October is National Cyber Security Awareness Month, so we took this opportunity to discuss the importance of cyber liability coverage along with the risks and preventative steps you can take to protect yourself or your business from vulnerabilities in cyberspace.
Below is a transcript of the episode, modified for your reading pleasure. For more information on the topics discussed in the episode, see the links at the bottom of this post.
* * *
Grant FINLEY: Welcome back to another edition of Your Insurance Connection Podcast. I'm your host, Grant Finley, and joining me once again today we have the President of CLH Insurance, Chuck Hembree. Chuck, it's good to have you back.
Chuck HEMBREE: Well, thank you.
FINLEY: October is cyber security awareness month and so I thought this would be a great opportunity to jump into the complexities and the different layers of cyber security. We mentioned it on an earlier podcast, but I feel like this is growing in importance so it probably deserves an episode dedicated to it all by itself.
HEMBREE: Well, you're absolutely right because we're seeing it all over the news. There's hardly a week that goes by without us seeing something, whether a retail store or a government or someone who is affected by a cyber hack and there are a lot of different things that are happening in that arena, beyond just what we're seeing here and insurance is having to learn how to respond.
FINLEY: So let's talk about what insurance can protect for cyber security, which would be cyber liability. Can you just give us a brief overview of what that entails?
HEMBREE: Sure. Let's break it down. Cyber - meaning in the internet or digital access, so that's the exposure that's out there. And when we say, "cyber liability", remember, liability always means what we would be held liable for to a third party. So, we're trying to protect others from what we have if it's been hacked digitally, because we carry and hold private information more and more. We do more and more banking transactions, business transactions over the internet and so we have to figure out how do we protect other people if we're hacked, and that is the whole essence of cyber liability. Then, as a separate sideline, we need to talk about the cyber exposure to ourselves. What if our property, our digital assets are affected? So, when we talk about liability to others we call that third party liability. When we're talking about protecting our own assets because of our work on the internet, that's called first party. So, I don't want to get too deep into that and make it too complex but that is a good elementary understanding that we need to understand. We not only need to protect our own possessions, products, and information but we owe a duty to others to protect theirs.
FINLEY: So, third party would primarily be businesses, whereas first party would be me roaming around on the internet and somebody hacks my stuff and now I'm vulnerable?
HEMBREE: Well, a little bit of both. Not just businesses, but our own private information. So, think about us as an insurance agency. We'll use that as an example because I would think that those who are hearing us are wanting to know that we're taking steps to protect the private information that they give us. We owe that to our clients and so all of their private information that we have to have on our system and share with other insurance companies needs to be protected so that our customers feel secure that they are protected. So that's third party - what we owe to others. And when we talk about first party, I need to think about could they get into my bank account? Could they get my pictures? Could they put ransomware on my system so I would have to pay them in order to get it un-encrypted? And that's happening to me, personally, and not to others. So that's first party, to others is third party.
FINLEY: And would a cyber liability claim protect you then in the first party instance? Is that something a person can purchase?
HEMBREE: They can. Now, third party cyber liability is a lot easier to get than first party and it's less expensive. But we can protect all of those interests there.
FINLEY: So, Chuck, I think a common question people will usually have with this is, wouldn't their general liability cover anything that would happen to them online?
HEMBREE: That's a fantastic question. So, think about general liability for business owners and a homeowners policy to those of us who are worried about that - no, there is no coverage. What we cover is tangible property and all of the insurance contracts that we see have that language in there, so it's got to be tangible property. Electronic or digital assets and data are excluded from homeowners and from commercial policies. So, it refers to them, it defines it, but it also excludes it. So, we have very limited and generally no coverage underneath our commercial and personal policies for that so we had to introduce new ways to cover that exposure and that's where we get cyber liability policies.
FINLEY: So, if I'm a small business and I say, "We've got IT, we've got firewalls in place, we've got some security. Isn't that enough?"
HEMBREE: Well, I'll answer that with another question. Just because you have smoke alarms and fire extinguishers, do you not need insurance for fire? Absolutely. We still need those extra protections. Those help reduce what happens if we have that exposure but it doesn't always prevent them. So, yes, IT and firewalls are very, very important but we need to have protection because if our government can't keep themselves from being hacked with all of their protections, how do we expect that we have the expertise to do that?
FINLEY: That's a great point. So, along that same theme then, if I operate a small business and I use a third party for my credit card transactions, am I still going to need this or will they be liable if something happens?
HEMBREE: Okay, maybe is the answer. It's a great question because when we do that, it depends on where the offense took place. Did it take place as we were keying things in or did it happen inside the secure environment of the vendor that we're working with? If it happens inside the secure premises of the vendor or a bank, then generally they are held liable, but if someone is copying our keystrokes or we're introducing a virus that's already on our computers into that situation then we're held liable.
