When Kirk Reisner started his career more than 20 years ago, cyber liability insurance wasn’t even a blip on the industry’s radar.
Despite the ubiquity of the internet even then, Reisner – chief financial officer and head of the commercial department at Millennium Brokers LLC insurance agency – said the concept of insuring against business losses associated with data breaches, hackers and ransomware didn’t take rise until about 2010.
“That’s when companies started excluding cybercrimes under their general liability policies,” Reisner said.
Insurance companies realized cybercrimes were on the rise and warranted separate coverage.
Reisner likens it to industry changes involving pollution.
“In 1970, you could buy a general policy that would still cover pollution,” he said. “Then when we started having oil-spill sites and asbestos issues, insurance companies were all ‘whoa, whoa, whoa’ and started excluding those on their general policies. Basically, the same has happened with cyber.”
This year has seen a record number of cybercrimes. According to the Identity Theft Resource Center, a nonprofit organization established to help minimize the impact of identity theft and other cybercrimes, there were more publicly reported cybercrimes in the first three quarters than all of 2020. According to the ITRC’s data breach analysis, publicly reported cybercrimes were up 17% through Sept. 30, and cyberattack-related data compromises were up 27% compared with all of 2020, with phishing and ransomware attacks most common.
“They’re usually successful,” said Shannon McMurtrey, an expert on cybersecurity and assistant professor of management information systems at Drury University. “The bad guys want to get paid.”
Cybersecurity Ventures – a cybersecurity researcher and publisher of Cybercrime Magazine – predicts ransomware damages alone will cost about $20 billion globally this year.
“I probably took out my first cyber policy for my agency in 2016,” Reisner said. “It went from me talking to people and looking at me like I was crazy to it becoming one of my best-selling policies.”
Business at risk
Colonial Pipeline, the nation’s largest fuel pipeline operator, made global headlines earlier this year when it paid $5 million to Russian-based cybercriminals. But McMurtrey and Reisner say companies of all sizes are at risk.
McMurtrey said awareness of the threat is the first step toward protecting a company.
“It becomes less scary when you educate yourself about it,” he said.
After that, it’s a matter of observing good cyber hygiene and doing basics, such as turning on two-factor authorization everywhere and using a password manager to prevent using the same passwords in more than one place.
“Your goal is to not be the slowest gazelle in the jungle, and if you do those two steps alone, you’re ahead of 85% of the others in the jungle,” McMurtrey said.
Reisner warns that business risks have risen with the increase in working from home, sometimes on personal devices, and proliferating cloud-based data solutions.
“I think most businesses would be surprised how much information they have and how exposed they are on the internet – cloud servers, emails, customer management services. Your local plumber is storing stuff on the web, and you don’t even realize it,” Reisner said.
Being a victim of a cyberattack is expensive even for the smallest companies.
Reisner cites a personal example. Last year, the insurance-agency management company Vertifore experienced a data breach. Because Reisner used Vertifore’s service to manage his company, thousands of his clients were caught in the breach. Reisner had to send letters to the clients whose data he knew was leaked as well as to those whose data he suspected was leaked. That letter alerted clients to the breach and gave them the option of free credit monitoring.
Reisner’s expenses were covered, but if this same situation had happened to someone who didn’t have coverage, the expenses could quickly escalate.
The cost of the letter with postage is probably somewhere around 80 cents, Reisner said. “Federally, you’re required to pay for credit monitoring. Even if you get a bulk rate, you’re looking at minimally $120 per person,” he said, adding that cyber policy premiums can range from $500 to millions of dollars, depending on the size of the company and its data.
Before deciding on cyber liability insurance, McMurtrey advises starting with a risk assessment. “Get a feel for what’s the worst thing that could happen. What data if we lost it would be catastrophic? What are we doing with our data?” he said.
You also need to examine how data is handled.
“When you get a policy, there are a lot of things that they expect you to have in place: a response plan, cyber hygiene. If those things are missing, they either won’t write it or won’t pay it. It can turn into a needless expense,” McMurtrey said.
It’s imperative to create a disaster plan for network outages and cyberattacks, he said.
“You don’t want to create a disaster response plan when you’re in the middle of the disaster,” McMurtrey said. “You want to do it upfront when there’s no emotion. Table-top it with your team and think rationally: when to contact the law, attorneys, media, customers; what regulatory burdens do we have? All of that needs to be decided and documented upfront and practiced.”
Businesses also need to be aware of threats introduced by the recent expansion of remote working. McMurtrey said there are ways to deal with the potential for those heightened security risks.
“When companies issue laptops and they’re locked down and can’t do anything other than work, it’s frustrating, but it’s doing what they’re supposed to do,” he said. “If they’re using personal devices, they’re recognizing they can’t protect that data so use cloud and VPNs and put it in an area where they have more control over it.”
When data breaches or cyberattacks happen, Reisner knows from experience that things happen very quickly.
There are two immediate goals, he said. The first is to get the business up and running again by either negotiating ransom or paying whatever cyberattackers are holding the company hostage for.
The other is to find out what information the cybercriminals accessed and how many clients are impacted.
At this point, cleaning up the mess begins.
McMurtrey said he would like to see the small-business community push this issue into the spotlight.
“Talk about it at trade organizations, lunch-and-learns, bring in someone to talk about the topic. Tell war stories,” he said. “When they do get hit, they don’t want anyone to know about it. So many of these things go unreported. The net result is no one else is allowed to learn this threat exists.”
County lockup comes in on time and under budget.