Media Contact: Eric Berman - 781-839-5507 - eberman@marealtor.com

Your Practice is at Risk for Cybercrime – Insuring Against the 'Inevitable'

by JOHN TORVI, Herbert H. Landy Insurance Agency | May 01, 2017
Computer crime takes many forms and there is no shortage of news about the latest data breach, wire fraud event or information on how businesses need to protect themselves from the “inevitable”. Make no mistake, we are all vulnerable to the sophisticated international cybercriminals and their efforts to hack, spam, phish, extort, spoof…and steal, our information and our money.

The consequences are ominous and include theft of data (like your clients’ privileged information), corporate espionage, misappropriation of funds, extortion/ransom, cyberstalking and more. Even with increasing risk for the general business community, real estate professionals are particularly attractive to the fraudsters. Reasons include the socially interactive nature of the profession, including personal meetings, networking, social media, and reliance on personal communication devices; owner-operated businesses that do not have regular IT support; access to confidential information, and the holding of escrow funds.

Cybercriminals are interested in data containing confidential information and/or money. To consider how to obtain the proper cybercrime insurance for your firm, one can start with an analysis of what you have to protect. A business that has data, whether that of employees, clients or potential clients (in Massachusetts especially containing name, SSN, driver’s license number and/or any type of financial, date of birth, credit card or bank account numbers), but does not act as a custodian of other people’s funds, can consider a cybercrime or privacy breach policy. Such a policy might respond and pay for credit card monitoring, notifications of breach, forensics, data restoration, reputation repair, credit card industry fines, first and third party lawsuits and data extortion costs.

If a business holds others’ funds in escrow, trust, or IOLTA-type accounts, then a policy that includes computer fraud, wire fraud, and social engineering coverage would be appropriate. Certain businesses might benefit from employee dishonesty and corporate espionage coverage as well (a disgruntled employee can steal privileged information for sale to the highest bidder).

Insurance policies and crime bonds developed to protect businesses from cybercrime can take many forms. The problem is a relatively new one and the insurance industry is evaluating how best to provide coverage, assess the real risk of claims, and determine pricing. These policies contain multiple “insuring agreements” that define coverage as well as liability limits for the various aspects of coverage.

For example, a policy from Company A might contain different definitions and amounts of coverage for computer crime, e-commerce fraud, forgery or fraud, fund transfer fraud, and so on than Company B. The options can make purchasing the right coverage more complicated, but the end result should be obtaining a policy that best meets the risks your business has at a price that is appropriate for the coverage purchased.

Numerous policies are available from quality insurers, but it should be noted that errors & omissions and business office liability policies provide little to no real protection from cybercrime. Many policies may offer risk management assistance, hot lines, and other useful information to prevent a cybercrime in the first place.

Real estate professionals can take preventative steps to minimize this risk, though not eliminate it. All offices and agents should use encrypted software, email, and password-protected phones and tablets. Strict protocols should be in place for the custody and transfer of any funds. No professional should be conducting business on unprotected domains such as Google or Yahoo nor making the private information of any party available on social media.

Massachusetts law requires the development and use of a Written Information Security Plan (WISP) and adherence to MA General Law 93H governing data and privacy protection. A business information plan that exceeds these requirements is prudent. If the bad guys can breach the US government, Target and major hospitals, then making one’s business more secure, and purchasing insurance against the “inevitable”, can be a prudent decision.