The recent cyberattack on the Milwaukee Bucks has garnered quite a bit of media attention. Players and staff of the team had their 2015 W-2 records compromised after a team employee sent the records to an email address that appeared to come from the team President, Peter Feigin. This is yet another example that no company is immune to the threat of hackers, but certain plays can be practiced to guarantee you don't lose the cyber liability game.
A Bucks employee received an email that appeared to be from the team president asking for all company W-2s for 2015. Since the request appeared to legitimately come from the team president, the staffer responded to the email with the information requested. Those records included player and staff financials, such as names, addresses, date of birth, Social Security numbers, and compensation packages.
However, the email was not from Feigin. Instead, it was sent from a hacker posing as Feigin (likely using his name and email signature).
The data breach occurred in April, but unfortunately was not discovered until recently.
The Bucks reported this incident to the IRS and FBI immediately after being discovered. Any players or staff who were involved in the breach will receive three years of credit monitoring and also identity restoration services - for life. Various office staff members will also receive additional awareness training. These expenses can become significant, and do not include any information technology services or upgrades the team has incurred since the breach.
Previously, many small companies felt as if a cyber breach simply would not happen to them, but that is not the case today. For example, a Milwaukee area manufacturer recently experienced something similar. There, an employee received an email from the “CEO” requesting a wire transfer to a “vendor.” The request seemed legitimate, so the employee went forward with the wire transfer, only to find out that the email was not actually from the CEO but rather, a hacker.
Because of this increased risk, many companies are opting to purchase cyber liability coverage and even increasing limits if they are already insured. However, not all cyber-related attacks may be covered unless additional coverages are purchased. For example, often times a cyber liability policy does not cover social engineering (the emails received by Bucks or manufacturer employee). Making sure you understand the coverage you purchase, and seek additional insurance if necessary, is crucial to ensuring your company can recover if ever attacked.
Making sure your company is safe from fraud is the first step to ensuring a game winning strategy. Having the correct coverage in place completes the play.