The Growing Threat of Cyber Risk to Your Club

by Toni Shibayama

Imagine you’re a Club General Manager. It’s Friday evening, and you are just sitting down to dinner after a long week. You get a call from your HR department, and the conversation starts like this: “Our members are calling and they are telling me their personal information has been hacked. I called the bank and they said a cyber thief got into our members’ bank accounts that we use to debit for membership fees. Are we covered?”

It’s an excellent question, and one that you had better have an answer for.

When the subject of cybersecurity comes up, we often think about credit card fraud. But it’s more than that, and the financial impact goes much further. No industry is safe.

Recently, 4,000 members of Wentworth, one of England’s most exclusive golf clubs, were warned that their personal details may have fallen into the hands of hackers following a ransomware attack. However, according to The Telegraph, the first club members knew of the problem was when an unauthorized message appeared on the “Wentworth at Home” internet page claiming that “your personal files are encrypted!” and demanding a Bitcoin cryptocurrency payment for a decryption key.

Wentworth is not an isolated incident. This year, the email account of Clubster founder William King was hacked, resulting in members of 10 U.S. Clubs, including Anderson Country Clubs, receiving messages replete with racial slurs and expletives. The National Club Association recently surveyed its members and found that only 41% had conducted a cybersecurity vulnerability assessment within the past year. The survey also reported that 63% of respondents recognized their vulnerability to a security breach and only 49% indicated they had done any training to raise their staff’s awareness of cybersecurity. Folks, ignoring the problem won’t make it go away.

Cyber criminals are sophisticated and well equipped to go after the goldmine of information collected by businesses, nonprofits, and government entities. One of the largest data breaches in history, at Target stores during the busiest three weeks between Black Friday and December 15, affected as many as 40 million people who used their credit cards. An investigation by the Secret Service revealed 1,797 stores around the country were involved. Like Wentworth, Target was not alone: other major data breaches included those at Neiman Marcus, White Lodging, Sally Beauty, Michaels, Affinity Gaming, City of New York, PF Chang’s, Albertsons & SuperValu, Community Health Systems, UPS, Dairy Queen, Goodwill, Home Depot, Jimmy John’s, JP Morgan Chase, Sourcebooks, Kmart, Staples, Bebe, and Sony. From these breaches, hackers leaked five unreleased movies and 47,000 Social Security numbers, some with other personal information like full names, dates of birth, and home addresses, increasing the chance of identity fraud.

According to a report by the Cybersecurity Unit of the U.S. Department of Justice, any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. The report claims that a quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs, by preparing a plan for before, during and after a cyber incident.

But it’s important to be aware that not every data breach is initiated by some criminal type skulking about in a dark basement sitting in front of three large computer screens. Sometimes the attack comes close to home.

Last year, a controller of a large Club sent out a message to members about a large construction project and asked them to wire money to help pay for the project. Unfortunately, through the account he gave, the controller was able to divert a portion of the monies into his personal account. This went on for many months before he was caught.

So what is the game-plan when it comes to preventing cyber-theft? First, start by identifying your mission-critical data and adopting the risk management practices found in the National Institute of Standards and Technology (NIST) Cybersecurity Framework before an incident unfolds. Then, when an incident occurs, be prepared to assess its scope and nature, including whether it is a malicious act or a technical glitch. After recovering from a cyber attack, continue to monitor for any anomalous activity to make sure you have regained control of your network. Conduct a post-incident review to identify any deficiencies in the planning and execution of your response plan.

But most importantly, make sure you have cyber and privacy policies that cover your Club’s liability for a data breach in which your members’ and employees’ personal information, such as Social Security or credit card numbers, is exposed or stolen by a hacker or other criminal who has gained access to the firm’s electronic network. The policies should cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft.

Also, the policies should cover liability arising from website media content, as well as property exposures from (a) business interruption, (b) data loss/destruction, (c) computer fraud, (d) funds transfer loss, and (e) cyber extortion.

Breaches are now just a part of life, and yet when they happen, too often companies pull out an outdated incident-response plan that hasn’t been looked at in two years or, worse yet, the plan isn’t on the shelf when you reach for it. Meet with your insurance broker and legal team to discuss possible scenarios, whether it be employee dishonesty or cyber attacks. Cyber-theft is on the rise, and the best thing you can do is make sure your Club is ready when, and if, it hits.

Toni Shibayama is a Broker/Risk Consultant for S&K Insurance in Southern California. She has more than 15 years’ experience in risk management, job safety, Workers’ Compensation, wellness and HR consulting. Toni is also the author of “The Private Club General Manager’s Big Game Playbook.”
She can be reached at toni@sk-insurance.com and by phone at 213.627.5204.
