Cyber Insurance: Now a Necessity?

Risk management to protect business data has become a multibillion-dollar sector

By Debra Gibson Isaacs

In 2018, incidences of ransomware use – cyber pirates stealing or making unavailable proprietary information from a computer and demanding money to return it – will double from 2017.

Data breaches are on the rise, too, according to the Insurance Information Institute (III), a nonprofit dedicated to improving public understanding of insurance. III’s Identity Theft Resource Center reports that breaches hit a new record in 2017 – again – with 1,579 breaches tracked, up 44.7 percent from 1,091 in 2016. The number of records exposed rose to about 179 million, compared with 37 million in 2016.

In 2017, the largest U.S. credit bureau, Equifax, suffered a headline-making breach that exposed the personal data of 145 million people, including Social Security numbers.

Two major United States health insurers were breached in 2015, exposing the data of 90 million customers. The U.S. government also has been the target of hackers, including the Federal Deposit Insurance Corp., the Internal Revenue Service, the Office of Personnel Management and the Department of the Interior.

The average data breach cost globally is $3.86 million in 2018, up 6.4 percent from $3.62 million in 2017, according to a study from IBM and the Ponemon Institute. And these figures do not include the many attacks that go unreported and undetected.



This begs a question: Do business owners need a form of risk management called cyber insurance to lessen the impact of cybercrimes and get their business back in business?

The majority of reported 2017 data breaches affected the business sector, according to the III, with 870 breaches or 55 percent of the total. Medical/health-care organizations were affected by 374 breaches (23.7 percent of the total). The banking/credit/financial sector ranked third as it sustained 134 breaches (8.5 percent of all breaches).

“Pirates plant a Trojan horse (malware) inside your computer system,” explains Joe Maupin, of Joe Maupin Insurance Agency Inc. in Louisville. “You don’t know it. They will then observe your business for up to a year. They can look at all your communications and files and get a good idea of your day-to-day business and its value. They also have the ability to shut down your computer system.

“At some point you will get a telephone call from the pirates: ‘Hello. We’ve shut your computers down. If you wire money into this account we will remove the Trojan from your computer and won’t touch it again.’ You now have a big decision to make. It’s like the Mafia. They went shop-to-shop to collect protection money. This is a new form of that crime.”

IoT adds to the exposure

Cyber vulnerability is increasing exponentially as the Internet of Things (IoT) expands. Already there are more equipment sensors and devices connected to the internet than cell phones, and it is estimated that there will be more than six connected devices per person worldwide by 2020.

Cyber insurance evolved as a product in the mid- to late-1990s as U.S. insurers expanded coverage for a new risk that was rapidly shifting in scope and nature. More than 60 carriers now offer stand-alone policies. In 2015, the market encompassed $2.75 billion in gross written premiums, growing to an estimated $3.25 billion by mid-2016.

“Few companies have an IT team of around five people prepared to find what is wrong with your computer system and fix it within 24 hours,” Maupin said of cyber insurance. “That is true even for companies with a good cyber plan.

“Without protection, you have to call an IT company and then an attorney. They can’t always come right when you need them. In the meanwhile, you face a lot of liability. For example, if you run a restaurant, the criminals may have access to all your credit card records. Considering that you can pay for two years of a cyber policy just to have an IT company come one time, it doesn’t pay to go without it.”

Even for savvy business people, however, it is not as simple as calling an agent and ordering cyber insurance. Policies are still new enough that many insurance agents know little about them and some do not offer them. As with all insurance, there are myriad terms and provisions to learn and understand.

While insurance agents can and should help, Maupin said business owners need to understand these provisions as well.

“Insurance companies are just catching up in the last two or three years,” he said. “I go to three top-level seminars on cyber issues every year. I have to. This is easy money for these hackers. It is so hard to track. We don’t catch many of them.”

Terms to understand

Maupin discussed the most important points to understand if you decide to consider a policy:

Prior Acts Coverage – This is protection for issues that may have happened in the past. Clients can typically go back as far as desired. This coverage should be an additional 10 percent of the overall premium.

