The Need for Cyber-liability Insurance Keeps Rising
Everyone’s a Target
While major data breaches in the world of retail make the splashiest headlines — understandable, when, like the 2013 Target hack, they compromise the records of tens of millions of customers — the truth is, the vast majority of cybercrime incidents are aimed at businesses with fewer than 100 employees. That’s where cyber-liability insurance comes in — products that not only protect companies from the myriad financial effects of a breach, but help them understand where their risks may lie, and how they can close the more dangerous gaps.
Bill Grinnell said he recently spoke with the owner of a construction-related business who was hit with a malicious program that froze his company’s computers and followed up with an extortion demand.
“More hacks are happening every day,” said Grinnell, president of Webber & Grinnell Insurance in Northampton. “You wouldn’t think of him as the type of business that might traditionally need cyber-liability insurance, and now he’s facing all these costs — having a company come in to get the computers up and running, potential lost business income if they can’t perform their jobs without what’s stored on the computers, then the cost of the extortion and potentially notifying people, all the customer-relations issues.
“That was eye-opening to me,” he went on. “Any business out there that has any type of sensitive records critical to the running of the business potentially needs this type of coverage.”
The good news, Grinnell said, is that businesses are more aware than ever about the threats that lurk behind seemingly safe computer screens.
“It’s a relatively new insurance coverage, and it’s still evolving. We certainly talk a fair amount about it with clients interested in purchasing coverage, and demand is definitely increasing,” he went on, noting that, until recently, cyber liability wasn’t a hot topic outside of the retail, medical, and financial-services industries, but it’s becoming clearer that many other types of enterprise are at risk.
In a recent article on its website, Ross Insurance Agency in Holyoke noted that incidents like the Target breach in 2013 (70 million customer records exposed) and the Neiman Marcus breach around the same time (1 million customers affected) won plenty of headlines, yet a 2012 Verizon study revealed that 71% of breaches occur in businesses with 100 or fewer employees. Meanwhile, according to cybersecurity company McAfee, almost 90% of small and medium-sized U.S. businesses don’t use any form of data protection.
“This is one of the most forefront issues we have, something we talk about all the time,” Kevin Ross, vice president of Ross Insurance, told BusinessWest. “Coverage is becoming more widely available and broader in scope. We have not experienced any losses here with our clients, but we do know it’s a serious threat that can cause serious financial harm. Just because you haven’t had a fire doesn’t mean fire insurance isn’t important. We protect the financial integrity of clients from loss, and those losses could be severe.”
Indeed, cybercrime costs American businesses more than $100 billion per year, according to the Center for Strategic and International Studies.
“Lack of an incident can breed complacency. Companies think they’re OK, but lack of an event doesn’t mean they’re OK; it doesn’t mean they’ve done a good job,” said Bill Trudeau, president of the Insurance Center of New England (ICNE) in Agawam, adding that, while certain organizations have more to lose because of their customer exposure, almost all companies save employee data digitally.
“Even in a small company, one that makes widgets and gets paid with checks, you could have some data-breach exposure with your employees, so it’s worth reviewing what kind of access you have,” he said. “If it happens to your 200 employees, it’s not going to be a heartwarming experience for you and your employees. You need to take a hard look at your computers and how you transmit information.”
According to the Ponemon Institute, which has been reporting on the cost of cybercrimes for the past several years, the cost to a company that falls victim to a data breach is $188 per record breached. Yet, business- and property-insurance policies typically exclude data risks from their terms, which has contributed to the emergence of cybersecurity insurance as a separate, standalone line of coverage.
That coverage typically protects against a wide range of losses that businesses may suffer directly or cause to others, and these come in two forms: first-party and third-party losses. Grinnell explained that third-party losses involve regulatory fines and lawsuits brought by affected customers, while first-party losses are what the business itself incurs up front, such as business-income loss, data-retrieval services, downtime, and notification of customers, to name a few. On average, first-party losses account for about one-third of a breached company’s expenses.
“In a lot of small data breaches, say in a small store or a doctors’ office with 10 doctors, most costs are first-party costs,” Trudeau explained. “Then, later, you’re going to have liability claims because maybe someone did get injured, their identity got stolen, you may owe them compensation, or they could end up suing you, despite all your efforts. So a good cyber policy or data-breach policy has both coverage for first-party costs and a liability component that pays for these different injuries that have occurred.”
