In a recent report by Allianz Global Corporate & Specialty (AGCS), Global Head of Financial Lines Vanessa Maxwell cautions that cyber risk for businesses is still high so preparations should be made to mitigate losses.
“Cyber risk remains at an elevated level and is now seen as a core duty of D&Os [directors and officers], with increasing scrutiny on how they respond,” she said. “Meanwhile, ESG [environmental, social and governance]-related liabilities – whether it is inadequate action on climate change or diversity and inclusion issues – can potentially become significant exposures for D&O insurance as well.”
Issues such as data security and information protection are now core areas to watch for directors, according to the report. Investors increasingly view cyber security risk management as a critical component of a company’s board risk oversight responsibilities. As fiduciaries, board members are therefore expected to develop and maintain accountabilities for IT security before, during and after any cyber incident, AGCS says, and alleged failures can be seen as a breach of duty.
“Ultimately, strong cyber security is down to the culture of the company and its people,” said Rishi Baviskar, AGCS global cyber experts leader, in the report. “Directors and executives need to lead by example and ensure that good cyber hygiene such as data privacy and information security trainings are regularly carried out and the company’s cyber security processes and policies are understood by staff and all relevant third parties.”
For example, last week the Chicago Police Department’s Crime Prevention & Information Center sent out a cyber security alert concerning hacking in vehicles via SIM cards. The alert notes the information was pulled from a car hacking research article written by a “self-described security consultant, hacker, and bug bounty hunter.”
The alert reads, “The publication claims the ability to remotely compromise vehicle software and operations via SIM cards installed on multiple brands of vehicles, access personal identifiable information and geo location history of vehicles through automotive industry
Spark Underwriters Chief Underwriting Officer David Willett told Repairer Driven News cyber threats are widespread and can occur anywhere.
“A lot of the cyber thieves have gone into attacking your data because the protections and duplicate records and ability just to ignore some of the extortion threats have caused them to grab data and pull it out to use that as a bargaining chip for their extortion requests more so than locking down their system,” he said. “A result is you can pay them but it doesn’t mean they still will not display the information somewhere because [there’s] value in selling that to people.”
Willett noted new legislation in California that aims to protect personally identifiable information (PII) has caused a shift in the discussion within the collision repair industry and others about carefully reviewing PII safety measures and end-user license agreements (EULAs).
“I think a good practice in that area has been to have somebody who’s used to reading those legal documents to help that out for you and that that can be your attorney or your insurance provider,” he said. “Also, your IT professional that you hire a lot of times is somebody who your risk assessment, your multifactor authentication and encryption and making sure that you’ve got limitations on that. The individual that does that for you is probably familiar with and can read these things very quickly as well. Before you sign contracts, I think people, you know it’s always a good idea to have somebody look them over.”
Willet also shared information about the National Highway Traffic Safety Administration’s Product Information Catalog and Vehicle Listing (vPIC) platform, which NHTSA says is “intended to serve as a centralized source for basic Vehicle Identification Number (VIN) decoding, Manufacturer Information Database (MID), Manufacturer Equipment Plant Identification and associated data.”
“They put this together with the idea of trying to be able to work on a car without giving out personally identifiable information,” Willett said. “I think that’s something that would be interesting to see whether the systems that everybody’s working with… would it be OK if you put everything in except the last sequential numbers.”
At the Collision Industry Conference (CIC)’s next meeting on Jan. 19 the Data Access, Privacy & Security Committee will hold a panel discussion on the potential exposure collision repairers face in regard to data sharing and chain of custody. The panel will include attorneys Steven Bloch and Manly Parks who specialize in data privacy and review.
The topic is not only current to the industry but also in location as it will be held in California where lawmakers have enacted PII regulations beginning this year. In November 2020, California voters approved Proposition 24, known as the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA) and added new additional privacy protections that began on Jan. 1, 2023.
According to the California Privacy Protection Agency that includes:
- “The right to correct inaccurate personal information that a business has about them;
- “The right to limit the use and disclosure of sensitive personal information collected about them; and
Willett said businesses should be covered in data breaches and ransomware attempts if they carry cybersecurity coverage, which is usually a separate policy from business coverage.
“There are limits available for different items whether it’s data recovery, third-party liability, or extortion ransomware,” he said.
Willett added that coverage varies on when and to what extent it kicks in and for how long. However, coverage is more available and consistently purchased than ever before, he said.
“It’s one of those things that as much as you need to be able to talk to your IT person about whether or not they’re protecting you from cyber security, I think it’s also important to be able to talk to your insurance person and have them to be able to educate you on the risk of it,” Willett said.
And it’s best, he added, for shops’ IT personnel and the insurance companies to discuss with the owner how the shop is protected against cybersecurity risks.
“You get a chance for your IT person to vet out whether your insurance person knows anything about cyber risk and you get a chance for your insurance person to vet out whether the IT person really knows something or whether they’re selling you old security stuff from 20 years ago,” Willett said.
Featured image credit: Just_Super/iStock