Reputation Damage Expense – If it becomes public that a company has had a breach, it can take a lot of advertising to defend or restore a good reputation. The insurance company provides money to buy this advertising in an amount based on the company’s current advertising budget.

Forensic Specialist Expenses – It is important to have the right fit when hiring a forensic specialist, and one who is ready to pounce within seconds, according to Maupin. These specialists go into the computer in the aftermath of a breach to find what has been hidden to answer questions such as: How did this happen? How can we keep this from happening again?

Both Paper and Electronic Data – When companies are hit with a big data loss, they may need 10-15 people to put data back into their computer system. The insurance company will provide any required temporary employees to do data input.

Liability Coverage – It is not required to buy cyber insurance from the agency that provides your liability insurance, but doing so means that in the event of a loss, one company has all the information to get started.

Loss Control and Mitigation Services – This includes a loss claims specialist and a forensics specialist. Under this provision, your insurance company can call clients for you while you focus on keeping the business going. You and your insurance company become a management team working together. “This is huge,” Maupin said. “We can make life better after some person sitting behind a computer destroys your business just because they get a kick out of it.”

Business Interruption – This covers lost income for up to 12 months and can pay the difference in revenue you had before a cyberattack versus after.

Personal Cyber Insurance – PCI is important with affluent business owners because “hackers know CEOs often have assets they can liquidate quickly” if they hack a CEO’s personal laptop, Maupin said.

Dark web and deep web?

In addition to keeping up with new insurance terminology, business people need to stay current with all the new terminology, such as the difference between the deep web and the dark web. Cybersecurity expert Milton Bartley, co-founder, president and CEO of ImageQuest in Louisville, offered definitions of two of the most important terms.

The deep web is a portion of the internet that is hidden from search engines. Code for these web sites and pages is written so as not to be indexed by Google, Bing, Yahoo, etc. You can browse to the content, but only if you know the exact URL address. It is estimated as much as 90 percent of the internet is deep web.

The dark web is part of the deep web. Special software and sometimes even hardware is needed to access it. Most of the illegal and illicit activity on the internet takes place on the dark web – including cryptocurrency manipulation, sex and human trafficking, black market transactions, narcotics trading, arms trading, etc.

The TOR browser, which you can download and install on your computer, is the most common method to access dark web sites – assuming you know where to find them and have or can get credentials.

Countering threats cooperatively

While each businessperson must consider the needs of his/her company regarding cyber insurance and other issues, Angela Gleason believes it is critical that business leaders join with the government to collectively address this increasing threat. Gleason is senior counsel for the American Insurance Association and considered one of the pre-eminent experts on cybersecurity.

Data security currently is governed largely on a state-by-state basis, Gleason said, but many businesses, including insurance companies, are multistate and do not approach their security at the individual state level. Rather, most apply holistic, systemwide information-security programs that are not differentiated by state jurisdictions. She believes state and federal governments need to pledge more consistency in design and implementation.

“Cyberattacks are a constantly evolving threat,” Gleason said, “and bad actors are very good at adapting to new technology and defenses. Businesses and governments must be allowed to deploy flexible, risk-based approaches to their unique cybersecurity needs.

“Flexibility and a proactive, alert population are essential, but a uniform, consistent regulatory framework is also required. If state governments and the federal government developed this type of approach, it would maximize efficiency and resource utilization as well as enhance consumer protections.” 

Tips for staying safe

Experts agree that a strong firewall is the most important step in keeping your computer safe. Cybersecurity expert Milton Bartley, co-founder and CEO of ImageQuest in Louisville, offers more safety suggestions for business people.

• Use two-factor authentication (2FA) on every online account/service you have that offers it. Employing 2FA on your email, social media and financial accounts will make you as close to impervious to the standard attacks as you can be. To check if a service you use offers 2FA – and to find out how to enable it – go to https://twofactorauth.org.

• More than 94 percent of all malware is delivered via email. The “simple” rule is, if you receive an email with a link or an attachment and you do not recognize a) the sender and b) the content, DELETE IT! If it was important, the sender will either send it again or they will call you.


Debra Gibson Isaacs is a correspondent for The Lane Report. She can be reached at [email protected]