Some cybersecurity-insurance carriers pose a long series of questions on their application forms about the details of a company’s exposure to data risk, Trudeau said, and if the underwriter isn’t satisfied with the answers, they may not write the policy until certain practices have been changed and safeguards put in place.
“When it comes to a data breach which has occurred, a lot of what you do to take action up front can reduce your liability. If you self-report to authorities and if you have a turn-key response to it, that’s good,” he went on, noting that carriers that specialize in this type of coverage, like Beazley and Chubb, have turn-key response operations as part of the policy. “They’ve got forensic computer analysts that get into the system and see what went wrong, public-relations people who understand this issue — it’s not their first time trying to calm customers and the public as to what went wrong with your organization — and they also have third-party notification operations.”
Trudeau recommends that businesses hire a third party to poke around their computer systems and challenge their operations when necessary.
“People get used to their own surroundings and don’t know what they don’t know,” he said. “Just because you think your business isn’t super attractive to hackers doesn’t mean they’re not going to pick you. I think it’s important that people are always challenging their IT department or IT vendor, saying, ‘is this the best form of firewall?’”
In fact, he added, ICNE works with a company that will provide an ethical hacker, which is someone not out to steal data, but to break into a system and then show the business what they found and how they got in.
“There has to be a discussion with the client about what they’re doing, how they’re identifying threats,” Ross added. “Everyone needs to be aware of it. Any time you’re dealing with any type of customer information, especially dealing with credit cards, Internet sales, anything that has to do with the web in any form or fashion, you could be exposed to liability should you be hacked and clients’ information be exposed. That’s the threat.”
Knowledge Is Power
The impact on businesses can be severe and long-term, the report noted, citing an Economist Intelligence Unit consumer survey conducted in 2013. It found that 18% of respondents had been a victim of a data breach, and, of those individuals, 38% said they no longer did business with the organization because of the breach. Meanwhile, 46% said they advised friends and family to be careful of sharing data with the breached company.
However, data breaches don’t always have malicious origins. Based on the data breaches it serviced in 2013 and 2014, Beazley reported that the two most common sources of breaches are unintended disclosure, such as misdirected e-mails and faxes (31%), and the physical loss of paper records (24%), which is particularly prevalent among healthcare organizations.
Breaches due to malware or spyware represented only 11% of breaches in 2013 and 2014, but they have been increasing, the firm reported, with the total number of breaches in this category growing by 20% between 2013 and 2014. Due to heavy forensics costs — money spent to find out exactly how the breach occurred — these breaches are on average almost five times more costly than unintended disclosure.
Still, considering the sheer number of cases of accidental data exposure, employers can take steps to prevent data theft, Ross noted. These include protecting every computer connected to the Internet or the internal network with anti-virus and anti-spyware software (including any laptops that connect wirelessly); installing security-software updates promptly to stay ahead of hackers; securing the company’s wi-fi network by requiring passwords or even configuring the wireless access point or router to hide the network name; securing computers and network components and requiring log-on passwords for all employees; and continually educating employees on security guidelines for computer, network, database, e-mail, and Internet usage, as well as penalties for violating those guidelines.
“The bad guys are always thinking up new things. It’s important to stay on top of it,” Trudeau added, noting that data breaches may not be doubling or tripling in frequency year over year, but they are rising slowly. The financial industry alone saw 642 incidents in 2014.
As a result, “the number of people willing to buy data-breach insurance continues to increase year after year, as more customers start seeing it as something that should be part of their insurance portfolio,” he went on. “You need to be vigilant of the fact that someone may have come up with some way to hurt your organization that you’re not aware of yet.”
Grinnell told BusinessWest that there are still too many holes out there, due to nothing more complicated than complacency.
“A lot of people think it’s big businesses getting hacked — ‘they won’t get me.’ I think that’s beginning to change, but there’s a long way to go,” he said. “We need to get the word out and let people know the exposures that lurk out there and help them address them, both through insurance means and making sure they have the proper firewalls in place to prevent attacks as much as possible.”
In other words, anyone can be a Target, and there’s ample evidence that some common-sense precautions — and perhaps a well-written insurance policy — can go a long way.
Joseph Bednar can be reached at [email protected]