Businesses are instituting widespread remote work policies and procedures to facilitate social distancing and “flatten the curve.” Enterprises simultaneously need to be mindful of increased data privacy and security risks. The risks can range from pandemic-related phishing emails to increased pressure on network architecture to well-intentioned employee shortcuts. Hackers will try to take advantage of

Last year the FTC mandated what an organization’s written cybersecurity program should include to avoid being deemed “unfair and deceptive” to consumers,[1] and this year California consumers whose personal information is compromised may file lawsuits against organizations that failed to implement “reasonable security.”[2]

But several states provide legal safe harbors to organizations with written cybersecurity programs. Now, Utah is considering joining them. Under House Bill 158, referred to as the Cybersecurity Affirmative Defense Act (the “Proposed Act”),[3] if at the time of a data breach a covered entity has created, maintained, and complied with a written cybersecurity program it has an affirmative defense to a civil tort claim.
Continue Reading Utah Considers a Cybersecurity Safe Harbor as Ransomware Runs Riot

Until recently, hackers have had limited success stealing Two-Factor Authentication (2FA) PIN and token information.  Unfortunately, a tool has been released that will now make it much easier for practically any bad actor to bypass many implementations of 2FA:

This does not mean we should stop using Two-Factor Authentication (2FA). We should still use

A presentation at Black Hat recently revealed that the creators of the “SamSam” ransomware have netted over $6M to date, attacking mostly medium-to-large public and private sector organizations. And they’re showing no signs of slowing down.

In the most recent SamSam attacks, the attackers concentrated their efforts on brute-force hacking of weak passwords on devices

As you work to finalize your cyber insurance riders or supplemental policies, it’s important to pay attention to the language around what is specifically covered. To ensure you’re receiving the coverage desired, the first step is to understand the difference between hacking and phishing, and how this is being applied to your policy, and to ensure the language is mutually interpreted as clearly and uniformly as possible.

Hacking is the use of exploits and vulnerabilities to gain access to and extract information from, disrupt or tamper with a computer system. Hackers break into a system and take information.

Phishing is the use of social engineering via e-mail to trick the recipient into revealing personal or confidential information, or granting access to a computer system either directly or through the installation of malicious software. Phishers convince you to let them into a system or give them information.

Why is this so important to your cyber coverage? Because there’s been some fairly significant litigation around these differences that has supported both the upholding and denial of coverage. Here are 3 examples of cases where interpretation of the rider/supplemental policy language led to litigation:

Universal American Corp. v. National Union Fire Insurance Co., 37 N.E. 3d 78 (N.Y. June 25, 2015)
Continue Reading Hacking vs. Phishing – and Why the Difference is Important for Cyber Insurance Coverage