Cyber Liability for Trustees: Preventing and Managing Breaches

A friend—a small business owner—recently shared a very stressful situation. She had a significant cyber breach that almost cost them hundreds of thousands of dollars. What happened? She had hired a new assistant and issued a new email address. However, the email was not protected by the domain and email host for a short window, which gave hackers access to the company's emails.

The hackers sent numerous emails to clients with fraudulent wire instructions. Luckily, only a few clients fell for this attack, and most of the money was recovered. While the ultimate dollar amount lost was not significant, this was a major distraction. It interrupted the business and the company had to hire computer consultants to determine the cause of the hack and make the repair. Additionally, it put their customers at risk.

Small businesses that don't think they're being targeted should take note—cyberattacks can happen to anyone, even those with a one-person operation.

A Troubling Trend

The challenge with cybercrime today is that we never know all our vulnerabilities—but cybercriminals sit and watch for that one moment of opportunity. With over 2,328 attacks per day, an average of 800,000 occur in a year, according to Astra, a cybersecurity company. In fact, on average, there is a hacker attack every 39 seconds. In 2023, we will face around 33 billion account breaches.

Small businesses account for 43% of cyberattacks annually, according to Accenture's Cost of Cybercrime study. Here's how much these cyberattacks cost, from IBM Security's Cost of Data Breach Report 2022:

• Phishing was one of the top attack vectors in cybercrime at 16%. It's the costliest initial attack vector, costing $4.91 million on average in breach cost.
• The second most costly was business email compromise (BEC) attacks, which cost an average of $4.89 million. These attacks made up 6% of breaches.
• Ransomware is responsible for 11% of breaches in 2022, up from 7.8% in 2021. The average cost of a ransomware attack, not including the ransom, was $4.54 million.

Trustees Are Equally at Risk; How to Protect Yourself

The number one thing a trustee can do is focus on prevention. But there are other ways to protect yourself and your clients.

Get Training

Large companies now require their employees to go through annual cyber awareness training. Given the risk to our clients, trustees should do the same to increase their awareness and be able to identify phishing attempts and avoid data breaches, network attacks, and ransomware threats. Engage a specialist for training and even simulate attacks, which will improve your ability to identify real attempts.

Update Your Software

Most of the well-known software companies used in trustee practices monitor all aspects of their platforms and update their software periodically. While many of these updates are focused on enhanced features, they also continually provide security fixes. Without updating your software, you may be vulnerable to evolving cybercrime tactics.

Enable Multi-Factor Authentication

This is a must, given the frequency of attacks looking for personal information. Multi-factor authentication has had rapid adoption because it requires active identity verification before accessing information.

Use a Password Manager

Passwords are the bane of our existence, but cybercriminals have access to our passwords on the dark web. We have all been told to use strong passwords and to create different passwords for each login. The best next step is to use a password manager that uses a secure master password combined with digitally-created strong independent passwords.

Have a Written Plan in the Event of an Attack

Keep a printed copy. This is important because you don’t want to have to research the next steps during an attack. This should include all contact information to be able to identify the breach, contain it, and eradicate the threats.

Cyber Liability Insurance: Yes, It's Worth the Cost

Even with all good plans in place, in the event of an attack, there are expenses associated with solving the issue—and there may be liability. The most recent statistics suggest that 34% of all businesses purchase cyber insurance, but only 26% of small businesses do. Most businesses question the cost versus the coverage and their risk. Many trustees believe that their risk is too low to justify the expense.

We have already established there is more risk than you may expect. The real question is: What does insurance provide? Coverage includes network security and privacy liability, as well as network business interruption. One important insurance feature that cannot be overlooked is the service insurance companies provide. Most insurance companies that write cyber liability insurance policies have committed to offering significant resources to customers in the event of a claim.

Ultimately, in the event of a breach, there are critical services to seek.

These attorneys can help determine if the breach requires notification to consumers or customers under relevant laws or regulations and hire computer forensic experts to assess the impact of a data incident on your computer system. Also, if applicable, they give advice and provide oversight in connection with the investigation conducted by a forensic investigator. The cyber insurance carrier also has access to experts in ransomware negotiation.

Trustees can now purchase cyber liability insurance in conjunction with trustee liability insurance offered by Nomadx. Visit www.trustnomadx.com or contact one of our specialists to discuss how cyber insurance can protect you as a trustee.