One day, a payroll accounting employee at Scotty’s Brewhouse in Indianapolis received an email from the company’s CEO. The email requested the employee send all 4,000 of the company’s employee W-2 forms in PDF format. The employee did.
Turns out that email did not come from the CEO. It was a scam. Those 4,000 W-2s were sent to god knows who for god knows what. This style of scam — phishing or social engineering — is a little more sophisticated than all of those Nigerian princes out there who just need your bank account routing number to send you their riches. These emails come claiming to be from the IRS or FedEx or a company’s CEO.
With W-2s, hackers then immediately file false tax returns to obtain refunds, which is tax fraud. Since the W-2 contains personally identifiable information, a brewery in Scotty’s situation must notify all victims of this hack, provide and pay for credit monitoring and indemnify victims who may suffer financial loss due to tax fraud. Then of course there is the negative stigma and possible loss in reputation that comes with such a headline, which may require additional public relations expenses to overcome.
Here are your cyber security risks
Web-application attacks are the most common risks, accounting for 40 percent of all data breaches. They’re usually the result of employees on the internet visiting a site with a virus or malware. When they click on a certain program, it ends up infecting the entire insured system, causing a breach. Employees can also be responsible for other miscellaneous errors that cause a breach, such as losing paper files that contain personal information, leaving personal information visible online and mailing personal information to others by mistake.
Breweries need to be careful, not just to avoid these email tricks, but also in how they handle credit card payments — POS intrusion is the second-leading cause of data breaches. Online sales and transactions can also be denied by hacks that disrupt operations, leading to a loss of business. In certain situations, cyber-attackers will infect the brewery’s computer system with ransomware and encrypt data. The hackers then demand a ransom for the encryption keys. Without those keys, the brewery will no longer have access to that data and will either have to pay the ransom or pay other companies a large sum of money to resolve the issue.
How to protect yourself
We asked Larry Chasin, insurance program manager at BreweryPak, what his firm recommends for breweries in need of stepping up cyber security protection.
“Considering POS intrusion is the second leading cause of a breach, merchants must become more compliant in accepting credit cards with chip technology,” he said. “In fact, as of October 1, 2015, all merchants should have the proper processing technology for accepting chip cards. However, most merchants in the U.S. do not, as the estimated number in compliance sits below 50 percent.”
Merchants without this chip card processing technology are more vulnerable to a data breach and won’t be reimbursed by the payment card industry for fraudulent credit card transactions. For example, purchases made with a stolen credit card will not be compensated if the merchant isn’t following the “standards” for credit card processing technology. On top of that, they are subject to fines from the payment card industry, which are typically covered under Cyber Risk coverage.
Cyber Risk coverage typically addresses third-party liability of insureds, as well as wrongful acts including infringement of copyright or trademark and defamation. These are typically associated with content posted to a website. Breaches that may reveal personally identifiable information of others or cause transmission of a virus to a third party should also be covered. The first-party expenses breweries should think about include extortion threats, business income, public relations, legal fees and credit monitoring.
Note that these exposures are not covered under the typical property and liability policy. In order to address these risks, specialized endorsements and policies must be made. We’d suggest finding an insurer that specializes in breweries and wineries and understands their unique risk exposures; such an insurer is best suited to provide brewery owners with the cyber coverage options that are right for them.
“From a risk management perspective, breweries should make Cyber Risk prevention a high priority for all levels of leadership,” Chasin said. “Cyber Risk prevention is no longer just an IT issue but a responsibility to be shared by all employees no matter their position. It’s important to have policies and procedures in place regarding the handling of personal information and social media use. An organization’s security is only as strong as its weakest link, making employee training and awareness a priority. Limit data access to only authorized personnel and properly train employees on cyber security issues to keep your company protected.”