What’s the single most talked about topic in the boardroom of most companies? Cyber security. This is certainly understandable. When you read the news, you’re apt to find stories about various large organizations – everyone from Best Buy to leading hospitals – suffering high-profile cyber attacks.
The costs of such an attack can be enormous – large enough to destroy any business. Hackers get in, and they quickly steal customers’ personal information and other valuable private data. These cyber criminals then re-sell this information or use it for their own schemes. Your customers (or patients), whose personal data you have failed to protect, might seek compensation for damages totaling more than your organization’s entire net worth.
This problem is not going away. Most major corporations are still in the midst of their digital transformation – the change from paper records to automated systems. More and more, these companies are outsourcing their digital services to third-party vendors, creating even more vulnerabilities and points of exposure for a breach. Everyone is dealing with it.
We recently sat down for a very informative discussion about cyber insurance with Hub International’s Cyber & Tech Insurance Solutions expert, Michelle Lopilato, as well as the President and CEO of Hub International New England, Charles J. Brophy, III. Michelle has been with Hub for nine years, joining after a decade with Marsh in their professional financial lines. When she started with Marsh around 2001, cyber insurance was not well known. Now, it’s the most quickly evolving product in a fast-moving landscape of exposure. With corporate processes and data being automated, businesses have so much to be concerned about when it comes to security because a lot of it is no longer handled in-house. It’s hard to keep pace with the security measures needed to outpace the threat actors. So, a lot of it is being outsourced to third-party professionals. And those third parties are dealing with many ransomware events.
SMW: Why should businesses buy cyber insurance?
ML: Quite simply: because it’s going to protect their balance sheet. Every organization is vulnerable to cyber attacks, no matter how good its security systems and practices. Whether it outsources cybersecurity to a data loss protection (DLP) provider or keeps protection in-house, it has points of exposure where hackers can gain access. The human factor by itself accounts for ever-changing points of entry. Hackers love to go “phishing” and see if they can fool an unwitting employee into granting access to the corporate system.
Connectivity makes you exposed; there isn’t a viable business organization that isn’t connected. You’re using laptops and mobile devices to conduct business, you’re storing information in the cloud, and you’re constantly interacting with people outside your organization’s network. This means your organization is vulnerable to cybercrime. If you get hacked, and the data you have stored in your systems falls into the wrong hacker’s hands, your business could face dire financial consequences. If you want to stay in business after such an event, you need to protect your balance sheet. Make sure you have cyber security insurance. That typically means a robust insurance policy which covers third party liability losses and first party expense losses resulting from a breach of the network and/or protected information.
SMW: Who should be buying these types of policies?
ML: Anyone who is connected to the internet – mom & pop shops on Main Street all the way to Fortune 500 companies. Everyone is connected, and it’s that connectivity that makes them exposed.
SMW: What about a person who isn’t attached to a business – should they get an individual policy?
ML: On the personal lines side of the business, there are some new products. They’re in their infancy, probably about 10-15 years behind the commercial marketplace. If you’re at home and handle all your banking, credit cards and shopping online, or have all of your digital photos connected to the web or on a thumb drive that you connect, as soon as you connect to Wi-Fi, they’re at risk. We all do our finances at home – it’s an open door, and you definitely need protection when connecting to the internet.
SMW: Can you give us an example of a cyber security policy?
ML: The commercial policies available in the marketplace are pretty robust for a policy that’s been around less than 20 years. It is bifurcated between a third-party liability loss and first-party expense insuring agreements. The third-party liability aspect of it is financial harm that comes to a third party because of the insured’s failure, error or omission that results in a cyber loss.
The first one would be Network Liability Security, which would be the insured’s failure to prevent malicious software – or “Malware” – from leaving their network. If one of your employees sends an invoice to your clients, for example, and (unbeknownst to them) that invoice is embedded with a virus, that virus is attached to an email that originates in your network and goes to your client’s network. The client opens the invoice and it causes all types of harm; they’re not able to operate because of the Malware. They might hire a forensics team which identifies your organization as the source. Considering the financial harm the client suffers, it’s very likely that they’re going to come at you with a monetary demand. The insurance policy would pay for your defense as well as the damages.
SMW: What other types of cyber security insuring agreements exist?
ML: Another example is Privacy Liability – this is financial harm that comes to a third party because of your failure, error or omission in failing to protect sensitive information. If there is any type of disclosure of private, sensitive, protected or confidential information by your company, your company can be liable and can be sued for that disclosure. In the event that there is a monetary demand due to a threat actor getting access to your network – e.g., scraping data of your employees and clients (social security numbers, addresses, etc.) and publishing it on the Dark Web – those employees and clients can sue you because you did not protect their privacy. This insuring agreement also pays for your defense costs resulting from that kind of demand, as well as the damages resulting from it.
We’re also seeing class action lawsuits related to biometric information. If your company holds data containing a scan of an iris or a thumbprint, that is also considered personally identifiable information in some states. Several cases involve timeclocks that use thumb scans – in the cases we’ve seen, the scans were taken without any releases being signed and the employees’ private information was used without their approval. There have also been some class action lawsuits in the aftermath of the 2013 Target hack. In that event, MasterCard, Visa, American Express and Discover sued Target and claimed that, but for that breach, they would not have incurred more than $200 million to cancel and reissue credit cards. I know MasterCard and Visa were successful with a $39 million settlement. Those settlements would have been paid from the Privacy Liability insuring agreement of the cyber policy.
Charles Brophy: Michelle, from a pricing perspective on the product and the capacity, particularly trying to get excess layers, what are some of the challenges you’ve run into with clients who have had claims and in general in certain segments of the industry?
ML: We are in a very dynamic marketplace right now, where we just left a very soft marketplace. It was like the Oprah Winfrey Show – “You get a policy! You get a policy! Everybody gets a policy!” And it didn’t take very much information – just your name, your address, your URL and your annual revenue, and you could get a cyber risk policy. It didn’t matter what you did for securities and controls, and it didn’t matter how your network was protected. It was just a new product and a new opportunity for these companies to be in business, and they were giving policies away.
Now what we have seen, especially post-Covid, is threat actors that have an enormous attack surface available to them. This is because so many people are now in this global remote workforce, and they don’t have the cyber security at home that they would have had in place in their brick-and-mortar buildings. Employees are at home using their personal Wi-Fi and personal devices, and a lot of the IT teams haven’t caught up with the securities that they needed. Initially, companies placed productivity over security. But that has created a huge vulnerability to be exploited by these threat actors. And they have been exploiting it – Ransomware attacks have gone up by 30,000%. The ransom amounts have also gone up significantly – from $20,000 up to an average of seven figures now. And it’s not just the ransom costs – it’s the follow-on business interruption costs/loss of income costs, the extra expense costs and the data restoration costs.
What it’s done to the marketplace is basically upend the ability to pay for these, because the insurance companies did not collect the premiums needed to sustain the types of losses they’re having right now. So, we’ve seen the marketplace do an about-face. Not only are they being more scrutinizing when it comes to the underwriting, the premiums have gone up anywhere from 100% to 300% across all sizes and classes of business. It’s a much more difficult process to secure an insurance policy than it ever was before. If you don’t have basic cyber hygiene, or controls like multifactor authentication or endpoint detection and response across the network, you’re not going to get a policy. And for those clients who do have better controls, they’ll get a policy, but they’ll be paying far more than they ever paid in the past. Frankly, I don’t think we’re in a hard market so much as we’re in a correction of the product’s pricing.
Look out for Part 2 of this blog coming soon.