The WCI will present cybersecurity as a breakout on Wednesday, December 15, 2021 (8-12:15, Crystal Ballroom J-1). I am honored to be hosting that breakout with the UWF Center for Cybersecurity, GoldSky Cyber Security, and Eric Adams, a Tampa attorney experienced in defending businesses that face liabilities as a result of having been attacked, breached, ransomed, or worse. It is going to be an outstanding look into the threats that face small businesses in 2021, the probable path forward through increasing government scrutiny and regulation, and the challenges of tomorrow. It is a "Must-see" on a topic that your business will have to address, now or later.
When? That is a critical question. GoldSky characterizes this as a "war on cyber threat actors." We have heard that vernacular before. The government likes that phrase anytime it begins to focus on problems it perceives as major. For the "small-midsize business" (SMB), this topic is coming to the fore. Virtually all companies will have addressed threat protection by 2030, we have a busy decade before us. But, they contend the volume will be on a bell curve and that some began addressing threats in 2015, and that most will do so by 2025. The next few years will see a frenetic pace as SMB struggle to appreciate threats and guard against them. Will it become your focus before or after your business is stricken?
Where? There is a vast quantity of computer servers out there, places in the cyber world similar to states, counties, and towns in our physical world. Without offending anyone (perhaps), we can all admit that some places are decidedly less safe, less alluring, yes more seedy than others. In the Internet, those seedy spots are in the "deep web" and the very worst are in the "dark web." Do you know the difference? Why would you care? Because those are the spots in which your data will be offered for sale, where your business' reputation is threatened.
Because, with software to protect their identity and anonymity, there are miscreants populating the Internet. They include organized crime, state-sponsored attackers, hackers, hacktivists with a cause, and ordinary people with some purpose or cause, perhaps as simple as boredom. They are in search of data and information, yours. They seek to deprive you of it in exchange for ransom. They seek to simply steal it and then threaten or ransom the people who are exposed within it. They seek to sell that information to other miscreants who will exploit that information for financial or other gain.
How? Intrusion is a usual path. They may trick one of your employees with a clandestine link in an email. They may hide a program or process in a shared document. They may plant a bug on a flash drive and leave it on the steps of your office in hopes a well-intentioned employee will plug it into a computer just to find out who "lost" the flash drive. There are a multitude of threat paths, and each of them depends in large part upon human frailty, forgetfulness, and mistake.
So what? every business in the workers' compensation industry has long labored under the burden of confidentiality and fiduciary. For decades, the treatment records of injured workers have been generated, stored, duplicated, and shared throughout care, recovery, and even palliation. For decades, we have appreciated the sensitivity of that information and spent millions of dollars storing, maintaining, and even shredding such records (and the many copies shared with other treaters, IMEs, lawyers, rehabilitation providers, financial professionals, judges, and more).
The Internet did not create identity theft. It merely made it more lucrative. The Internet allows us to sit in our living rooms and shop for products at thousands of retailers, miles distant, and make our purchases. It has changed the accessibility of those retailers, the convenience. In a parallel, the Internet did not create data security challenges, it merely made theft and attack more convenient for the miscreants.
And, unfortunately, most SMBs are approaching the challenges with the mantra of ignoring the problem in hopes that it will disappear. Others are in panic mode and jumping to solutions they do not yet understand, which may or may not even address their particular threats. Time and again, in preparing for this conference, I have heard "it can't happen to me," "I'm too small for them to fool with," and "I have anti-virus, I'm safe." The fact is that everyone is a target, Everyone will be faced with threats, decisions regarding data protection, assessing of risk, training of employees, compliance with government or client requirements, and financial risk. And, no antivirus can simply provide protection against the panoply of threats.
What if you are the target of an attack, what then? Attorney Eric Adams notes that a breach of your business may impact your company, those who trusted you with data, and even third parties. Will there be financial liabilities you face because you were victimized? That is a chilling thought. You are the VICTIM, and yet the results of some miscreant's breach of your facility could place you in further and ongoing peril. If someone broke into your office and stole critical information, the challenge would be no different. See Lloyd and Harry Wreaking Havoc (November 2021). The Internet just saves them the trouble of actually entering your office.
When you are compromised (not "if"), what are the costs? There will be "response costs" that will include your time, other management time, your IT team, outside IT experts, replacement of computer assets (hardware and software), and the impact on your reputation ("Did you hear about ________, they got hit and lost tons of data, they lost ________ as a client over it"). There will be the chance of being sued, and associated costs of "defense and damages." And, there are the potentials for costs and penalties imposed by the government for failing to protect or safeguard the information in your possession. Costs. There are a multitude of them. Attorney Eric Adams will provide critical thoughts and advice on this subject.
Then, he will address the potentials for limiting liability. Every business makes decisions regarding risk tolerance. Each will make decisions about the potentials for liability and the products available for mitigation. Cost of insurance coverage, availability of coverage, and perceived benefit will all be worthy of consideration. Mr. Adams will outline the "first-party" coverages that provide support and response to your business after a breach. He will dive into "third-party" coverage, in the event that the breach of your business results in damages to others (your customers, suppliers, vendors, or more).
A major consideration in any discussion of insurance is the prevalence of "exclusionary provisions," that is contract clauses that result in non-coverage. Through stated "exclusions" and through word definitions that create exclusion, insurance policies can be a difficult read. Mr. Adams will provide insight and an overview of the complexity that may present in evaluating a cyber-coverage purchase or in dealing with the aftermath of an attack.
How will you plan for an attack or react? Strike that, when will you be well enough informed to decide how you will plan or react. What better opportunity will you get to understand the threats and options than the "Lessons Learned" program from 8:00 to 12:15 on Wednesday, December 15, 2021, at the WCI, Marriott World Center in Orlando (Crystal Ballroom, J1)? This will be a deep dive but is a program for business owners, managers, and more. You may think you are a doctor, lawyer, or any number of other professions. BUT, you are also a businessperson, a custodian of records, and this is a critical concern you will face, now or later.
This program will answer questions, open eyes, and help you appreciate your personal risk and path forward. I am flattered to be involved and hope to see you there.