Cyber attacks are now a “when”, not an “if”, and Cyber security is a pressing management issue. With costs spiraling, Cyber Insurance is a no-brainer – but it’s not enough on its own.

TOP TIP: as well as Cyber Risks Insurance you need separate coverage for Crime to give financial protection for theft of money and fraud, including phishing scams, electronic wire transfer fraud, telephone hacking and social engineering.

If you don’t already have Cyber Risks and Crime Insurance, talk to us as a matter of urgency – my advice is always free and without obligation.


The majority of small businesses have had their digital defences breached in the past year. It’s vital to protect your intellectual property, business information and customer data against online theft and exploitation. Read on for a basic checklist on preparing for a cyber attack:

  1. Risk assessment on security and the “what ifs” for your business
  2. Security controls: maintain, regularly update and stress-test them
  3. Incident response plan: create and share it, and make sure you have the right professional help at the ready
  4. External back up systems in place
  5. Educate and train all staff to reduce human error
  6. Cyber Risks AND Crime Insurance

To talk through your data risks, and review your Cyber Insurance, just email me – Charlene Gill or call on 646 665 7737.

La Playa: Insurance with Intelligence

People like you like us. Passionate. Discerning. Independent.

Children’s online activities not only have implications for cyber security but can also create liability exposures.

Cyber risk has made headlines recently, and I want to draw attention to some of the private risks we face at home – in particular how children of affluent families can be at risk.


“Personal litigation for children bullying other children is on an upswing” – Property & Casualty 360, June 2016

In the US, issues like cyber-bullying are increasingly moving to litigation – particularly where a link can be drawn to subsequent self-harm. And families with apparently deep pockets are more likely to be a target. Online activities are almost impossible to police; the best risk management lies in conversation – read on for our 10 suggested topics.

Ten Talking Points For Managing Cyber Risks

Cyberbullying can be as seemingly naive as 10-year-old Jimmy group-texting his pals that 10-year-old Maya is “ugly and stupid.” But if Jimmy continues to make such hurtful comments, and Maya physically harms herself because of them, his parents may be liable for defamation, not to mention Maya’s emotional distress, sleeplessness, anxiety and worse.

Though there are several apps for monitoring children’s social media activity, it’s almost impossible to police. But you can TALK through the risks and explain that more affluent families may be at higher risk of being sued if they’re perceived to have deep pockets. If you’re short of ideas, Google the names of the apps your kids use plus the word “dangers”…

  1. Permanence: what they post now could surface later in life when they least expect it – your online presence leaves a trail.
  2. The law: one 15-year-old boy in the US exchanged Snaps with a 14-year-old girl, some of which were topless. The boy saved them – and because the girl was 14, in the eyes of state law it was considered child pornography possession. Had the girl’s parents pressed charges, he might have ended up on the sex offender register…
  3. Privacy: the Snapchat app requires access to your contacts – are they sharing personal info on family and friends?
  4. Security: are they posting images of your home and possessions online? What could a hacker find out about your assets?
  5. Cyber-bullying could end up in court: especially if you’re perceived to have deep pockets. It’s not just saying mean things, but also sharing information and pictures against someone’s will
  6. Libel/defamation: defamatory comments about teachers could also end up in court.
  7. Grooming: online recruiting is the third most productive method for luring young women and girls into prostitution.
  8. Friend risk: even if your children are highly responsible, they may find themselves with others who are not. Know when to disengage.
  9. Filters on: online connections are real people – don’t say anything you wouldn’t say to their face.
  10. Location: are you giving away too much about where you are or where you’re planning to be? Affluent families are more exposed to ransom requests…

And discuss practical ways to stay safe, including:

Let your children teach you about the apps they like to use and why. Help them make smart decisions to keep themselves and their reputations and families safe.

We work with a number of specialist advisers in the cyber risks arena – do let us know if you need any assistance. To talk through the Liability and Legal Expenses cover in your home insurance, just call me – Charlene Gill on 646 665 7737, or email [email protected]

La Playa Private Client: Insurance with Intelligence

People like you like us. Passionate. Discerning. Independent.

Though the attack was stopped within a few days, it affected over 300,000 computers across 150 countries, with the hardest hit being the National Health Service in the United Kingdom.

When faced with a ransomware attack, companies have two choices: pay a cryptocurrency ransom to regain control of their data, or face the expense of having to recover their data and rebuild their computer infrastructure. Many companies struck by WannaCry simply paid the ransom, calculating that the $300 demand was far easier to deal with than the alternative. They did so knowing that they were relying on the promises of criminal hackers, who are ramping up both their level of activity and their demands. The ransom being demanded has been increasing over the last couple of years, and even when companies pay, only two thirds have been able to recover the files that were impacted.

A prime example of the threats posed by ransomware can be seen in what has happened to the world’s medical institutions. In 2017, cyberattacks on the healthcare industry began turning away from large institutions which had invested in better technological protections to smaller facilities, including surgical centers and physician practices. According to Michael Simon, president and CEO of Cryptonite, “Cyberattackers target healthcare networks primarily for two reasons – to steal the medical records they contain or to extort ransom payments. Medical records are the targets of choice, as this data is highly prized to support identity theft and financial fraud.”

Another growing concern is the vulnerability and exposure of companies that are increasingly reliant on the Internet of Things (IoT). These devices and objects that communicate with each other, and the Internet, have introduced a sea change for both business logistics and consumer convenience: according to Gartner, there are 5.5 million new connected things each day, and Cisco estimates that IoT’s value will be 50 billion dollars by the year 2020. Unfortunately, very few IoT devices are properly secured, and a study by Hewlett Packard determined that 70% of Internet of Things devices are vulnerable to attack.

Whether a cyber attack’s target is a health institution, a credit bureau, or any other type of organization, the damage can be far reaching and expensive. Denial of service attacks can impact companies’ operations and leave customer data vulnerable to compromise, and hackers are getting more sophisticated, changing their ransom demands once they realize the value of what they have impacted. The costs are enormous, with ransomware attacks costing businesses well over $1 billion in 2016, an estimated $5 billion in 2017 and an anticipated $11.5 billion by 2019. These costs include:

Some companies are purchasing Bitcoin in preparation for ransomware attacks, despite warnings against rewarding bad behavior. To prevent attacks, companies should introduce employee education programs regarding cyber threats and phishing, and invest in IT protections such as secure backups and more sophisticated detection technology. If attacked, companies should report what has happened, even if they pay the ransom, and communicate with customers. One way or another, it is expected that the attacks will continue.

Ransomware attacks can leave media and tech companies vulnerable to theft, cyber liability, reputational damage and personal liability for board members. It’s vital that you not only purchase Cyber Insurance, but that you buy the right size and shape of insurance. La Playa’s Cyber Insurance Policies are custom built for your individual business after a careful analysis of your activities and risk exposures. Contact us today to speak to an experienced representative about how to secure your organization.

It’s cryptomining, a nearly effortless tool that hackers are now able to use, thanks to a new and more anonymous form of cryptocurrency known as Monero and hidden cryptocurrency processing software that invisibly infiltrates Microsoft Windows on everything from servers to Android and IoT devices. The system relies on a previously unknown NSA hack and the fact that any organization that uses blockchain technology necessarily connects through a transaction processor known as a miner. Chinese and Russian crime syndicates have weaponized all of these factors to invisibly attack IT systems.

Unlike previous hacker tools, which deny service and demand payment in big, bold, apparent strokes, cryptomining installs individual bots that operate independently and that steal on such a small scale that they go unnoticed. By itself, each infection amounts to little of concern, and that means that it is low on a priority list for fixes: this is a mistake. When combined with all of the other systems that a single cryptomining operation infiltrates, it adds up to big business and big money. It is also nearly impossible to detect, and could lead to big losses.

So far, experts have found numerous methods by which cryptomining enters a system. Infected Microsoft Word file attachments can execute a Visual Basic script upon being opened, then move on to target Windows Management Infrastructure. Other methods involve a worm called WannaMine, tools that scan open debugging ports, and vulnerabilities in Microsoft SQL Server and Oracle WebLogic.
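The infected Word attachment described above is the entry vector a mail gateway can screen for: an Office Open XML document that carries a VBA project is not itself proof of malware, but it is the file type worth holding for review before it reaches a user. The following Python is an added example, not code from the original post or from La Playa; the sample attachments, their filenames and the `quarantine_candidates` helper are constructed here for illustration, and legacy OLE-format documents are only flagged for a deeper scan rather than parsed.

```python
import io
import zipfile

# Magic bytes of OLE2 compound files (legacy .doc/.xls/.ppt); these store VBA in OLE streams
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that Office Open XML packages use to declare an embedded VBA project part
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_office_attachment(data: bytes) -> str:
    """Classify an attachment as 'macro', 'clean', 'legacy-binary' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats need an OLE stream parser to confirm macros; route to a deeper scan
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A VBA project part anywhere in the package (word/, xl/, ppt/) means macros are present
        if any(name.lower().endswith("vbaproject.bin") for name in names):
            return "macro"
        # The package manifest may also declare a VBA part under an unusual part name
        if "[Content_Types].xml" in names:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
            if VBA_CONTENT_TYPE in manifest:
                return "macro"
    return "clean"


def quarantine_candidates(attachments: dict) -> list:
    """Names of attachments a gateway should hold for review (macro-bearing or legacy binary)."""
    return sorted(
        name for name, data in attachments.items()
        if classify_office_attachment(data) in ("macro", "legacy-binary")
    )


def build_ooxml(parts: dict) -> bytes:
    """Construct a minimal Office Open XML package in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


CLEAN_MANIFEST = (
    '<?xml version="1.0" encoding="UTF-8"?><Types>'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
MACRO_MANIFEST = CLEAN_MANIFEST.replace(
    "</Types>",
    '<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + '"/></Types>',
)


def sample_attachments() -> dict:
    """Constructed samples: a clean .docx, a macro-enabled .docm, a legacy .doc header and a PDF."""
    return {
        "invoice.docx": build_ooxml({
            "[Content_Types].xml": CLEAN_MANIFEST,
            "word/document.xml": "<w:document/>",
        }),
        "invoice.docm": build_ooxml({
            "[Content_Types].xml": MACRO_MANIFEST,
            "word/document.xml": "<w:document/>",
            "word/vbaProject.bin": b"\x00" * 64,  # placeholder bytes standing in for a VBA project
        }),
        "old_invoice.doc": OLE_MAGIC + b"\x00" * 504,
        "brochure.pdf": b"%PDF-1.4\n%...",
    }


def run_demo() -> dict:
    """Classify every constructed sample and return {filename: verdict}."""
    return {name: classify_office_attachment(data) for name, data in sample_attachments().items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18s} -> {verdict}")
    print("hold for review:", quarantine_candidates(sample_attachments()))
```

The check only reads the package structure, never the document content, so it is cheap enough to run on every inbound attachment; a "macro" verdict is a trigger for sandboxing or analyst review, not a malware verdict on its own.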

Unlike ransomware and other malware attacks, cryptomining requires no action on the part of an end-user: there is no email link or PDF attachment that users click on, and no notification that they have been infected. What makes it so dangerous is the way it impacts systems. Instead of demanding ransom or stealing data, the damage is done by infecting millions of systems and stealing their computing power, and therefore the electricity it relies upon. Though the theft may be so insignificant that it goes unnoticed, resulting only in higher electricity bills and slower computer performance, the hacker can choose to escalate their usage of the mining bots, consuming energy to such an extent that it depletes entire systems and leaves companies without essential resources for extended periods of time.

Because cryptomining installs invisibly and is almost completely detection proof, it can easily spread throughout an organization unchecked until it is completely compromised, and the crime is quickly becoming so popular that there is a real risk that a single organization could be contaminated by multiple bad actors whose individual small-scale infiltrations could result in major slow-downs and enterprise-wide shut-downs.

In the face of ever-changing risks, it is important that you make sure that you have a clear view of what’s at risk and a comprehensive insurance policy that provides you with the protection you need. La Playa’s Insurance Policies are tailored to your business, to meet its unique and specific needs. Contact us today to speak to an experienced representative about how to secure your organization.

Author: Nic Muturniuc

As a young business pioneering in cryptocurrency, it’s vital that you can reassure your investors and stakeholders that your business – and their cash – has the best possible financial protection. But, while insurance for Fintech businesses is increasingly available, insurance for Cryptocurrency businesses can be less easy to secure.




The advent of Fintech, and especially Cryptocurrency, has disrupted archaic markets, flustered regulators and created a brave new world of risk for its participants. There’s still an element of Wild West in the sector, and many insurers remain shy of the risk involved. While the insurers’ position is absolutely understandable, it’s up to the insurance broker or agency to educate and provide the necessary reassurances to get insurers engaged.

Heavy reliance on data, technology and infrastructure, evolving regulatory structures and the shadowy threat of cyber risks heap unpredictability and uncertainty on any new entrant to this space.

With headlines like “SEC says bitcoin funds raise ‘investor protection issues’” (Reuters Jan 19 2018) highlighting the risks of cryptocurrency investments, the insurance implications are huge and underwriters are wary:

“Bitcoin’s 1,500 percent surge last year stoked investor demand for any product with exposure to the red-hot asset. A host of companies are jostling to launch exchange-traded funds which would open up the cryptocurrency to a broad retail market” – Reuters.

Macro influencers like governments will no doubt heavily impact the rate of growth in the sector – and its eventual regulatory structure. Bitcoin is especially popular in Asia, and governments’ positions there have had a very significant impact on the price of BTC. A recent ban by South Korea and the Chinese government halted trade due to a perceived lack of centralised control, while the Japanese authorities were actively encouraging the sector, until recent events with Coincheck, which are likely to push regulators to reconsider. In this context, western regulators are taking an equally conservative approach. While not faced with actual losses, regulators seem to be taking a preventive approach to protect vulnerable investors.

Taming the Wild West? Bitcoin meets the regulators

Regulation is a key chapter in the story of cryptocurrency. What position will regulators take?

While the philosophy of cryptocurrency and all derivative technologies and related applications is deeply rooted in libertarian principles, ultimately these ‘products’ will need to get sign-off from governmental regulators if they’re ever to take off. Regulatory principles like Know Your Customer (KYC), Anti-Money-Laundering (AML) and consumer protection are the main concerns of regulators. In many cases, cryptocurrencies – and especially blockchain technology, can ease rather than heighten regulators’ concerns. And generally the crypto, blockchain, libertarian community will most likely agree with these principles. You’ll find that regulators and the community share the same goals – it’s just a matter of agreeing on the means of getting there.

Insurance for Cryptocurrency Businesses

Meanwhile, it’s critical that you can reassure your clients that:

As a specialist Fintech insurance broker, La Playa can help you identify and mitigate your business risk, and structure insurance protection, backed by A rated insurers, to help generate the confidence of your clients and other stakeholders.

  1. supervision would give underwriters a framework to be able to offer coverage terms to protect your business and your customers. The London and Lloyd’s insurance markets, to which La Playa has access, have historically specialised in emerging risks, and as much as insurers would want to cover your business, the argument for ‘Why?’ needs to outweigh the argument for ‘Why Not?’. And while that’s the best part of my job, I need you to help me…

4 Key Pillars of Cryptocurrency Insurance

1. Errors & Omissions Insurance
In a sector which evolves daily, even a well-managed business can find itself in dispute with a client over an error, a delay or alleged breach of contract. Errors & Omissions Insurance (E&O Insurance) provides indemnity for losses you are legally liable for if you make a mistake or are negligent, or if your product or service is defective, inadequate or fails to perform.

Failure to defend your business adequately could cause irreparable reputational damage – not to mention the financial implications.

We can help you review your contractual obligations to identify the extent of indemnities that your clients require.

2. Directors & Officers Insurance

Directors & Officers Liability Insurance (D&O) is now considered a crucial form of protection for all businesses, and is often a requirement before investors and board members risk their personal assets to serve your company.

Legally, the directors of a company and the company itself are separate entities and so may both be defendants, separately or jointly, in any legal action or prosecution. D&O can help to protect the personal assets of individuals and, crucially, to cover the costs of their defense.

Directors of all companies are now held, at an unprecedented level, to be personally responsible for actions and decisions they make on behalf of the company – putting their personal assets at risk if those decisions are tested in the courts.

3. Crime Insurance
Have you considered the risk of fraud in your organization? It pays to think through the risks of fraud at work and check you’ve got the right insurance protection in place.

Crime Insurance protects your business from losses that are a direct result of employee or third party dishonesty.

4. Cyber & Privacy Insurance

The invisible threat of cyber-crime, combined with the potential for tech infrastructure to fail, and the ever-evolving regulatory landscape, represents a new minefield for modern crypto business. Unless your organization carries specialist cyber insurance coverage against such perils, you won’t be protected against the unusual risks that arise in cyberspace.

In the wake of numerous high-profile cyber-crime cases, including network and data breaches, businesses globally are shoring themselves up against a range of new global tech and cyber risks.

As experts in customized insurance for Fintech businesses, La Playa is the ideal partner to design a watertight insurance solution for your business risks in Cryptocurrency.

To talk through your Cryptocurrency risks and for a free review of your insurance needs, just email me – Nic Muturniuc [email protected]

La Playa Science & Technology: Insurance with Intelligence®

People like you like us. Passionate. Discerning. Independent.


Further reading:

Tales from the crypto: the rise and fall of bitcoin – The Economist

Greater fool theory: The bitcoin bubble – The Economist

Beyond bitcoin: Bitcoin is no longer the only game in crypto-currency town – The Economist

Unless you live in Atlanta, Georgia, you might have missed the news that a good part of the city’s administration was reduced to old-fashioned longhand reporting and take-a-number, stand-in-line customer service last week. The reason? A ransomware attack demanding $51,000 in bitcoin.

If it sounds crazy to have police officers and sewer department officials writing up arrests and requests using pen and paper, then consider this: Atlanta was far from alone. At the same time that the southern city was struggling, the city of Baltimore’s essential 9-1-1 system had to turn to manual dispatch for almost 24 hours and the tiny town of Leeds, Alabama (pop. 11,700) had to pay hackers $12,000 to get their computers up and operating again.

A 2017 survey conducted by the International City/County Management Association showed that, as well as private businesses, almost half of local governments admit to experiencing cyberattacks on a regular basis. Many have no idea how often they are attacked, and even more admit to having no idea whether their system has been breached or not. This level of vulnerability appears to be matched by a level of apathy: more than half of those who are attacked don’t even bother keeping track, and Atlanta officials admit that they were warned a year earlier of the weakness of their cyber defenses, yet they did little or nothing to protect themselves. An intelligence expert who previously directed Israel’s Mossad refers to cyberattacks as “soft nuclear weapons” that are aimed at organizations — public and private — around the world.

Whether the target is a government or a private entity, prevention of attack and mitigating damages starts with a recognition of the threat. Internal users need to be made aware of risk and trained on appropriate actions, and funding for cybersecurity as well as persistent data capture and storage need to be increased. Though storage costs will grow, failure to store clean backups on a regular basis will mean long periods of blackouts. One week after Atlanta was attacked, only a few employees had been given permission to even turn their computers back on, and a spokesperson for the city said, “It will take some time to work through and rebuild our systems and infrastructure.” That means that almost half a million citizens have been impacted, and the city’s government will bear the financial brunt.

Ransomware attacks demand payment in cryptocurrencies specifically because they are considered virtually untrackable while remaining easily traded. Interestingly, the blockchain technology that enables cryptocurrencies may also hold the answer to prevention, as using the technology within an organization renders it “virtually impenetrable.”

Whether your organization is able to enact the appropriate safeguards and technologies to protect itself before a major attack is a matter of finances and motivation, as well as a bit of luck.

Having a comprehensive insurance policy that anticipates and mitigates the impact of cybercrime should be an essential element of your risk planning. For more information on how we can help safeguard your organization from the financial impact of ransomware, contact us today. Email us here, or call us on 646-665-7737.

This is the tenth year that Trustwave has been publishing their security report, which is based on a careful analysis of their own internal research, data-breach investigations, and reports on international cybersecurity events. In the years since the company’s first report there has been a notable shift: where cybercriminals once cast as wide a net as possible, indiscriminately pursuing weaknesses wherever they could find them, they are now identifying high-value opportunities, carefully assessing vulnerabilities and taking advantage of them.

The 2018 report details the persistent insidious activities of individuals, criminal syndicates, and rogue nations as well. If your role is managing risk in your organisation, you should know:

North American businesses are the top targets – though cybercrime is an international problem, 43% of all data breaches reportedly took place in North America, with the Asia Pacific region following at 30%. A combination of Europe, Africa and the Middle East represented 23% of attacks and Latin America represented 4%.

Retailers are at risk – when identifying the types of businesses that are most frequently targeted, retail leads with 16.7%, while finance and insurance industries are not far behind at 13.1% and hospitality represents 11.9%. Of note was a sharp increase in the number of service providers that were targeted this year. Just two years ago, so few of these types of entities reported breaches that they did not register on Trustwave’s report, whereas for 2018 they represented 9.5% of compromises. Because these companies can be linked to numerous other targets, these threats are of particular concern.

Organization and preplanning by cybercriminals has increased – careful analysis has revealed that cybercriminals are spending extensive amounts of time searching for vulnerabilities and developing tools with which to exploit them. Some attacks have involved cross-site scripting, SQL Injection, Path Traversal, Local File Inclusion, and Distributed Denial of Service, while others have allowed eavesdropping and command of sensitive information in web applications.

The human element remains the weak link – the most prevalent method of compromising an organization remains human trust. There have been a growing number of executives who have been tricked into authorizing fraudulent financial transactions.

Despite the best efforts of organizations to protect themselves, the number of cyberattacks is expected to continue to increase. Trustwave’s chief marketing officer Steve Kelley said, “As long as cybercrime remains profitable, we will continue to see threat actors quickly evolving and adapting methods to penetrate networks and steal data.”

To protect your organization against the very real impact of cyber crime, it’s essential that you do a thorough risk analysis. Think: what could a data breach cost our business?

– in lost income?

– in reputational damage?

– in loss of trust?

– in forensic/investigation costs?

– in notifying customers?

– in legal costs?

– in fines?

As well as risk management in systems and processes, you need to protect yourself against the financial impact – with a robust Cyber Insurance program, tailored to your organization’s actual risk exposures and areas of work. To discuss your cyber liability insurance needs, get in touch with us today. Get a free quote here, or call us on 646-665-7737.

La Playa offers affordable insurance protection in cyber space for arts organizations. But why do you need Cyber Liability Insurance? Most arts organizations would agree that data or information is one of their most important assets – it’s almost certainly worth many times more than the physical equipment that it’s stored upon. But the risks are not just about data:

1. Your data is an important asset – but it’s not covered by standard property insurance policies.
Your data is probably worth much more to you than the physical equipment it’s stored on. Many arts organizations don’t realize a standard property policy wouldn’t respond in the event that this data is damaged or destroyed. La Playa’s Cyber Liability Insurance portfolio policy can provide comprehensive cover for data restoration and rectification in the event of a loss – no matter how it was caused, and up to the full policy limits.

2. Systems are critical to your day to day work – but downtime isn’t covered by standard business interruption insurance. Most arts organizations rely on systems to conduct their core business, from marketing to electronic box office. But traditional business interruption insurance doesn’t cover hack attacks, viruses or malicious employee interference. Our Cyber Portfolio policy provides cover for loss of income associated with a computer virus or denial of service attack.

3. Cyber crime is the fastest growing crime in the world, but most attacks aren’t covered by standard property or crime insurance policies. New crimes are emerging every day. The internet means that your organization is now exposed to the world’s criminals and is vulnerable to attack at any time of the day or night. Phishing scams, identity theft, and telephone hacking are all crimes that traditional insurance doesn’t address. Cyber Liability Insurance provides comprehensive crime cover for a wide range of electronic perils that are increasingly threatening the financial resources of arts organizations.

4. Third party data is valuable – you can be held liable if you lose it.
We all hold more data than ever before, and often this data belongs to audiences, donors and suppliers. Contracts and agreements contain clauses around data security that can leave you liable for expensive damages claims in the event of a data breach.  Increasingly, consumers are also seeking legal redress in the event that an organization loses their data. This risk is even greater if you hold data on US consumers.

5. You could face severe penalties if you lose credit card data
Global credit card crime is costing billions, and increasingly this risk is being transferred to the organizations that lose the data. Under merchant service agreements, organizations can be held liable for forensic investigation costs, credit card reissuance costs and the actual fraud conducted on stolen cards. These losses can run into hundreds of thousands of dollars for even a small organization. Cyber insurance can help protect against all of these costs.

6. Complying with breach notification laws costs time and money
GDPR brought with it a raft of new regulation around breach notification, with 72 hour deadlines and hefty fines for non-compliance. These generally require that if you lose sensitive personal data, you provide written notification to the individuals potentially affected. Customers who have had their data compromised expect openness and transparency from the organizations they entrust it with. Cyber Liability Insurance provides cover for the costs associated with providing a breach notice.

7. Your reputation is your number one asset, so why not insure it?
Any arts organization lives and dies by its reputation. Although there are certain reputational risks that can’t be insured, you can insure your reputation in the event of a security breach. When your systems have been compromised, you run a risk of losing the trust of your loyal customers – which can harm your business far more than the immediate financial loss. Our Cyber Portfolio policy will not only help to pay for the costs of engaging a PR firm to restore this for you, but also will reimburse you any loss of current or future income.

8. Social media claims are on the rise
Social media is the fastest growing entertainment channel in the world. Information is exchanged at lightning speed and exposed to the world. But often you have little control over what’s said and how it’s presented – you could be liable for the actions of your employees on sites such as LinkedIn, Twitter and Facebook. Cyber Portfolio will cover your costs arising from leaked information, defamatory statements or copyright infringement.

9. Portable devices bring new data risks
Portable devices and remote/home working mean that important and confidential data can be stolen or lost much more easily. A laptop left on a train, an iPad stolen in a restaurant, or a USB stick going missing are all good examples. In addition, the devices themselves are being targeted with a growing number of viruses being built just for them. Cyber Liability Insurance will cover the costs associated with a data breach following a loss, theft or virus attack on a portable device.

10. Hackers don’t just go after big business – you’re at risk too
Whilst the high-profile hack attacks often involve big companies, small organizations are also at risk and often don’t have the financial resources to get back on track after a hacking attack or other kind of data loss. In fact, over a third of global targeted attacks are aimed at businesses with fewer than 250 employees. Cyber attacks are quickly becoming one of the greatest risks faced by smaller companies, making Cyber Liability insurance a must. It can help protect against the potentially crippling financial effects of a privacy breach or data loss.

Case Study
A UK arts venue had malicious coding inserted into their files from an outside virus attack with the aim of infecting every visitor to their website – despite having suitable firewalls in place. On discovery, the website had to be closed down, a temporary site built – and months later, a permanent one. The costs of the investigation, the temporary and permanent new websites amounted to around £12k. With no Cyber Insurance in place, this was a significant hit to the venue’s finances.

The Taiwanese company responsible for making the chips that power the Apple iPhone, as well as other popular devices, was the victim of the debilitating WannaCry computer virus. The attack so significantly impacted the operation of Taiwan Semiconductor Manufacturing Co.’s (TSMC) factories that it is expected to delay global shipments and reduce the company’s revenues. The company says that the attack happened at the worst possible time, just as its operations were ramping up in response to the release of Apple’s next model iPhone.

The company revealed that the WannaCry virus outbreak occurred on a Friday, that they were able to restore 80 percent of the fabrication tools by the following Sunday morning, and that they expected full recovery by the beginning of the following week. Still, despite the quick turnaround, they announced that shipments would be delayed and that they calculated the attack would lead to a three percent decline in third quarter revenue and a one percentage point drop in operating margins.

Though the company’s quick recovery means their predicted profit margin is not expected to change for the year as a whole, the attack serves as a stark reminder of how vulnerable the world’s supply chain is to attacks by cybercriminals, and how an attack on one company can not only affect its operations, but the operations of all those that depend upon them for the supplies that they produce. TSMC reports that there was no confidential information compromised by the attack and that it has taken steps to strengthen its internal security measures as a result of the attack, which they blame on a “misoperation” when a new tool’s software installation process was initiated: operators failed to scan the tool’s software for malware before it was installed. Once the virus had infected the new tool and it was connected to the company’s computer network, it quickly spread to every other tool in the factory.

This type of cybercrime is becoming more and more prevalent, and is expected to cost global business up to $8 trillion in damage over the next five years. TSMC’s Chief Financial Officer, Lora Ho, said, “TSMC has been attacked by viruses before, but this is the first time a virus attack has affected our production lines.”

The attack is directly linked to the 2017 WannaCry cyberattacks, which brought many companies to a standstill as they searched for a fix for the ransomware attack. Though TSMC may not be a household name, it is the world’s largest chipmaker, and its role in production for Apple and other companies makes it clear that in the digital age, bad actors can have an enormous impact with a small action.

The ever-present risk of cybercrime means that businesses must be proactive in their approach to protecting themselves. Cyber risk insurance coverage can protect against the costs, expenses and liabilities of restoring or recreating data, the costs you can incur when an outsourcer is attacked, business interruption, and more. Call us to talk about how we can protect your business today.

There are four key areas through which you can mitigate the risks of cloud computing:

1. The contract: make sure you have meaningful liability terms, with each party’s duties carefully articulated – otherwise the contract could prove ineffective. The most important terms in the contract are those which establish which party bears the loss if the service provider suffers a security breach. Ask the provider to indemnify you for losses as a result of a data security breach. These costs might include breach notices, attorney fees, mailing costs, credit monitoring expenses and call center expenses. Look closely at, and modify if necessary, clauses that limit the provider’s liability and consequential damage disclaimers. The contract also needs clear exit terms in case the provider becomes insolvent, with provision for you to get your data back or transferred to an alternative provider (including from third parties).

2. Due diligence: make sure your provider can deliver on their promises. The Cloud Security Alliance provides a framework of security concepts and principles designed to help you assess the overall security risk of a cloud provider.

3. Incident response procedures: try to lock your provider into incident response procedures that dovetail with your own. Stipulate:

  1. immediate investigation after a breach
  2. mitigating, remediating and notifying you promptly
  3. providing written reports and status reports after breach
  4. retaining information relevant to the breach: logs, planning documents, audit trails, records and reports
  5. an obligation for the provider to preserve data (and initiate a ‘litigation hold’) and allow your own forensic investigation and preservation process; permission to conduct your own forensic assessment of a breach – or for them to undertake it, providing reporting and information
  6. limited use of third parties to handle data without your consent, and a requirement to conduct full due diligence on third parties and impose contract terms similar to your own terms with the provider.

4. Good insurance: the fourth emergency service is of course a good insurance policy: don’t under-estimate the costs associated with an incident such as a data breach. The language used in policies varies widely – make sure yours covers your real exposures.

Buying cloud is a leap of faith. Before making the decision to move your data to the cloud, work through the potential risks, and make sure you control the risks through the contract. In choosing a provider you may be offsetting price against safety and control – so your choice will depend on the sensitivity of your data.
