Law enforcement likes cyber insurance because insurers press clients to maintain the best defensive practices.
“The insurance policies I’ve seen,” said Stephen Oakes, supervisory special agent with the FBI’s Louisville Field Office, “require a company to maintain readiness in order for the policy to pay out. If it puts them in a better defensible position, I am in favor.”
One constant about cyber insurance is that it is constantly changing—because the manner and breadth of threats are also constantly changing and growing.
At first, cyber insurance was an add-on to other business insurance, according to Joe Davis, cyber practice leader with Houchens Insurance Group in Bowling Green. It was relatively inexpensive. Not hard to purchase. Not that complicated. Policies focused more on the type of industry. Most carriers had simple applications and did not get too deep into IT security.
Then boom! In the 2000s ransom attacks grew more prevalent and costly. The pandemic sent employees home to work remotely. New laws took effect regulating defenses and imposing penalties for data loss. For example, AT&T agreed to pay a $25 million penalty to the Federal Communications Commission for exposing the personal identification information (PII) of 280,000 customers—about $90 per PII exposed.
“Cybercriminals realized that businesses have access to proprietary and employee information, rely heavily on their network and electronic data, and will pay ransoms to regain access to their systems,” Davis said. “In many cases, these companies have subpar online security.
“Cyberattacks have been wreaking havoc across every industry, and companies may not realize that there are laws and regulations that must be followed in the event of a cyberattack. You cannot just unplug the computer or buy new equipment. If you do, you can open yourself up to litigation, fines, loss of business and reputational harm.”
Attacks create many expenses
Cyber insurance can pay the costs of a cyberattack, with agreements providing coverages such as liability to the insured’s customers who suffer damages because their personal data—medical information, credit card and Social Security numbers—was breached. Insurance can pay for notifying potentially breached individuals and for the credit monitoring required by state laws, as well as forensic investigation costs, business interruption loss, hardware replacement and public relations.
“Most small and mid-sized businesses think they don’t need cyber liability but they are very vulnerable and do need it,” said Angie Myers, executive vice president, commercial, with Lexington Insurance Agency. “About 62% of cyberattacks hit small to mid-sized businesses.”
Darin E. Smith, a partner and licensed consultant with Insuramax in Louisville, concurs.
“Cyber-related incidents are consistently identified as one of the top risks facing organizations of all sizes around the globe,” he said. “Businesses small and large, profit and nonprofit, local and international, are all now at similar risk.
“The larger firms have more funds to go after, but they also tend to have much larger IT budgets and tools to defend their networks. The smaller businesses may have less to go after, but there are many more of them and they often have limited safeguards, making them easier targets. Small businesses (under $25 million in revenue) have seen claims severity rise 56% in cybercriminal attacks over the past year.”
Cybercriminals today, the FBI’s Oakes said, usually do not even target a specific business. They direct attacks in every direction at everyone when they learn about a new exploit or vulnerability they can use.
“The bad guys just hit everyone they can without knowing who they are hitting,” Oakes said. “If they have an exploit, they will hit everyone possible. Then they triage their victims to determine whom to ask for ransom.”
Many experts agree it is not a matter of if, but when, you are hit by a cybernetwork event, Smith said.
The experts have the statistics to back up their statements. Nationally in 2021:
• Overall cyber claims severity increased 28% to an average of $197,000 per claim.
• Ransomware demands are up 20%, pushing the average settlement to $1.8 million.
• Funds transfer fraud (FTF) jumped 78%, with an average of $388,000 lost before recovery efforts.
• Small businesses have seen a 56% rise in claims severity.
• Phishing attempts remain the most common cyberattack method, representing 42% of all incidents.
Multifactor authentication is a good defense
But Smith said there is some good news: Tools such as multifactor authentication (MFA) can block more than 99.9% of account compromise attacks.
Such tools are considered critical parts of a risk-management program beyond the policy itself, he said. Many insurance companies offer policyholders free tools and advice to safeguard networks, train employees and lower the chance their systems will be impacted by a fraudulent act.
More and more businesses are becoming targets due to weak security controls, Myers said. If a business uses email, online banking, a management system or digital payments, it should have cyber insurance, she said, and it needs to be sure employees and vendors know how to spot a phishing email. Controls should be in place to secure invoicing and wire transfers.
“Controls along with cyber insurance is the key,” Myers said.
Still, Smith emphasized that using MFA and having a firewall in place is not enough protection.
“Businesses must remain alert and invest in continued education, training and cyber-risk management resources now more than ever,” he said. “The cyber insurance market is evolving to cover and offer more, but the cybercriminals always are one step ahead.”
In Bowling Green, Joe Davis, who deals with two to three cyberattack claims every week, also has advice for businesses. He has three broad recommendations.
The first echoes what Smith said: Use multifactor authentication.
“MFA is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user’s identity for a login or other transaction,” Davis said.
“Multifactor authentication combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.
“MFA should be required for all remote access to the network for employees, contractors and third-party providers.”
Davis’s second recommendation is to implement endpoint detection and response (EDR) that is monitored 24/7: an integrated security solution that combines real-time continuous monitoring and collection of endpoint data, with backups stored off site on a completely separate (air-gapped) network.
“An air-gapped backup is a copy of your organization’s data that’s offline and inaccessible,” he said. “Without an internet or other network connection, it’s difficult for your backup device to be remotely hacked or corrupted.”
Davis also had a lot to say about what businesses should look for in a policy, while recognizing that cyber policies are now hard to obtain. He said obtaining a policy requires a more in-depth description of the IT security protocols as well as additional steps outside of IT, such as education for employees and a written breach response plan. Businesses will also need to provide scans of forward-facing networks to identify deficiencies and to use as part of the underwriting process.
Earlier this year, Kentucky became the 21st state to adopt a data security law that will require insurers and larger agencies to increase measures to help prevent cyberattacks and data breaches. House Bill 474, which goes into effect Jan. 1, 2023, was modeled on the data security law of the National Association of Insurance Commissioners.