Client Alert - Cybersecurity: The Importance of Protecting Sensitive Information
The horrific invasion of Ukraine by Russia has brought with it a higher likelihood of cyberwarfare resulting in an increased focus on cybersecurity. A natural reaction by owners of businesses, particularly small businesses, may be to conclude that the invasion of a country 4,700 miles away cannot impact the security of the information they gather and store. These business owners may even wager that cyberattacks are made only on large institutions. But even if cybercriminals do not target specific small businesses, these cybercriminals can target networks and systems and in the process negatively affect these businesses. Thus, now is the time to rethink these conclusions, as no one is immune from cyberattacks from any place at any time.
What is Cybersecurity?
Cybersecurity is the practice of protecting networks, internet-connected devices, and data from unauthorized access and criminal use, and the practice of ensuring confidentiality, integrity, and availability of information over the life of this information. With the prolific use of devices and communications such as smartphones, laptops, tablets, and e-mail, and the related storage and transmission of sensitive information on and by these devices, the need to protect this information has become more critical than ever. Cybercriminals consider small businesses, because of their size, perceived lack of sophistication, and lower investment in cybersecurity, to be particularly vulnerable. A single ransomware attack could have a severe impact on a small business. Therefore, every business should consider implementing two measures: cybersecurity insurance and cybersecurity plans.
Cybersecurity insurance protects businesses against financial losses caused by cyber incidents including data breaches and theft, system hacking, ransomware attacks (a type of malicious software designed to block access to a computer system until a sum of money is paid), and denial of service. There are different types of cybersecurity insurance: (I) first party coverage, which relates to damages a business suffers, such as the cost to recover data or lost revenues due to business interruption; and (ii) third-party coverage, which relates to damages suffered by a third party due to a cyber incident involving the insured business.
Who Needs Cybersecurity Insurance?
Any business, large or small, needs cybersecurity insurance if it stores sensitive information such as cell phone numbers, credit card information, driver license numbers, social security numbers, or health information. In other words, just about every business, from hospitals to financial institutions to law, accounting, and other professional firms, should have cybersecurity insurance. Indeed, many of these businesses are required to have policies and procedures relating to cyberattacks, including legal obligations to notify regulators, law enforcement officials, or both.
Accordingly, a second way for businesses to protect sensitive information is to develop a cybersecurity plan and afford this plan the same importance as other key plans and policies the business maintains. The plan should cover matters such as the following:
Training employees in security principles
Protecting information, computers, and networks from cyber attacks
Providing firewall security
Creating a mobile device action plan
Making backup copies of important business data and information
Controlling physical access to computers and creating user accounts for each employee
Protecting Wi-Fi Networks
Limiting employee access to information
Securing credit card information
Implementing password and authentication protocol
Depending on the business involved and the type of information stored, business owners should consider having the plan prepared and/or reviewed by an outside professional.
Cybersecurity Security and Plans – Who Should Require Them?
Financial institutions, parties to non-disclosure agreements, licensors of intellectual property, and owners supplying confidential information to contractors and suppliers are just some of the entities that should consider requiring cybersecurity insurance and cybersecurity plans of the parties with whom they have business relationships. If, for example, a borrower, supplier, or licensee is the victim of a cyberattack, their ability to repay the loan, provide critical supplies or goods, or maintain the value of the intellectual property could be greatly compromised.