FINLEY: So, would it be fair to say a large - we've talked about big retail chains, and the government even, are they more or less vulnerable than mom and pop, small business shop down the street?
HEMBREE: No. Let's talk about that. Another great question. 95% of all businesses are small business. That means there are 50 or less employees so just a vast majority of us are all small. Large businesses are sometimes targets because crooks think they can get access to more at one time, but that has changed completely too because small businesses and small clients and personal lines clients are more vulnerable because they have spent the time, they haven't taken the precautions, so they tend to be less prepared, take less precaution so they are a large target for crooks.
FINLEY: So, then let's talk about some steps a person or a business can take to reduce the risks of these security breaches or bulk up their security. What are some things people should look into to improve that?
HEMBREE: Okay, there are several things and whether you're listening to this and you're a homeowner and you're thinking about your exposure there, or whether you're a business owner and you're thinking about what precautions are there - I see a lot of times the "Ten Best Tips for Businesses to Consider", I don't think there should be a delineation. We need to be just as vigilant on the personal lines side as we are on the commercial lines side. So, the same things we talk about to businesses, we ought to be considering in our own homes. So, secure passwords. Do we leave them out, do we share them, are they readily visible? That's something that we should really worry about in the business place and at home. Who has access to our devices? We don't think about that often within the home, but our kids, their friends, they're teenagers, they can get on the Xbox and all that kind of stuff. All those things are vulnerable and we need to be thinking about that, just as well as who has access to our business machines, computers, our data within the business as well. We need to have good firewalls, we need to have great malware that's on our systems both at home and in businesses so we're not infected, we need to just be smart. I was privileged to be able to be in a meeting with Frank Abagnale, the true "Catch Me If You Can" guy and he said, by far, the reason we become vulnerable is not because crooks are so smart but because we just aren't as vigilant and we do things that we know we shouldn't do. We click into those emails without really knowing who it's from. It looks iffy, but we go ahead and click into it. We download things that we shouldn't. So, most of the time, we're our own worst enemy in introducing viruses, trojans, and hacking malware into our own systems.
Another thing that we need to remember is it's not just social security numbers and credit card numbers that we need to be very careful with, but all of our personal information - our date of birth, our addresses. Now, it seems crazy that we have to do that because we can get so much of that on Google itself, but courts hold us liable if someone gets what they consider as private information regardless if they can go and get it from another source. If they hack our systems, we have to be able to respond. The third thing is making sure that when we're not using equipment that it's unhooked. Now, obviously, we can't always do that with our computers because they need to be refreshing, they need to be getting updates, but we can put locks on them, so passwords, again, very important. And then devices that we don't use all the time we should turn off and make sure that they are down so that roaming people that are driving through, looking to see if they can get on a network within neighborhoods or around businesses won't get online. How many times do I see people go and park at Panera's or Bread Company because they can get free access to the internet, which is a valid reason, but they can also do that with yours and it might be a hacker, not someone who's needing to get on to talk on Facebook.
FINLEY: Well, Chuck, another thing that's really picking up steam lately is the idea of the smart home. Everything's connected by the internet, so I imagine that there would be a lot of vulnerabilities there as well and hopefully we can dig into the whole smart home, internet of everything idea in a later episode, but is there anything there that would be important to know with cyber security?
HEMBREE: Well, we need to. I think that's a great future podcast that we need to go talk about because we see the smart home as something that really does bring some great advantages and ease to us in life, but along with it, it brings some caveats and securities that we need to put in place. I'll look forward to speaking with you on a different date on what can we do to protect ourselves and still enjoy the advantages of the smart home technology that's coming our way?
FINLEY: Perfect. Well, if you're feeling vulnerable and would like to learn more about what your cyber security options are, we certainly encourage you to log on to clhins.com or give us a call, but I think as far as this episode, we could probably wrap it up there, Chuck.
HEMBREE: I think that's great. We certainly would invite any questions that they might have so that we can tell them what they need and what they don't need, so thanks for bringing the subject up, Grant.
FINLEY: Absolutely, Chuck and thank you once more for your insight and to all those who tuned in, we'll catch you on the next episode of Your Insurance Connection Podcast.
Your Insurance Connection podcast can be heard on iTunes and Stitcher or by visiting clhins.com/content/podcast. If you like what you’ve heard you can support this podcast by rating and/or sharing it on your social platforms. CLH Insurance is a “Trusted Choice”, independent agency servicing Missouri, Kansas and Illinois. For more information on CLH Insurance, visit clhins.com or call 636.391.0700 to speak with an agent. Until we connect again, thanks for listening.
* * *
Show Notes - Where you can learn more about the people and ideas discussed in this episode.