, or even simply doing business in the Cloud, you need to take preventive measures:

  • Analyze your vendors’ financial strength
  • Require all vendors to carry proper insurance; ensure it is the proper type and properly verified
  • Have contracts in place with all vendors which include a clear understanding of the limitations on liability and indemnification provisions
  • Create and maintain a corporate recovery plan, including customer communications
  • Invest in security systems
  • Develop security protocols for adding new vendors and for when vendors update software
  • Conduct regular backups and store data securely off-network and offline
  • Train employees to recognize and avoid social engineering
  • Review password protection protocols
  • Discuss cyber security at the executive level
  • Regularly test security measures
  • Review your cyber insurance policies regularly

Remember, a cyber-attack doesn’t necessarily have to be on the scale of the Equifax breach to be harmful to your business and your stakeholders. Computer viruses, phishing expeditions, ransomware, unauthorized access to your stored information, and many other forms of cyber events, including routine mistakes or negligence by employees, can and should be covered by your protection protocols as well as your cyber liability insurance.

What kind of insurance is the right kind?
Preventive measures and having the right plan in place are your primary tools to weather a cyber-attack. But insurance ultimately plays a role in ensuring that your operations are able to continue without undue interruption and that any damages to your organization and your customers can be made whole.

A good cyber liability policy will ensure that you only have to make one phone call if you believe a cyber-attack has occurred.

Make certain that whatever insurance you invest in provides:

  • A comprehensive program that includes a sophisticated response team and support
  • Investigation support – forensic specialists who will determine whether, how, and to what extent a breach occurred
  • Methods to mitigate potential harm including protecting directors and officers from personal liability
  • Coverage for the theft of information in any format, electronic or otherwise

Marsh & McLennan’s annual cyber risk surveys have regularly pointed out that the majority of small and midsize employers report not having any cyber liability protection in place. At the same time, more than 80% of them report being exposed to at least five of the key cyber risks and 60% have no disaster recovery plan in place.

The sooner you make cyber security a priority, the more protected your organization will be. And the less any future attacks will cost you.

Make cyber security a priority. 
For more information about cyber-attacks, the risks involved, and being prepared to handle the fallout, ask for our 2017 Cyber Risk Survey Report, due out in October.

If you’re interested in learning more about our cyber liability risk insurance products, please contact our Management Liability Group.