Ransomware, extortion, and social engineering are on the rise—be sureyour clients are protected
When advising a client, nothing is more daunting for an insurance professional than trying to explain an insurance concept that is not widely understood. This challenge confronts agents and brokers who need to persuade risk managers and business owners of all sizes to recognize the importance of maintaining effective cyber liability insurance.
A good policy will pay for PR, crisis management, and legal expenses as well as the cost of reputational harm.
Unlike the well-worn paths of more traditional insurance products, cyber coverage is constantly changing and expanding. Technical jargon abounds. And explaining the need for certain coverages or limits and how those might apply to a particular client is complicated at best, confusing at worst.
Common cyber liability concepts, however, have begun to emerge that can help ground the cyber liability
discussion. Paired with some examples, these concepts can be used by agents and brokers to show customers just how real the threats are and how vitally important appropriate protection is.
The backbone of cyber liability
Cyber crimes come in many shapes and forms, but most cyber breaches can be examined based on what they affect: data, systems, or both. At its core, cyber liability protects companies from the breach of and compromise of data, such as credit card numbers, health information, or basic customer and employee data. Cyber liability also protects companies when a cyber breach shuts down a company by infecting vital systems, locking down data, or breaking internal or external business processes or supply chains such that the company cannot function until the problem is rectified.
For example, a manufacturing company that uses modern production methods and interconnected machines or systems to create and sell goods may have several vulnerability points for cyber attacks:
- The actual equipment it uses and the technology that networks it together
- The sales software that maintains client and potential client data
- Accounting software with vendor and customer bank, credit card, or other protected data, email systems, a website, and other information
If that company were the victim of a cyber attack, it could compromise employee or client data. Or it could shut down production in a multitude of ways that management may not have considered.
When looking at a cyber liability policy, an insured will want and need to know:
- “If data gets out and I am sued by customers/vendors, will that be covered?”
- “If data has been accessed, compromised, or was lost/destroyed/stolen, am I legally required to notify people?”
- “Will the cost of notification be covered—or, better yet, will it be covered even when I morally should notify but do not legally have to?”
- And finally, “If I have to shut down to get this issue fixed, will the insurance pay for my lost income?”
The answer to each of these questions undoubtedly should be “yes.” Many companies, however, also need to consider indirect but potentially expensive problems that can arise in the aftermath of a cyber attack beyond the basic functions of a business. A good policy will pay for PR, crisis management, and legal expenses, as well as the cost of reputational harm.
It is common for a BOP or package policy to include small amounts of some of these coverages, but agents cannot rely on that alone. The average cost per record for notification and remediation expenses is in excess of $200. Therefore, if a company has more than 250 customers, employees, and/or records of any kind, a stand-alone cyber liability policy is vital.
Common cyber threats and attacks
The first cyber risk we’ll address is ransomware vs. extortion. Imagine you are the CEO of a trucking company and you arrive at work one morning to find an email from an unknown actor. The email says that an invisible entity has penetrated your internal (or other) systems and you cannot dispatch any drivers, load any cargo, or perform any basic functions because you cannot get into your computer systems. The criminal says your systems will be released if you pay $100,000 in bitcoin. This is ransomware: the demand for money to regain access to your own data or systems.
Now imagine you are that same CEO and you arrive at work to find a message that says an anonymous actor has penetrated your internal (or other) systems and will release all your customer records, trade secrets, credit card data, employee health records, etc., unless you pay $100,000 in bitcoin. This is extortion: the demand for money to prevent a criminal from releasing sensitive data.
In both of these cases the CEO would need to have a backup computer system installed, bring in forensic techs to clean out the breached system, notify individuals that their data may have been compromised, potentially (if no backup exists) pay the ransom or extortion, hire a PR firm and crisis management expert, and potentially much more.
What on the surface looks like a loss for the payment of the ransom or extortion actually will cost considerably more. Your system could be shut down for weeks as it’s being restored, resulting in massive amounts of lost profit and reputation on top of everything else.
The second kind of cyber event is social engineering. This occurs when an employee is asked for money (usually to pay an “outstanding invoice”) by phone or email and pays it in good faith, only to find out later that it was fraudulent. What makes this cyber crime so frustrating is that it can be both simple and highly sophisticated. The invoice may appear to come from the CEO’s email address, or it could be an existing invoice that has been approved and at the last minute the wire or payment instructions change to a new account.
Social engineering is a new version of the old email scam about a friend traveling abroad who needs you to wire her money. This kind of scam can be difficult to avoid under the best of circumstances. Therefore it’s important to have multiple employees check invoicing while maintaining checks and balances to help prevent these attacks.
It’s important to note that the average cost per attack has gone up year over year by a large margin. Also, this is one of the more commonly occurring attacks. Losses happen often and can involve a huge cost that most companies, particularly smaller ones, cannot afford.
The third kind of cyber crime we’ll discuss is malware, the bane of your IT existence. The likelihood of your computer, at this exact moment, having malware installed on it is so high that you should automatically assume it’s happening. Malware is any kind of software that is designed to cause damage or destruction. Two aspects of malware are particularly important in cyber crime.
The first, within the context of cyber liability, is how malware gets into your system or computer to begin with. Evil software can be lurking just about anywhere online; common culprits include email attachments, links from emails, and links in social media posts. Imagine an employee on a networked computer using Facebook and clicking a link from a random post. Any malware hidden in that link can end up infecting your entire IT system.
The second and often overlooked issue surrounding malware is the overall havoc it can wreak. Malware can be designed to allow someone access to your system; it can cause system shutdowns; and it can erase data, lock data, or even publish data. Malware can sit on your system undetected for months if not years, allowing outside parties even more time to cause mayhem. According to a recent study, the average cost of a cyber breach caused by malware was more than $450,000, ranking it the third costliest event after the loosely defined “hacker” or rogue employee.
Smaller companies at risk
In 2017 more than 50% of all cyber claims were reported by businesses with less than $50 million in revenue. Although the big companies of the world may make headlines when they disclose a cyber breach, the vast majority of firms affected fall into the small business category.
Why? First, they are less likely to have sophisticated (or any) cyber defenses. Second, employees and company owners are less likely to be proactive about preventing cyber crime. This includes regularly and educating employees about ways to keep data safe and ensuring that employees feel comfortable calling IT (or another appropriate department or individual) if they are worried about opening a suspicious email attachment or social media post. Finally, and most important, 60% of small and medium-sized businesses that had a data or system breach were unable to recover and went bankrupt within six months of the incident, according to the National Cyber Security Alliance.
The threat of a potentially business-closing cyber attack at any moment underlines the importance of quoting cyber liability insurance for every client—regardless of size—and explaining why it is so vital. As insurance professionals, the onus is on us to help insureds understand the changing risk landscape we face today.
Ellie Feldman is managing director of Wingman Insurance, a software and insurance entity that provides a platform designed to let agents across the country quote cyber and tech risks in under 60 seconds. This is the first in Ellie’s short series of articles on cyber-related issues.