New Mandatory Requirement For Cyber Insurance

Oct 19, 2021

During the past year, ransomware attacks and other cyber breaches have skyrocketed, leading to significant changes in the cyber insurance marketplace. Historically, obtaining cyber insurance was simple, and renewals were a matter of updates based on major changes within an organization. Fast forward to now, and notable shifts in insurance policies and regulations are taking shape. Underwriters are now asking for more information related to cyber controls and IT risk management.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is now a minimum requirement for cyber insurance through most carriers. The message: if you have not incorporated MFA into your current IT environment, your organization may be considered a high risk, which would disqualify you from coverage.

MFA provides an additional layer of security above and beyond your traditional password protection. It requires users to validate their identity with additional credentials. These credentials could be the answer to a security question, the click of a button in an app for approvals, or even a biometric identifier such as a fingerprint. This extra layer of protection stops attackers as they won’t be able to access an account without all required credentials, even if they have stolen a password. The additional proof points confirm the person attempting to enter the system is truly who they say they are.

According to Microsoft, ‘up to 99% of cyber identity attacks can be prevented with MFA’. Google has also supported this with their research ‘which shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.’

If you already have cyber insurance, you will more than likely find stricter requirements during your renewal. If you are in the market for cyber insurance, you will need to incorporate MFA before you seek coverage. Carrier data proves those without MFA are at a much higher risk for extortion and therefore coverage is not obtainable.

Our WVC Technologies team can assist with your MFA initiatives to help you: one, qualify for cyber insurance quotes from multiple carriers, and two, help reduce your claims activity which can improve your insurance pricing.

Connect With Us.

Greg Gomach, WVC Technologies Senior Client Rep.

greg.gomach@dmctechgroup.com

Categories: Risk Services


Potential Fraud in Economic Injury Disaster Loan (EIDL) Program

Nov 03, 2020

The Small Business Administration (SBA) issued a report back in July 2020 stating ‘serious concerns’ of potential fraud related to the EIDL Program. The SBA’s inspector general raised red flags about more than $78 billion in aid approved for businesses under the agency’s program — about 37 percent of the total amount distributed — and warned billions might have been fraudulently obtained by individuals taking out loans on behalf of companies.

WVC has received reports of this happening in Northwest Ohio. Fraudsters have taken loans out on behalf of companies, and it isn’t until those companies apply for a legitimate new loan or go through a bank review that the fraudulent EIDL loans are discovered.

As of today, the Federal Trade Commission has calculated $170 million in fraud losses related to COVID-19 of which roughly $2 million has occurred in Ohio and $3 million in Michigan. Cybercriminals began capitalizing on the ever-changing pandemic from the moment it began. It is unfortunate to hear, but a reality of the world we live in today.

As fraudsters exploit the ongoing pandemic, we wanted to share with you the suggested steps our in-house Risk Services Leader, Tiffany Pollard, recommends should you find yourself in a similar position:

  1. Work directly with the banking institution which experienced the fraudulent EIDL transaction and inquire if they will provide coverage for credit monitoring; and,
  2. Review the FTC website with recommendations on what to do when your personally identifiable data has been compromised:
    a. https://www.identitytheft.gov/Steps
    b. https://www.identitytheft.gov/Info-Lost-or-Stolen

To prevent such fraud, here are some recommendations you can do now:

  • Activate credit monitoring at the three credit bureaus for your business and personal credit.
  • Work with your banking institution to ensure you are using the financial transaction monitoring available to detect fraud.
  • Ensure you have cybersecurity and identity theft expense reimbursement insurance. Cybersecurity and identity theft insurance can help you pay for expenses associated with resulting losses and provide tools to reduce the risk of additional fraud.
  • Complete a Security Assessment by an independent cybersecurity team. This evaluates current information technology systems to identify vulnerabilities and review the dark web for possible user name and password loss. Completing a preventative assessment can give you peace-of-mind knowing you have mitigated vulnerabilities within your network.

Having plans in place before such an issue occurs will enable your business to confidently manage such a tense situation. If you have any questions, please reach out to your WVC Advisor or Tiffany Pollard directly. WVC is here to help you.

