CYBER CORNER

NEW YORK ATTORNEY GENERAL FINES HEALTHCARE PROVIDER FOR CYBERSECURITY LAPSES

The New York Attorney General (the “AG”) settled with an upstate healthcare provider (the “Company”) over its failure to properly secure the medical data of more than 2,000,000 patients. The settlement requires the Company to invest $2.25 million in cybersecurity improvements and to pay $1 million in penalties, half of which is suspended so long as the Company complies with the order.

In 2023, the Company suffered two ransomware attacks only ten days apart. The AG’s investigation found that the Company had no in-house cybersecurity expertise: it outsourced security entirely to third-party vendors (the “Vendors”) and did not proactively monitor them. The Vendors in turn failed to implement basic controls, including multi-factor authentication, encryption of patient data, and logging of network activity, leaving the Company’s networks exposed. The AG concluded that the Company’s failure to vet and oversee the Vendors was what left its network weak and susceptible to attack.

The Company’s errors underscore the need for businesses to maintain vendor management, robust cybersecurity, and cyber insurance. A business that outsources its cybersecurity is still responsible for the result, so it must independently audit and review the vendor’s work and its own systems rather than take the vendor’s word for it. Beyond confirming that an outsourced firm such as a managed service provider is reputable, the contract should spell out the controls the vendor is expected to implement (for example, the multi-factor authentication, encryption, and logging that were missing here) and should allocate liability and indemnification in the event of lapses.

Cyber insurance policies also vary by carrier, so not every coverage option will be available to every business, and terms will differ with the industry, the company’s security controls, and its size. An experienced broker can negotiate terms that provide materially better protection.

SOLARWINDS BREACH DISCLOSURES BY TECH COMPANIES RESULT IN SEC FINES

In the Matter of Avaya Holdings Corp., No. 3-22269,

In the Matter of Check Point Software Technologies Ltd., No. 3-22270,

In the Matter of Mimecast Ltd., No. 3-22271,

In the Matter of Unisys Corp., No. 3-22272.

The SEC has imposed almost $7 million in fines on four technology companies it accused of downplaying, in their disclosures to investors, the impact of intrusions into their systems that stemmed from the compromise of their software provider, SolarWinds Corp.

SolarWinds’ software was in use by thousands of companies and government agencies in 2020, when suspected Russian state actors infiltrated the company’s network and used it to reach SolarWinds’ customers. The security failure at SolarWinds itself was the subject of a separate SEC proceeding against SolarWinds. In these four actions the SEC alleged that each company was negligent in how it described the incident’s impact on its own operations in statements made to investors between 2020 and 2022, in substance treating an intrusion it knew had occurred as a generic or hypothetical risk. The penalties ranged from just under $1 million to $4 million, and the companies settled without admitting or denying the findings.

The Takeaway

The SEC has become increasingly aggressive in enforcing companies’ obligation to give investors an accurate picture of their cybersecurity posture. Companies should disclose cyber incidents promptly and describe their actual scope, rather than folding a known intrusion into boilerplate risk-factor language. They should also review their Cyber and Directors and Officers (D&O) insurance policies to determine how each would respond to a disclosure-related enforcement action against the company and its individual officers.

CUSTOMER LOYALTY WANES IN THE WORLD OF CYBER ATTACKS

Hiscox’s 2024 Cyber Readiness Report (the “Report”) examines the range of consequences for companies that suffer cyberattacks: data breaches, financial losses, reputational damage, and, of particular concern, lost customers. Cyber events are growing more frequent and more sophisticated, with 67% of the companies surveyed reporting an increase in incidents over the past year. Among companies that were attacked, 47% reported difficulty attracting new customers and 43% reported losing existing ones as a result.

The Report also considered the “human factor,” with employees rising to the third most common point of entry for attackers. It noted that companies are rapidly adopting “disruptive technologies” such as artificial intelligence (AI), the Internet of Things (IoT), and cloud computing in pursuit of efficiency and better risk management. That shift can be counterproductive: each new technology widens the attack surface, and employees who use it without adequate security training become the path of least resistance for sophisticated attackers.

More companies have turned to cyber insurance to manage this risk. Cyber insurance remains critical in cushioning the financial impact of an attack and funding rapid recovery. The Report also stressed keeping security technology up to date, since outdated and unpatched software remains one of the weaknesses attackers most reliably exploit.

The Report recommends that companies build robust internal cyber resilience programs and devote resources to well-structured security practices; investment in employee training, for example, directly improves preparedness for a cyber event. Combining insurance with strong internal risk management and preventive controls leaves a company far better equipped to withstand cyber risk.