Cyber extortion is growing. Risk management professionals are dealing with unintentional disclosure of data, damaged and stolen data, data restoration, and malicious breaches. We are also seeing more theft of intellectual property, which causes significant losses that are typically not covered under cyber policies.
In addition, organizations are constantly fending off phishing, spoofing, pharming, and smishing attempts. We must also account for vendor errors and the technology errors and omissions claims that come with them, as well as losses caused by business interruption, extra expense, and expediting expense exposures. As cloud computing continues to explode and data remains at risk, what are we to do in response to these evolving exposures?
On this episode of Nat Alliance NOW, Host and Director of Faculty Development, Jay Williams, CIC, CRM, CRIS, MLIS, AIP, AAI, ACSR, interviews Paul Burkett, J.D., CIC, CRM, CPCU, ARM, ALCM, on what industry professionals can do to protect their clients from cyber threats.
How is the insurance marketplace responding?
The industry is seeing increased interest in coverages related to cyber liability, specifically first-party coverages. Where the focus was once on third-party liability alone, we are now seeing an appetite for cybercrime coverage that is separate from traditional crime insurance programs. Clients are asking for broader extortion coverage and for business income and extra expense coverage. Data restoration costs are also at the forefront of many people’s minds, requiring the marketplace to remain nimble in its response to cyber liability.
Data breach sources and associated costs.
According to the Ponemon study, human error accounts for 23% of all data breaches, at an average cost of $3.3 million, and system glitches account for 25%. Vendor errors cost about $2 – 3.3 billion. The big threat to watch, though, is malicious attacks, which account for 52% of all breaches at an average global cost of $4.27 million. Of these malicious attacks, 19% start with compromised credentials, another 19% with cloud misconfiguration, and about 13% with hackers; breaches by hackers alone average $4.4 million in losses.
The Ponemon study also included some interesting information regarding a business’ size and potential losses.
For a business with fewer than 500 employees, the average breach cost was about $2.3 to 2.5 million. For an entity with 500 to 1,000 employees it is $2.5 million; for 1,000 to 5,000 employees, $3.78 million; and for 5,000 to 10,000 employees, around $4.7 million.
These figures reflect that larger organizations tend to have more sophisticated technology needs and the staff to meet them. Businesses of about 500 employees or fewer usually have no dedicated technology staff, which forces heavy reliance on vendors and on the vendor-related exposures that come with them.
How can we prevent catastrophic losses?
Forensics, specialized systems, firewalls, and the ability to audit help agencies build better crisis management, communication, and education around cyber risks for their clients.
Here are some things to consider when performing a risk assessment for your clients:
- What activities is the enterprise doing to protect themselves?
- What are the notification activities that happen when a breach occurs?
- What are the costs for outbound calls, general notices, as well as state and federal regulatory requirements?
- Will you need to engage with outside experts to help with brand and reputation?
- What is the total loss of business? Loss of customers?
Costs stack up.
If a breach of your systems involves payment card information, studies estimate that you could lose upwards of 30% of your customer base, and those customers often do not return after the breach.
What are the 3 most important things agency clients can do?
- Get recertified with your credit card companies (PCI DSS compliance)
- Get a compliance audit done
- Pay the fines and penalties you are obligated to under consumer law
Agents should focus on “the 2020 problem.”
Malicious data breaches are the fastest-growing threat the marketplace needs to address. They account for about 50% of all exposures, but it is really ransomware and destructive malware that cause the biggest problems. This is the 2020 problem. We are now seeing destructive malware, such as wiper-style attacks, that creates an average of $4.5 million in loss per incident. The COVID-19 pandemic has also driven a significant increase in ransomware claims, because many people now work from home, on networks and devices outside the corporate perimeter. That alone is reason enough to focus on this issue.
The shift to providing goods and services online has also raised the stakes for ensuring that online business activities follow sound security measures. Even so, clients need to understand that ransomware will still get in. Today, insurance companies are not offering any pandemic-related extensions for the cyber liability product, and ransomware coverage is coming to market with significantly higher deductibles, creating even more challenges for insurance and risk management professionals.
Ransomware is malware that cyber-criminals use to encrypt a victim’s digital data and then extort the business for payment, usually demanded in cryptocurrency, in exchange for the key that restores it; the threats increasingly also include erasing the data or releasing private information into the public domain. The number one delivery vector for ransomware is phishing. The encryption itself is typically a hybrid scheme: files are encrypted with a fast symmetric cipher, and that symmetric key is in turn encrypted with the attacker’s RSA public key, commonly 2048 bits. “RSA 2048” is therefore not a strain of ransomware but a key size, and it is why the files are so difficult to unlock: only the attacker holds the matching private key, breaking 2048-bit RSA is not feasible, and restoring from intact backups is the only alternative to paying.
The severity of ransomware claims doubled from 2019 to 2020. The original ransomware attacks focused simply on the payoff for the decryption key, but the methodology has changed: the focus is now not only on encrypting and stealing data but also on the threat of publishing it and naming the victim.
The average cost of a ransomware attack is about $4.4 million, and ransomware accounts for 41% of all active cyber insurance claims. Ransomware even surpassed payment card theft in 2020, evidence of a significant shift.
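The hybrid key-wrapping structure described above, as an added example written for this page (not code from the podcast or its guest): a toy Python model that encrypts constructed in-memory sample files under a per-victim symmetric key, wraps that key with the attacker’s RSA public key, and then shows the only two recovery paths, the attacker’s private key or an isolated backup. The sample file contents, the function names, and the use of an HMAC-SHA256 keystream and unpadded textbook RSA in place of AES and OAEP-padded RSA are all assumptions made for the example; it never touches the filesystem.

```python
# Added example: toy model of the symmetric + RSA key wrapping used by ransomware.
# Not code from the podcast or its guest. Works only on in-memory byte strings
# (constructed sample "files"). Textbook (unpadded) RSA and an HMAC-SHA256
# keystream stand in for OAEP-padded RSA and AES purely to keep the example
# dependency-free; neither substitute is safe to reuse as-is.
import hashlib
import hmac
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit, make odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 2048):
    """Attacker's key pair as ((n, e), (n, d)). The private half never leaves
    the attacker's infrastructure unless the ransom is paid."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def wrap_key(sym_key: bytes, public_key) -> int:
    """Encrypt the 32-byte per-victim key under the RSA public key (textbook RSA)."""
    n, e = public_key
    return pow(int.from_bytes(sym_key, "big"), e, n)


def unwrap_key(wrapped: int, private_key) -> bytes:
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(32, "big")


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def encrypt_files(files: dict, attacker_public_key):
    """What the malware does on the victim host: one fresh symmetric key per
    victim, every file encrypted under it, and the key kept only in RSA-wrapped
    form. Returns ({name: (nonce, ciphertext)}, wrapped_key)."""
    sym_key = secrets.token_bytes(32)
    encrypted = {}
    for name, content in files.items():
        nonce = secrets.token_bytes(16)
        encrypted[name] = (nonce, _stream_xor(sym_key, nonce, content))
    wrapped = wrap_key(sym_key, attacker_public_key)
    del sym_key  # the plaintext key is never stored; only `wrapped` survives
    return encrypted, wrapped


def decrypt_files(encrypted: dict, wrapped_key: int, attacker_private_key) -> dict:
    """Recovery path 1: the attacker's private key unwraps the per-victim key."""
    sym_key = unwrap_key(wrapped_key, attacker_private_key)
    return {name: _stream_xor(sym_key, nonce, ct) for name, (nonce, ct) in encrypted.items()}


def restore_from_backup(backup: dict, encrypted: dict) -> dict:
    """Recovery path 2: an isolated backup, which needs no key at all. Only files
    present in the backup come back, so any gap is reported rather than hidden."""
    missing = sorted(set(encrypted) - set(backup))
    if missing:
        raise FileNotFoundError(f"not in backup: {missing}")
    return {name: backup[name] for name in encrypted}


if __name__ == "__main__":
    pub, priv = rsa_keygen(2048)
    victim_files = {"ledger.csv": b"acct,balance\n1001,250.00\n", "notes.txt": b"renewal call Tuesday"}
    locked, wrapped = encrypt_files(victim_files, pub)
    assert decrypt_files(locked, wrapped, priv) == victim_files
    print("files encrypted; wrapped key is a", wrapped.bit_length(), "bit RSA ciphertext")
```

Run stand-alone, the files come back only through `decrypt_files`, which needs the private key the attacker withholds until paid, or through `restore_from_backup`; there is no third path, which is why the backup item in the checklist later on this page matters more than any attempt to “unlock” the encryption.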
How can you help clients control cyber threats?
First, clients must understand that cybercrime is a major risk management issue, meaning a combination of risk management techniques and special insurance products is needed to create solutions. Agents should provide value-added services in the form of risk control and risk prevention techniques. An agent has a lot of work to complete long before a client calls and says, “I’ve got a ransomware attack. What do I do?”
The first step in risk management is risk identification. Once the risk is identified, agents can then consider the scope of the exposure as they complete their analysis. This process helps agents understand the extent of the potential risk and helps the client identify the potential costs associated with a breach.
Once bitten, twice shy.
Clients who have been the victim of a ransomware attack can expect another within the next 14 to 22 months, and the second attack often ends in paying double the initial ransom. The attackers already know the business is susceptible and are banking on the chance that your clients have forgotten the previous attack, so they will come back. Make sure your clients are no longer low-hanging fruit.
Learn your lessons. Here’s a quick list.
- Put endpoint protection in place everywhere
- Double your efforts at loss reduction
- Get the proper cyber insurance in place
- Enhance essential controls: data loss prevention (DLP), spam and phishing filters
- Make sure backups are tested and kept offline or otherwise isolated, so ransomware cannot encrypt them along with production data
- Set up better network segmentation, with firewalls between segments
- Increase security education for employees
But wait. There’s more!
Educate and prepare your clients for:
- Fines and penalties
- Increased cyber insurance costs
- Higher deductibles and other cost increases
Remember that the average time it takes to detect and contain a data breach (based on the Ponemon study) is 280 days; for a malicious attack it is 315 days. This means your client is not going to have immediate notification. Make sure they understand that! It is also good to know that 61% of data breach costs are incurred in the first year of the loss, so continuing coverage is highly important. You should help your client understand and evaluate the coverage provided. Do they understand what third-party liability is? What remediation is? Are they aware of regulatory exposures and payment card industry exposures? Is all of their data covered? Make sure you explain remediation services and how data restoration services will work. Most importantly, agents should know that the coverage triggers for ransomware vary from policy to policy, since there is no universal language for them.
About our Guest: Paul Burkett, J.D., CIC, CRM, CPCU, ARM, ALCM
Paul Burkett is the President and CEO of Snoaspen Insurance group, specializing in risk management consulting, insurance education, and expert witness services. Paul is a National Faculty member for TNA, teaching Institutes, RGS, and PROFocus series classes online and across the country. He has also served on the Board of Governors of the SCIC. Paul has a JD from Concord School of Law and an undergraduate degree from the University of Minnesota. He also completed graduate work at the University of Oklahoma. In addition to his CIC and CRM designations, Paul also has his CPCU, ARM, and ALCM designations.