Into the Breach
When hackers gained access to a large retailer’s computer network through scam emails to employees, more than 900 store locations were affected, and 2 million customers were impacted before the company was alerted by a security blogger six months later. That led to several class-action lawsuits against the company, investigations by attorneys general in multiple states, and fines from the affected credit-card companies.
In another case, a ransomware attack blocked all access to a regional accounting firm’s computer system, and also deleted files. After ransom was paid, it took several days to restore the applications and recover deleted files from a backup. As a result, the firm was unable to meet tax-filing deadlines, causing brand and reputation damage.
Then there was a company that provides technicians to a laptop manufacturer’s repair center. While a young woman’s laptop was in the custody of technicians at the center, her Facebook account was hacked, and several sexually explicit photos were posted to it. She negotiated a quick multi-million-dollar settlement with the laptop manufacturer, which demanded, in turn, that the staffing company compensate it for the privacy breach.
These are only three of many real-life cases detailed by the Hartford Financial Services Group as warnings that companies of any kind and any size are vulnerable to cybercrime.
“That’s where insurance comes in, to mitigate the cost of a claim,” said Chris Rivers, senior vice president of Phillips Insurance Agency in Chicopee. “Small businesses sometimes feel they have less risk than larger ones, but that’s not the case. Anybody can be hacked and be held ransom or have data get out.”
Breaches can come at all severity levels, he noted, from a simple Facebook hack to an attack that steals credit-card information or Social Security numbers from tens of thousands of consumers.
The Hartford reports that the average cost of a data breach in 2020 was $3.86 million, and the U.S. will account for half of all breached data in the world by 2023, when an estimated 33 billion records will have been stolen by cybercriminals.
One of the more severe types of attack, ransomware, takes place every 11 seconds, and the average ransom payment increased to more than $233,000 in 2020. Such attacks result in an average of 19 days of business interruption and downtime.
Again, it’s not just large companies at risk of cyberthreats of all kinds, said Jack Dowd, vice president of Personal Lines and a commercial risk consultant for the Dowd Insurance Agencies in Holyoke.
“The percentage of small businesses that are targeted is significant,” he noted. “A lot of the people doing this know that a lot of small businesses don’t have the infrastructure in place that a larger business does and are more susceptible to attack, and that’s why they’re attacking them.
“It’s important to know, if you’re taking credit cards or you have a system where you store any type of sensitive information with clients, you’re vulnerable,” he went on. “We’ve seen them target people who wouldn’t think they’d be typical targets, and your best course of action is to protect yourself as best you can, and that would include looking into cyber insurance.”
Costs Pile Up
According to the Philadelphia Insurance Companies, the average cost of a data breach is $204 per lost record, with more than half of such costs attributable to lost customers and the associated public-relations expenses to rebuild an organization’s reputation.
That’s one reason why cyber insurance policies cover two distinct classes of loss: first-party and third-party.
First-party coverages include loss resulting from damage to or corruption of electronic data and computer programs; income reimbursement during the period of restoration of the computer system; customer notification, regulatory fines and penalties, and public-relations expenses; and reimbursement for extortion expenses, among others. Third-party coverages, on the other hand, include legal liability for financial damage and privacy violations involving customers, employees, and other third parties.
“Network-security liability is a coverage that will provide defense and settlement costs in the event a third-party claimant sues the insured over a failure to secure their own computer system,” Dowd explained.
But he warned that these expenses can total much more than the client anticipates. In fact, insurers often include sublimits on certain specific types of losses, and it’s up to the insured party to purchase higher limits.
“A lot of insurance companies give a certain amount, say $50,000, toward notifying people they’ve been hacked. But the notification costs alone, depending on the size of the client book, could be more than that. Then there’s the cost to rebuild data, the cost to secure their network … a lot of things go into cyber insurance that people don’t always consider.”
Rivers agreed. “Within the insurance industry, a lot of carriers have thrown in some smaller sublimits that weren’t there in the past. But you can always buy more, up to what you want.”
It’s easy to see why they would. The Philadelphia Insurance Companies lists many breaches over the past several years that affected thousands of customers, like the international hacking group that gained access to the computerized cash registers of a restaurant chain and stole the credit-card information of 5,000 customers, starting a flood of fraudulent purchases around the world.
Or an employee of a Massachusetts rehabilitation center who improperly disposed of 4,000 client records that contained Social Security numbers, credit- and debit-card account numbers, names, addresses, telephone numbers, and sensitive medical information. The center settled the claim with the state and agreed to pay fines and penalties as well as extending $890,000 in customer redress funds for credit monitoring on behalf of the victims.
Selective Insurance Group relates the case of a payroll employee at a plastics manufacturing company who received a spoofed email from a scammer purporting to be the CEO, requesting that the employee send all employees’ W2s immediately. He did, and multiple employees later reported that fraudulent tax returns had been filed in their names.
This last example is a case of what’s known as ‘social engineering,’ and such phishing attempts have become more savvy and authentic-looking. “They’ve gotten a little more sophisticated in recent years,” Dowd said, which is why companies, often encouraged by their insurance companies, initiate training to reduce the chances of human error causing a breach.
Closing the Circle
Insurance companies provide another human element to the fight against cyberthreats, Dowd said.
“If you have a cyber policy, you have a place to go, a place of refuge, if you will. If you ever go to work Monday morning and your system is hacked and someone is demanding a ransom payment, you don’t know where to begin. But if you have cyber insurance, you can call the company; they’ve been through this many times, and they’ll tell you exactly what to do. It gives you a starting point you wouldn’t have otherwise.”
When quoting a policy, Dowd added, an agency might run a test of the company’s system and let it know of any holes that need to be closed. “Even if you don’t proceed with coverage, at least you know you have those entry points, and you can pass it on to a person able to close those gaps for you.”
Insurers may also supply clients with training and quarterly check-ins, he added. “They’ll have your employees take these quizzes that will supply them with real-life incidents that happen in the cyber world, and have them identify the errors or signs that they were fake or malicious; they can actually give you some real-life practice on that.”
Rivers said many insurers provide an online help center, but many clients don’t use that resource, instead hiring a computer specialist to make sure the company has the correct virus and malware protection and that there are no gaps in security, in both the hardware and human realms.
However they delegate it, keeping up to date with the latest threats, strategies, and technology is critical, he added. Even though there’s a cost associated with that, it can pale compared to the cost of a breach.
“It’s something that is out there, and everyone can be impacted by it, no matter how small or how big they may be,” Rivers told BusinessWest. “The reputation of a company can certainly be impacted by it. It’s something people don’t always think about — or want to think about. They say, ‘I only have a couple computers; it can’t happen to me.’ But it can.”
Joseph Bednar can be reached at [email protected]