HEMIC's Directors of Safety & Risk Management and IT discuss cyber security in Hawaii Hospitality magazine.
This article originally appeared in Hawaii Hospitality's Spring 2022 issue.
In today’s post-pandemic world, a “safer workplace” refers to more than just the physical environment. As workplaces have become increasingly digital, so have their risks. The costs of a cyber incident and its fallout can be devastating, especially to smaller businesses.
- The average total cost of recovery and downtime resulting from a cyber incident more than doubled in 2021, from $761,106 to $1.85 million, reports AGCS.
- In the first half of 2021, cyber intrusion activity more than doubled compared to 2020. Ransomware and extortion operations were the top two drivers behind this rise, according to Accenture.
- The FBI reports a 62% increase in ransomware incidents and a 20% increase in reported losses in the US during the first half of 2021 compared to the same period in 2020.
Hotels, food & beverage operators, and other hospitality-oriented businesses are popular targets for cyber attacks, and not only because they collect customers’ personal and payment card information for bookings, ordering and payments. In response to the pandemic, many businesses adopted new technology to handle these online transactions, support remote workers, and grow their social media presence, and each of these additions has widened their cyber exposure and attack surface.
Since many smaller businesses do not have dedicated IT resources on staff, they have been specifically targeted for cyber fraud, including fraud against federal pandemic aid programs such as PPP loans and, now, ARPA funds.
As such, it is vital that hospitality businesses of all sizes stay on top of their evolving cyber risk and take measures to thoroughly evaluate, secure and insure their cyber exposures and liabilities. Maintaining a safer digital workplace requires two things: a strong technical cyber security defense, and an insurance policy that provides appropriate coverage for the individual business’ cyber risks together with support services, so that, should a cyber incident occur, the business can respond and recover with minimal impact to its operations.
A cyber security assessment evaluates the strengths and weaknesses of a digital workplace, including hardware, software, personnel, and procedures. A useful way to approach cyber security and the corresponding insurance coverages is to consider the Cyber Incident Response Framework (CIRF). This ongoing six-step process is used by cyber security professionals to prepare for, respond to and recover from cyber incidents.
- Preparation. The first step is to conduct a cyber security assessment, which includes an inventory of the technology in use and the data being collected, security awareness training, documentation, and a thorough evaluation of the risks to your business from different types of cyber incidents. For example: What would happen if customer data were stolen? If systems were held hostage by ransomware? If a fraudulent wire transfer diverted a large payment? What would be the impacts and costs to business operations, customer relations, and public reputation?
A cyber security assessment is not a “one-and-done” exercise. It should be repeated at regular intervals, or whenever a change in technology or business model warrants it. Since many organizations do not have cyber security expertise in-house, it is advisable to work with an expert consultancy.
- Detection. This step is triggered by a cyber attack. Detection establishes that an attack is under way and determines the nature and extent of its impact, through forensic analysis of the systems affected, the data or funds compromised, and so forth. Many businesses do not have the necessary technical expertise in-house for this and must hire dedicated cyber security consultants. A cyber insurance policy can pay for these resources or provide them as part of the policy coverage.
- Containment. After detecting an attack, it is critical to isolate it and stop it from spreading. In this framework, containment also covers fulfilling the legal requirements for reporting and responding to data breaches and managing public relations. Breach notification laws vary by state, so businesses must comply with Hawaii’s law as well as the laws of every other state where affected customers reside. Cyber insurance policies vary widely in the coverages, limits, reimbursements and support services they offer to help with legal requirements and public relations. Some policies offer coverage for financial loss resulting from business interruption.
- Eradication. Once the attack has been identified and contained, the next step is to remove the attacker’s foothold, remediate the attack vector, and make sure it cannot be used again. Eradication involves repairing or replacing damaged or compromised hardware and software, as well as confirming that all technology is now “safe” before it returns to service. Insurance policies can provide coverage to pay for external technology resources; some may recommend preferred providers.
- Recovery. The ultimate goal of CIRF is to get the business back online safely and as quickly as possible, with minimal impact to business operations and customer relations. Recovery can include replacing hardware, restoring applications and recovering data. Insurance policies can cover the costs of hardware/software loss and replacement, external cyber security resources, and financial losses resulting from the cyber attack (such as business interruption). Some may include coverage for ransom payments. Playing out the true costs of recovery for your business is key to understanding what you need in a policy.
- Lessons Learned. This final review step is intended to keep a similar incident from recurring. It should take into account all aspects of the CIRF cycle: cyber security, IT support, legal and public relations. Some insurance policies can provide a “breach coach” to lead a post-incident review, offering guidance and recommendations to improve technology and operations and prevent future cyber loss.
At the end of the day, the true value of a cyber insurance policy comes out when it is called upon to respond to a cyber workplace incident. Having appropriate coverages that speak to the individual risks of your specific operations and provide adequate support services and funds can mean the difference between a devastating impact and an efficient, effective recovery to your business operations.