What’s the single most talked about topic in the boardroom of most companies? Cyber security. Read part 2 of our conversation with Hub International Cyber & Tech Insurance Solutions expert, Michelle Lopilato, as well as the President and CEO of Hub International New England, Charles J. Brophy, III.
SMW: What’s trending the most right now?
ML: Ransomware events. That’s a big claim event because the event triggers lots of follow-up issues. If you have a Ransomware event where a threat actor is able to gain access to a network and encrypt it so nobody is able to access it anymore, the first thing they’re going to do is demand a ransom. The policy’s network insuring agreement would pay for that ransom, but in addition to that, it would pay for consultants to assist with and manage the crisis. These individuals can be ex-FBI, ex-Special Ops, ex-State Police, with a particular expertise, who come in and negotiate with these threat actors to get the ransom amount down and make sure you get usable data back.
Typically, what happens is that while you’re down, you’re incurring a business income loss. The average downtime post-ransom is 21 days. If you have 21 days where you are not able to operate, that is going to be a significant amount of business income lost. You will also incur extra expenses to get your network back up and running. You could also be in a position where your data may not be usable. If any of your everyday data has been stolen, lost or corrupted – your email, your inventory, your logistics, accounts payable – you’ll have to incur those first-party expenses to restore, recollect or even recreate that data.
SMW: We have all our data backed up – are we naïve to think that if we were hacked, we would be ok?
ML: Not naïve – it depends on the backups and the controls. Right now, the best practice in backups is utilizing the 3-2-1 method: 3 copies of backups, 2 different media formats, and 1 copy stored off-site. What we have found is that most of these backups don’t restore properly. So, if you only have 1 set of backups and you go to restore them and they fail to do so, you’re left paying a ransom or you’re left to rebuild that data, which takes some time. Healthcare organizations have patient records that go back 20, 30, 40 years – how could they possibly rebuild those records in time to make a diagnosis for a surgery? They can’t, so they generally pay the ransom because they simply can’t afford not to. In my experience, insurance companies will recommend paying the ransom because it is the swiftest way to get an insured back up and running, avoiding a lengthy and costly business interruption.
SMW: Is hardware – computers, servers – covered under these policies?
ML: The policy provides coverage for loss of intangible assets, typically a loss of data or a breach of your network. So, if you’re looking to have the property that’s been affected insured, you would look to your personal or commercial property policy… There is, however, an extension of coverage called Bricking: basically, if malicious virus software runs your computer hard drives at such a rate that it burns them out so that they’re no longer usable, there is an extension of coverage for that.
SMW: What are the most common claims you’re seeing reported?
ML: Right now, it’s Ransomware and business e-mail compromise, or “social engineering” – this is when you have threat actors who are able to spoof the CEO and send an e-mail to someone in the organization with a high level of urgency, saying something like “We won’t get our next shipment if we don’t pay this immediately; here are your wiring instructions, make sure it’s paid”. Because the threat actors are sophisticated enough to say something like “Hey Charlie, how’s your wife doing? How are your two dogs? Can you make sure this gets paid?”, you don’t question why the request is being made in a way you don’t normally pay these invoices.
SMW: What about the businesses who say they already have cyber coverage in their insurance policy? We’ve had clients who thought they were all set, but after we review their policies, we see it’s either not the right coverage or it’s not enough. How would you tell a client they need a standalone cyber policy?
ML: You hit the nail on the head with ‘it’s not the right coverage and it’s not enough’. I can tell you that if there is a loss of 25,000 personally identifiable records, that is immediately a $250,000 impact to your balance sheet just to deal with privacy compliance. So, that’s bringing in the privacy attorney, the forensics team, a PR team, notifications to the individuals, and then the monitoring – that’s just your entrance into that type of event. That does not include a possible follow up regulatory investigation and/or penalty; it doesn’t include a privacy liability lawsuit. If it was a Ransomware event, it doesn’t include the ransom to pay, the business interruption, the data restoration. Typically, what you’re going to get on a GL policy is maybe some level of privacy liability – usually $25,000. That’s not going to cover it. If it’s on a property package policy, you’re going to see some level of business interruption or maybe privacy compliance costs, but I’ve never seen anything more than $100,000. And those carriers are all rolling back their coverage grants.
SMW: And they give them to independent adjusters who usually handle property losses and don’t know how to handle cyber claims.
ML: Not only do these independent adjusters not know how to handle it, they often don’t know how to read the cyber grants within the policy. I dealt with one of our carrier partners, who is a very good partner to us, who thought it would be a good idea to throw it into one of their package policies. Lots of different carriers did this to differentiate themselves. When the claim came in, it was a Ransomware event. There was a little bit of coverage on the property portion of the policy and a little bit of coverage on the GL portion. The carrier didn’t have a hotline or privacy attorney on panel, so they didn’t have anyone advising the client on how to handle the event. The property adjusters didn’t know what to do, so they were just calling and leaving messages for the CFO of the company. I had to keep calling to say “You have to get in touch with them right now and get forensics out there. This is an urgent issue. The client is losing money and that’s going to cost you money.” And they said “We don’t do that.” So, I was left with a client who was knee-deep in the biggest crisis of his business’s career and he had zero help from his insurance company. The insurance company was sending out vendors to help him with lost personally identifiable information, and he didn’t have any personally identifiable information that was lost. He had a Ransomware event and he could not conduct business. It was unfortunate and a learning experience for everyone involved. I can say that more carriers are now far more aware of the cyber coverage they are including and more prepared for it. The incident above was several years ago in a very soft and competitive market when cyber risk losses were not mature.
SMW: What are your top tips to prevent being hacked?
ML: You absolutely must have multifactor authentication in place for remote access to the network, SaaS accounts like Office 365, privileged access management, and backups. Without that, you’re basically inviting the bad guys to come in. It’s like you’ve left for vacation, locking your front and back doors, but all the windows are open.
You should also be training – general cyber security, phishing, business email spoofing – and do it several times a year. You can have all the best prevention measures and security controls, but if you have someone who likes to click on those links, you’re going to let a threat actor in. So, make sure that training is ongoing. One company out of Clearwater, Florida has been tremendous – KnowB4.com. There’s also gophishme.com. They put together ongoing training that anyone can do on their own time, and they have quizzes at the end. It’s super valuable.
CB: CNA has recently been hit. So has AJ Gallagher. So, it’s hitting close to home with people we know in our industry. The impact is unbelievable. Michelle was way ahead of the curve in educating and helping our producers to understand the value of this product. Unlike with home and auto claims, where you get money to repair your property, a lot of this value is legal guidance, the value-adds, the consulting, and walking you through the process of this claim.
ML: Absolutely. Don’t wait to buy the policy. Don’t wait until you’re more secure and have all your ducks in a row. Because the reality is that while you’re getting all your ducks in a row, you’re probably going to have an event. For businesses in that small to midsize range, they can’t afford not to, simply because they need to keep their doors open. If you have an event, you’ll be using all of your balance sheet money just to clean up the mess – not to move forward, just to clean up. If you think you can’t afford the premium, I know you can’t afford the event.