What does Cyber Security and Data Protection Mean for your Brewery?

By: Tim Hillberg
Risk Manager for Starkweather & Shepley Insurance Brokerage

thillberg@starshep.com

LinkediIn Headshot.jpg

When meeting with my clients, our discussions always touch upon Cyber Security and the need for Cyber Liability Insurance. With the seemingly endless stream of public breaches and amped up government regulatory attention, it is easy to see why this is the topic du jour.

My client’s reaction to the topic typically falls in one of two categories:

Concerned:

1)     No current cyber loss mitigation plans or procedures in place.  They want to put something in place, but do not know where to start.  Think- “Help I’ve fallen and can’t get up!”

2)     Some cyber loss mitigation plans/procedures in place and looking to expand.

Not Concerned

1.     Some cyber loss mitigation plans/procedures in place and they believe their systems are “tighter than Fort Knox”.

2.     No plans/procedures in place and they do not care to implement any.

Why are my clients concerned? 

1)     Large Breaches- Equifax, Sony, Home Depot, Target and the SEC are all front page examples of cyber incidents.  Many wonder if they are the next.

2)     Cyber Terrorism and State Actors- Russia, China and North Korea.  Could they come after my business?

3)     Hackers focus on smaller companies- Easier targets due to lesser security.  Smaller companies also have relationships with larger corporations (think HVAC contractor and Target). 

4)     Rogue Employees- What if a disgruntled employee sabotages my business?

5)     Ransomware- What if my computers are locked up for ransom?

What are the statistics?

  • Average Cost of a Stolen Record- $141.
  • 10% of events are caused by rogue employees.
  • Damages caused by Ransomware are 15 times greater than they were in 2015.
  • 22% of incidents involve a broken business practice.
  • Regulators are considering harsher penalties for known violations 

What types of claims do you see in the brewery space?

  • Ransomware- Hackers holding your system hostage.  Costs include the actual ransom (if you choose to pay it), system rebuilding costs, downtime and effected party notification costs (if applicable).
  • Business Interruption- A computer system hack could cause the production line shut down.  Property policies do not cover cyber incidents.
  • Data Breach Notification Costs- A computer system hack could cause potential for data breach notification which also occurs during a ransomware attack.

Example:  A Brewery’s computer system was breached and the credit card information of 2,000 customers was stolen. The total cost of this claim was $169,514. The brewery in this instance did not have a cyber policy in place and was on the hook for the total cost. Had they purchased the cyber policy which was offered to them for $1,000, they would have only been responsible for the policy deductible.

Is there protection available for my brewery?

YES! Broad, responsive policy forms are available and include security and privacy liability (arising from third party claims; including regulatory actions). Policy definitions are broader as well. Forms are no longer limited to the theft or disclosure of Personally Identifiable Information as defined by a specific state statute.

Insurance carrier capacity is at an all-time high with many new entrants to the market. In turn, pricing is favorable for clients and terms are broadening. Many carriers are introducing new forms with streamlined coverage offerings. Both first and third party coverage is readily available.

In addition, policies include free access to online training and support including cyber risk webinars, access to expert breach response teams in the event of a loss, and updates on changing data security laws. In some cases, the value of these services exceeds the premium paid for the policy.

While my clients all have different risk tolerance levels, I stress the importance of being educated on the topic of cyber. Every business owner has fiduciary responsibilities to their company and ignorance, especially in the cyber security space, is no longer an excuse.