CYBER RISK: A TWOFOLD APPROACH
First, protect your agency, and then leverage your experience to sell cyber policies
From Russian hackers cyber-meddling with the 2016 presidential election to the FBI asking Americans to reset their routers to foil a widespread cyberattack on U.S. citizens this past May, cyber incidents do not appear to be abating. Instead, it seems, cyber criminals are only getting more creative with time.
There’s one thing we know for sure: cyber-attacks can happen anywhere, anytime to anyone or any business—including a credit reporting behemoth like Equifax. As bigger businesses gain sophistication in fighting off cyber-attacks, some attackers are turning their attention to smaller businesses, like insurance agencies and their clients.
News of cyber incidents should encourage business owners and individuals to proactively stay alert for attacks. Unfortunately, many who read about high-profile breaches believe they are somehow immune from such an attack, comforting themselves with phrases like “it won’t happen to me” or “we don’t have anything a cyber-criminal could possibly want.”
Although independent insurance agents often help their commercial policyholders understand the cyber risk facing their businesses, they frequently neglect to make sure their own businesses are protected. Certainly, insurance agents have a responsibility to talk about cyber risk with commercial clients, but they are business owners themselves and, as such, should know how to reduce their own cyber risk.
As flight attendants say before takeoff, if there is a sudden change in cabin air pressure, secure your own oxygen mask before helping others.
The scope of the problem
The risk of a cyber-attack hitting your agency or your clients is not going to go away. In fact, it’s growing, according to a July 2018 report from the Ponemon Institute LLC, sponsored by IBM. Their research found the average cost of a data breach rose to $3.86 million in 2017 from $3.62 million in 2016. The average cost per record accessed rose to $148 from $141. Let’s put this in perspective: For an insurance agency with 3,500 records, we could be talking about more than a half-million dollars of unanticipated expenses. The report also pointed out that companies that gained control over a breach in fewer than 30 days saved more than $1 million compared to those that took longer.
Another study, a 2018 Data Breach Investigations Report from Verizon, provided details on the victims in these cyber-attacks. Verizon found that 24% of those impacted were health organizations, 15% were businesses related to food services or accommodation services, 14% were public sector entities and the majority—58%—were small businesses.
Criminals who perpetrate these attacks are using a variety of tactics to break in and commit cyber-crimes. According to Verizon, 48% of attacks occurred through hacking and 30% from malware; 17% had errors as causal events and another 17% were social attacks like phishing scams. The rest resulted from privilege misuse or physical actions.
New technology seems to be compounding the problem. Mobile technology and the Internet of Things, essentially any devices that are connected to the Internet, open up new risk exposures for agents and their clients.
What does all this tell us? Everyone needs to be prepared. Insurance agents shouldn’t just be preparing their clients; they need to take steps to protect themselves as well. And once they do that, these agents will be in a unique position to provide first-hand, personally tested recommendations for cyber protection and policies to small business clients facing the same risks.
Mitigating the risk
One of the best defenses against a cyber-attack is education. Business owners, including independent insurance agents, and their employees should know what a cyber-attack might look like and understand how to report any suspicious activity. The U.S. government provides several tips on its website, at ready.gov/cybersecurity, to help prevent a cyber-attack. Tips include updating software, using strong passwords, keeping an eye out for suspicious activity, applying encryption where possible, and using a safe WiFi network.
Specifically, they recommend:
- Using a password with a length of more than 12 characters that includes a mix of letters, numbers and symbols and changing that password monthly
- Applying two-factor authentication
- Making sure the Internet connection is secure
- Providing personal information only to sites that begin with HTTPS (the “S” stands for secure)
- Using a virtual private network (VPN) for a secure connection
- Running antivirus software
- Checking privacy settings
- Changing WiFi passwords regularly
- Watching for suspicious activity
- Using caution when downloading from emails or the Internet
Aside from the tips above, to protect from cyber-attacks related to the Internet of Things, business owners should make sure all devices are password-protected and never leave them unattended.
Finally, an insurance policy to protect the agency or business is critical. A good policy can provide coverage against cyber extortion, pay legal fees and costs of notifying clients of a breach, and address reputational repair, among other things.
What to do if you get hit
Despite best efforts, an insurance agency or other business can fall victim to a cyber-attack. However, as Ponemon found in its study, containing the problem quickly can make a big difference in how your business comes out on the other side.
First, identify or hire a cyber incident response expert. All staff members should know how to identify a cyber-attack and understand the critical importance of reporting anything suspicious immediately to whoever serves as their cyber expert.
Unfortunately, people are often the weakest link when it comes to cyber safety. One employee opening an attachment to a suspicious email can compromise an entire computer system. According to Verizon, 98% of social cyber-attacks result from phishing, the email bait practice mentioned above, and pretexting, which comes in the form of an emailed phony story designed to collect information.
Once an attack is identified, the cyber expert should determine the severity of the incident by considering whether company-sensitive information may have been accessed and if law enforcement needs to be notified. The cyber expert should also identify the type of security incident that occurred and gather information to share with the cyber insurer.
The cyber expert should also review your computer system thoroughly, disabling compromised accounts, listing all IP addresses involved, requiring password changes by all users, and letting those who access the compromised accounts know of the situation.
An incident that is thought to be a data privacy breach will require consulting an attorney to provide guidance on privacy issues and assist in communications and documenting the incident. It’s also important to determine the type of sensitive information that was compromised in a data privacy breach, including first names, last names, etc. Law enforcement and a cyber expert can help to determine the scope of the attack, possible sources, type of breach and even possible suspects, among other things.
Finally, the cyber expert should check all other systems for compromises and determine who needs to be notified and if there are statutory requirements surrounding their notification.
Subscribe to your own compelling sales offer
With every new headline about a cyber incident comes another opportunity to sell cyber coverage to a client. But while you get them thinking about it, make sure you are heeding your own advice.
Agents need to be informed themselves. They shouldn’t be intimidated by the subject of cyber. They need to learn and understand cyber issues, so they can better protect their own assets, as well as the assets of their policyholders.
There are many ways agents can spread the word about the need for cyber coverage and sell it. They can bundle it with packages, cross-sell it when other products are on the table, and share their knowledge of the subject with others through a blog or social media and direct mail pieces, or by offering remarks on the subject at Chamber of Commerce events, etc.
For businesses of any size operating in today’s high-tech environment, cyber insurance must be part of the equation. Any organization that uses a computer and accepts payments or tracks personal information is exposed. Agents have a responsibility to convey this to their policyholders and prospects while protecting their own businesses as well.
Matt Masiello is executive vice president and chief operating officer of SIAA (Strategic Insurance Agency Alliance).