CYBER RISK: THE GOOD, THE BAD, AND THE UGLY
From common causes of data breaches
to avoiding cyber mistake
By Randy Boss, CRM, MWCA, SHRM-SCP
When I started my career in insurance in 1977, I had little fear that someone would hack into my IBM Selectric. That same year the world’s first personal computer, the Commodore, was introduced at the Consumer Electronics Show in Chicago. Six years later, in 1983, the internet was born. Only another five years passed before the first cyber attack occurred: a computer worm designed to replicate excessively slowed the early internet down significantly and caused damages estimated at up to $10 million. Just a year later, in 1989, a hacker created the first ransomware attack, and there has been no looking back since.
Programmers write code to instruct computers to do what they design the program to do, while hackers find ways to break the code to make computers behave the way they want them to. Then programmers are needed to build a patch to correct what the hacker did. Then the hacker … well, you get the idea. Think of it as the circle of cyber-life.
Things have changed a lot as the internet has evolved. Think about how your office reacts when the internet goes down and everyone has to stop working. That’s how it is with most businesses, and it gets even worse when there is a cyber breach of their system.
It’s imperative that a good risk management plan be put in place to handle a cyber breach and the damage it can cause. I call this approach “Flipping the Pyramid.”
The insurance pyramid has three layers: The bottom layer is insurance, the middle layer is cost containment, and the top layer is cost prevention. This traditional insurance approach is the costliest way to manage risk. It’s time to “flip the pyramid” by starting at the top with cost prevention, then cost containment and, finally, insurance. This approach needs to be applied to every risk faced, especially cyber risk. Let’s look at the good, the bad and the ugly of cyber risk and how we can use “Flipping the Pyramid” for better results.
The good
It starts with prevention by partnering with a good IT provider—one that is proactive and not just reactive. They should be able to set up your system, maintain it, and help respond to a breach, as well as do a Compliance Check—a checklist that benchmarks what a business is doing right and what it needs to work on. The results can be used to communicate a good risk score to secure competitive rates and to show your client or prospect what they can do to improve that risk score.
Train employees to avoid a cyber breach. This is critical because a high percentage of cyber breaches are due to employee error.
The good continues with containment by having a Cybersecurity Incident Response Plan, a document that provides IT and cybersecurity professionals with instructions on how to respond to a severe security incident, such as a data breach, data leak, ransomware attack, or loss of sensitive information.
The next step is good insurance, a.k.a. coverage for first-party expenses. Examples of first-party expenses are:
- Incident response and digital forensics services (these alone cost several thousand dollars)
- PR services to manage reputational damage caused by a breach, notification to affected parties, and other expenses involved with directly responding to a cyber incident
In addition, a well-written policy may extend coverage to provide:
- Protection for loss of income related to a cyber event or a system failure
- Cyber-crime protection (financial losses resulting directly from criminal activity). An example is the theft of funds as a result of digital fraud or even social engineering, where an insured is tricked into sending funds to the wrong party
- Damage to equipment arising from a cyber event
Policies should also contain coverage for third-party expenses. This category covers the costs of defending liability or privacy regulatory claims and paying the associated fines and penalties assessed by regulating authorities. Examples include legal fees to defend lawsuits against the company and fines for violating HIPAA regulations.
The bad
Let’s now consider the bad. These are the five most common causes of data breaches:
- Weak or stolen credentials (if your password is “password,” this is what I mean)
- Application vulnerabilities (no patch available or, in many cases, not installed)
- Malware (e.g., keylogger)
- Malicious insiders (disgruntled employees)
- Inside error (cc: wrong person)
Remember, not all cyber insurance policies are the same. When assessing the strength of a cyber policy, it’s a good idea to look for coverage addressing the following five common issues:
- Cyber extortion. Ransomware and DDoS (Distributed Denial of Service) attacks are the two most common types of cyber extortion. Cyber extortion occurs when cyber criminals compromise confidential data or threaten to disable the operations of a target business unless they receive a payment.
- Social engineering. Social engineering is used for a broad range of malicious activities accomplished through human interactions.
- Business interruption. Business interruption refers to the financial loss a company suffers when its operations are disrupted due to a cyber attack.
- Virus transmission. End-to-end coverage applies from discovery to removal of a virus, even if the virus spreads before being removed.
- Liability implications. All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses and, in most states, governmental entities as well, to notify individuals of security breaches of information involving personally identifiable information. When a data breach incident occurs, notification can seem counterintuitive. Organizations don’t want to publicize the issue, but just minimize the damage done. This can only worsen the situation. Failing to notify those affected by a breach could result in steep fines and penalties. A study from the IBM/Ponemon Institute found that data breaches cost businesses $242 per stolen record on average. That means the average U.S. data breach costs more than $8 million.
The ugly
Ransomware has become the most common type of malicious software: it infiltrates computers and locks them down until a ransom is paid. Attacks in the U.S. skyrocketed in 2021 to $420 million, up 98% from 2020. Despite the mounting threat, many businesses do not insure against it.
These incidents happen more than you might think, and most do not make the news.
The cost of cyber insurance is increasing more than any other line of insurance. And it’s no wonder, because the impact of a cyber attack can be lethal—it ruins the business’s reputation and leads to customer trust issues. Sadly, 60% of small businesses that fall victim to a cyber attack go out of business within six months.
We can help the businesses we work with avoid making cyber mistakes, such as:
- Assuming their business is too small to be on the attacker’s hit list
- Having an incomplete stock of resources and endpoints
- Setting their admin password, and afterward failing to remember it
- Failing to implement patches and upgrades in a timely manner
- Not understanding that their most prominent liability is their employees
- Not having a reaction plan
Here are five things a business can do to manage its cyber risk:
- Partner with a good IT provider
- Complete a compliance check
- Train employees
- Create a response plan
- Get the right insurance (prevention first equals lower insurance cost)
Think of the internet as the sun and your client’s business as the Earth, revolving smoothly and safely around the source of its power and using that power to grow and become more and more successful. As advisors, we are mission control with the task of making sure a cyber attack doesn’t knock that business out of its orbit.
The author
Randy Boss is a Certified Risk Manager at Ottawa Kent in Jenison, Michigan. As a Risk Manager, he designs, builds and implements risk management and insurance plans for middle-market companies in the areas of safety, work comp, human resources, property/casualty and benefits. He has over 40 years’ experience and has been at Ottawa Kent for 40 years. He is the co-founder of emergeapps.com, web apps for insurance agents to share with employers. Randy can be reached at rboss@ottawakent.com.