Lessons from 3 High Profile Cyber Incidents, Daryl Henry

Three recent stories have changed how I view Cyber Liability coverage and cyber attacks. I want to share three observations with you, one from each story.

Case 1: Minneapolis Public School System Data Breach

Minneapolis Public School System was a victim of a ransomware attack in February of 2023. The school system refused to pay the ransom, and the gangs resorted to leaking students’ sensitive files online.

From the article: “The lasting legacy of school ransomware attacks, it turns out, is not in school closures, recovery costs, or even soaring cyber insurance premiums. It is the trauma for staff, students, and parents from the online exposure of private records…The confidential documents stolen from schools and dumped online by ransomware gangs are raw, intimate, and graphic. They describe student sexual assaults, psychiatric hospitalizations, abusive parents, truancy — even suicide attempts…”

Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files.

https://www.insurancejournal.com/news/national/2023/07/07/729105.htm

Observation: Cyber Crimes cause more than just financial damage.

Before this news story, I had always framed Cyber Liability in the context of preventing financial damage. But now I factor mental health damages into the equation as well. When you look at this story, you can see that the children and families were the hardest-hit victims of this crime.

What about your organization? What would the reputational damage be if you run a Medication Assisted Treatment program and someone puts your clients’ files online for anyone to see? If your client is a respected lawyer or accountant, will they lose business because of a perceived drug problem?

For counseling programs, if you are discussing suicide, rape, or psychiatric breaks, and the records are released online, how would your clients be impacted?

Carrying sufficient cyber liability insurance cannot prevent ransomware attacks or resulting mental health damage. But it can reduce the time it takes to respond to cyber attacks and help pay for any resulting lawsuits. It can also hire forensic teams to investigate and stop the leakage of sensitive information. Any organization with access to records that include private mental health data must have robust cyber liability insurance.

Case 2: Caesars Casino pays roughly $15 Million for data breach ransom

From the article: “Hackers used a social engineering scheme in which a person pretending to be an employee contacted the company IT Help Desk to have a password changed, according to people familiar with the matter. In a Thursday Securities and Exchange Commission filing, Caesars said that the incident resulted from a social engineering attack on an outsourced IT support vendor without providing further detail on “the unauthorized actor” responsible for it.”

https://www.wsj.com/business/hospitality/caesars-paid-ransom-after-suffering-cyberattack-7792c7f0

Observation: Just because you outsource a service to a third party doesn’t mean you outsource your liability.

One of the most common objections I hear when I discuss cyber liability insurance is, “We keep all the data on the cloud.” Or “We store all our data with a third-party vendor.”

When I hear these objections, I hear, “Someone else is responsible. How could an issue be traced back to me?”

In the case of the breach at Caesars, they paid a $15,000,000 ransom because of an error made by an outsourced IT Help Desk technician. No cyber security system is immune to human error.

Even if you outsource your services to a third party, the financial impact on your operations will still fall on you.

Case 3: MGM Hack Has Vegas Hotels Resorting to Cash Bars, Paper Vouchers

From the article: “Scanning a largely empty casino floor at the MGM Grand in Las Vegas on Tuesday, Marina Lopez said the hack has been a hassle. Restaurants were only taking cash, as was the poolside bar: She had to pay cash for a margarita the previous day. An even bigger annoyance greeted guests eager to try their hand at the slot machines. Many one-armed bandits, she said, weren’t working….Several guests faced long waits to check in because staff was doing everything by hand, jotting down credit-card information on clipboards. Slot-machine attendants cashed out players the same way.”

https://www.insurancejournal.com/news/national/2023/09/13/740157.htm

Observation: Cyber hacks can paralyze a business by forcing it to operate offline.

I can personally relate to this one. I went to the Frederick County Fair with my family on a Friday night. The food court was very crowded, and cell service was terrible.

I needed to buy dinner for myself and my son and had no cash in my wallet.

The first food truck’s credit card reader was down. I had to walk away.

The second food truck’s credit card reader was down. I had to walk away.

I tried two different ATMs that couldn’t make a connection.

I finally found a stand that sold fried Oreos, chicken on a stick, and corn dogs, whose credit card machine worked.

I bought 40 dollars of junk food and gorged.

If you are a business that relies on credit card transactions, how many customers like me would you lose over the course of a weekend?

MGM estimates the total cost of their breach will be more than $100,000,000.

In conclusion:

A good cyber policy can protect you from an assortment of risks:

  1. Liability damage that you cause to others
  2. Cyber Extortion
  3. Loss of Business Income and Additional Expenses
  4. Digital Data Recreation
  5. Forensic IT work
  6. Social Engineering Crime coverage

At this point, every operation has cyber exposures, probably in ways you had never considered. Learn from these news stories and ensure you’re properly addressing your needs.
