What’s the single most talked-about topic in the boardroom of most companies? Cyber security. This is certainly understandable. When you read the news, you’re apt to find stories about various large organizations – everyone from Best Buy to leading hospitals – suffering high-profile cyber attacks.
The costs of such an attack can be enormous – large enough to destroy any business. Hackers get in, and they quickly steal customers’ personal information and other valuable private data. These cyber criminals then re-sell this information or use it for their own schemes. Your customers (or patients) – whose personal data you have failed to protect – might seek compensation for any damages they incurred from this breach. Such damages could total more than your organization’s entire net worth.
This problem is not going away. Most major corporations are still in the midst of their digital transformation – the change from paper records to automated systems. More and more, these companies are outsourcing their digital services to third-party vendors, creating even more vulnerabilities and points of exposure for a breach. Everyone is dealing with it.
This new reality brings us to a new topic: cyber insurance. Cyber insurance is now the most quickly evolving product in a fast-moving landscape of exposure. With corporate processes and data being automated, businesses have a great deal to be concerned about when it comes to security, because much of it is no longer handled in-house. It’s hard to keep pace with the security measures needed to outpace the threat actors. So, many companies outsource their data protection systems to third-party professionals. And those third parties are dealing with many ransomware events. This post is designed to get you familiar with this emergent and dynamic new topic.
Cyber insurance: it’s now a business requirement
Cyber insurance will help you protect the balance sheet of your business. Do you need any additional reason beyond that?
Every organization is vulnerable to cyber attacks, no matter how good its security systems and practices. Whether you outsource cybersecurity to a data loss prevention (DLP) provider or keep protection in-house, your business has exposure points where hackers can gain access. The “human factor” alone accounts for ever-changing points of entry. Hackers love to go “phishing” and see if they can fool an unwitting employee into granting access to the corporate system.
Connectivity creates exposure, and there isn’t a viable business organization that isn’t connected. You’re using laptops and mobile devices to conduct business, you’re storing information in the cloud, and you’re constantly interacting with people outside your organization’s network. This means your organization is vulnerable to cybercrime. If you get hacked, and the data you have stored in your systems falls into a cyber criminal’s hands, your business could face dire financial consequences. If you want to stay in business after such an event, you need to protect your balance sheet. Make sure you have cyber security insurance. That typically means a robust insurance policy which covers third-party liability losses and first-party expense losses resulting from a breach of the network and/or protected information.
This applies to ANY business that is connected to the internet – from mom & pop shops on Main Street all the way to Fortune 500 companies. Everyone is connected, and it’s that connectivity that makes them exposed.
It also applies to people who aren’t attached to a business. Although the personal lines side of the insurance industry is a few years behind the commercial marketplace, new products are emerging. If you work independently at home and handle all your banking, credit cards, and shopping online, or even if you keep your digital photos connected to the web or on a thumb drive, you should get coverage. After all, as soon as you connect to Wi-Fi, you’re at risk. We all do our finances at home – it’s an open door, and you definitely need protection when connecting to the internet.
Types of cyber insurance policies
The commercial policies available in the marketplace are pretty robust for a relatively new product. Most commercial cyber insurance policies are split between third-party liability and first-party expense insuring agreements. The third-party liability aspect covers financial harm that comes to a third party because of the insured’s failure, error, or omission that results in a cyber loss.
An example of the insured’s failure is Network Security Liability – this involves the insured’s failure to prevent malicious software – or “malware” – from leaving their network. If one of your employees sends an invoice to your clients, for example, and (unbeknownst to them) that invoice is embedded with a virus, that virus might attach to an email that originates in your network and migrates to your client’s network. The client opens the invoice and it causes all types of harm; they’re not able to operate because of the malware. They might hire a forensics team that identifies your organization as the source. Considering the financial harm the client suffers, it’s very likely that they’re going to come at you with a monetary demand. The insurance policy would pay for your defense as well as for the client’s related damages.
Another example is Privacy Liability – this is financial harm that comes to a third party because of your failure, error, or omission in protecting sensitive information. If your company discloses any private, sensitive, protected/confidential information, you’re liable and open to legal action for that disclosure. If the cyber criminal makes a monetary demand after getting access to your network – e.g., scraping employee data or client information (social security numbers, addresses, etc.) and publishing it on the Dark Web – those employees and clients can sue you for failure to protect their privacy. Your cyber insurance policy should pay for your defense costs resulting from that kind of demand, as well as the damages resulting from it.
We’re also seeing class action lawsuits related to biometric information. If your company holds data containing a scan of an iris or a thumbprint, many states view that as personally identifiable information. Several cases involve timeclocks that use thumb scans where the scans were taken without the patients signing any releases and then their private information gets used without their approval. Class action lawsuits also appeared in the aftermath of the 2013 Target hack. In that event, MasterCard, Visa, American Express and Discover sued Target claiming that, but for that breach, they would not have incurred expenses of more than $200 million to cancel and reissue credit cards. MasterCard and Visa successfully negotiated a $39 million settlement in this case, which would get paid from the Privacy Liability insuring agreement of the cyber policy.
Remote work and other cyber challenges
We are in a very dynamic marketplace right now. Until recently, businesses could readily get a cyber insurance policy without too much scrutiny from carriers. It didn’t take very much information – just your name, your address, your URL and your annual revenue. It didn’t matter what you did for security and controls, and it didn’t matter how your network was protected. It was just a new product and a new opportunity for these companies to be in business, and they were giving policies away.
Now we live in a post-Covid world, and threat actors have such an enormous attack surface available to them. So many people work from home (WFH), but they don’t have cyber security comparable to their brick-and-mortar offices. Employees at home might use their personal Wi-Fi and personal devices, and corporate IT teams haven’t caught up with the necessary WFH security. Companies initially emphasized productivity over security, but that created huge vulnerabilities that threat actors have exploited. Ransomware attacks have gone up by 30,000%. The ransom amounts have also gone up significantly – from $20,000 up to an average of seven figures now. And it’s not just the ransom costs – it’s the business interruption costs/loss of income costs, extra expense costs, and the data restoration costs that come with them.
This has upended the marketplace, because carriers did not collect the premiums needed to sustain such huge losses. So, we’re seeing an about-face. Not only are carriers hyper-cautious in their underwriting, they’re also raising premiums by 100% to 300% across all sizes and classes of business. It’s harder than ever before to secure an insurance policy. If you don’t have basic cyber hygiene, or controls like multifactor authentication or endpoint detection and response across the network, you won’t get a policy. Meanwhile, clients with better controls might get a policy – but they’ll pay much higher rates. The market is correcting the pricing shortfalls.