Tiffany Pollard, CISA
Risk Services Practice Leader, William Vaughan Company
Tiffany.pollard@wvco.com | 419.891.1040

Categories: COVID-19


How to Protect Your Business from COVID-19 Phishing Scams

Sep 14, 2020

As the coronavirus (COVID-19) pandemic continues to impact businesses globally, cybercriminals are taking advantage of this crisis, through phishing tactics, for their financial gain. Phishing is the fraudulent attempt of a cybercriminal to act as a trusted source to gain sensitive information, typically resulting in financial gain for the criminal. Since January 1, 2020, the Federal Trade Commission has received more than 90,000 reports related to COVID-19 fraud with a total loss of $114 million since the beginning of the year.

Business owners already have the day-to-day operations of managing employment needs, fulfilling client orders, and running back-office tasks to manage; the list goes on and on. Having to worry about a phishing attack shouldn’t be one of those added tasks. However, a surge in COVID-related fake emails with dangerous attachments, links, and requests for personal information is our reality.

As teams work remotely, businesses have increased their use of web-based meetings. An example of a COVID-19 phishing scam involves the use of Zoom websites. Scammers are sending fictitious Zoom web address links, that when launched, download viruses that compromise the company’s data. These scams result in expensive fixes to restore company networks.

The Federal Bureau of Investigation (FBI) recently issued an alert warning which urged individuals to be on the lookout for the following red flags:

  • Unexplained urgency
  • Last-minute changes in wire instructions or recipient account information
  • Last-minute changes in established communication platforms or email account addresses
  • Communications only in email and refusal to communicate via telephone or online voice or video platforms
  • Requests for advanced payment of services when not previously required
  • Requests from employees to change direct deposit information

Here are some basic rules and best practices to protect you and your employees from falling victim to these scams:

Exercise caution – Don’t open emails from unfamiliar email addresses or contacts. If you receive an email that appears to be from a trusted source but seems ‘odd’, call the sender and verify the authenticity of the email.

Avoid clicking on links and opening attachments – Verify a link by hovering your mouse pointer over the link to see where it leads. Sometimes, it’s obvious the web address is not legitimate. But keep in mind phishers can create links that closely resemble legitimate addresses. Delete the email and notify your IT department.

Get information about government actions regarding COVID-19 from reputable sources – For the most current information, visit the CDC and WHO websites.

Do not reveal personal or financial information – An email seeking personal information like your Social Security number or login information is a phishing scam. Never respond to solicitations for this information. If you receive an email saying your shipment has been assigned a new ‘tracking id’ and you are asked to click the link to verify the update, do not click the link. Instead, go to the website of the delivery service and enter the tracking id to verify if a change was made.

Do not use open or unsecured Wi-Fi for working remotely – Never use public Wi-Fi. When working remotely, it is best practice to have a mobile Wi-Fi device that you can securely connect to.

Connect with your IT department – If you receive a suspicious email, forward the entire email as an attachment to your IT team. If you click on a link or open an attachment in a suspected phishing email, report the incident immediately.

If you are concerned about your company’s security controls or your phishing risk, connect with our team. We can assess your systems and provide value-added recommendations to protect your organization.

Tiffany Pollard, CISA
Risk Services Practice Leader, William Vaughan Company
Tiffany.pollard@wvco.com | 419.891.1040

Categories: COVID-19, Risk Services


SBA Data Exposure Highlights the Need for Cybersecurity Programs

Apr 23, 2020

On April 21, 2020, news sources* revealed the Small Business Administration (SBA) notified 8,000 applicants of the Economic Injury Disaster Loan (EIDL) program of a data exposure on the application website. The exposure, which occurred briefly on March 25, may have permitted applicants to view Personally Identifiable Information (PII) of other applicants. Current reports reveal the disclosure included names, Social Security numbers, tax identification numbers, addresses, dates of birth, emails, phone numbers, marital and citizenship statuses, household sizes, incomes, financial and insurance information.

If you learn you have been impacted by the data exposure, the Federal Trade Commission has provided specific guidance with checklists on their website for Identity Theft. The actions described in their checklists are based on the type of data loss. Please refer to this website on how to protect yourself.

It is unfortunate to have a data exposure during an already stressful time, but it further demonstrates the continued need for cybersecurity programs. WVC Technologies is here to assist you in making sure your company is operating securely whether it be updating your remote working policies, implementing a security practice, or preparing a business continuity plan.

*CNBC was the first to report on the data exposure from the SBA. For a full report, please see this article.

Connect With Us.

Tiffany Pollard, CISA

Risk Services Practice Leader

tiffany.pollard@wvco.com

 

Categories: Risk Services