Managing Cyber Exposure: 2020 and Beyond – Part 1

LinkedIn
Facebook
Twitter
Email

How is the insurance marketplace responding? 

The industry is seeing an increased interest in coverages related to cyber liability, specifically first-party coverages. Where the focus once was just on third-party liability, we’re now seeing an appetite for cybercrime coverage that is separate from traditional crime insurance programs. Clients are now asking for broader extortion coverage, business income, and extra expense. Data restoration costs are also at the forefront of a lot of people’s minds, requiring the marketplace to remain nimble in response to cyber liability.

Data breach sources and associated costs

The IBM and Ponemon Institute Cost of Breach Report provides some significant data regarding the costs that risk managers need to take into consideration.

For example, human error accounts for 23% of all data breaches and costs an average of $3.3 million. System glitches account for 25% of breaches. Vendor errors cost about $2–$3.3 billion. However, the big threat to look out for is malicious attacks. These attacks account for a whopping 52% of all cyber losses, averaging a global cost of $4,270,000. Of these malicious attacks, 19% are caused by compromised credentials, another 19% by cloud misconfiguration, and about 13% by hackers. Hackers alone create an average of $4.4 million worth of loss.

500 or Fewer Employees
$ 1 M
500–1K Employees
$ 1 M
1K–5K Employees
$ 1 M
5K–10K Employees
$ 1 M

Size Matters.

The Ponemon study also included some interesting information regarding a business’s size and potential losses.

For a business of 500 employees, the average breach costs were about $2.3 to $2.5 million. The average for an entity that has between 500 to 1,000 employees is $2.5 million. For those with 1,000 to 5,000 employees, the cost is $3.78 million on an average basis. If you have 5,000 to 10,000 employees, costs come in around $4.7 million.

This employee data tells us that larger employee groups tend to have more sophisticated tech needs and the staff to meet them. However, when businesses have only about 500 employees, they usually have no tech staff, which causes heavy reliance on vendors and vendor-type aspects.

How can we prevent catastrophic losses?

Forensics, special computer systems, firewalls, and the ability to audit help agencies build better crisis management, communication, and education around cyber risks for their clients can help prevent catastrophic losses.

Here are some things to consider when performing a risk assessment for your clients:

  • What activities is the enterprise doing to protect themselves?
  • What notification activities are triggered when a breach occurs?
  • What are the costs for outbound calls, general notices, as well as state and federal regulatory requirements?
  • Will you need to engage with outside experts to help with brand and reputation?
  • What is the total loss of business? Loss of customers?

Stuff will stack up.

If a computer system hack involved credit information, studies estimate that you could lose upwards of 30% of your customer base. Often, these customers will not return after the breach.

What are the three most important things agency clients can do?

  • Get recertified with your credit card companies.
  • Get a compliance audit done.
  • Pay the fines and penalties you are obligated to under consumer law.

Agents should focus on “the 2020 problem.”

Malicious data breaches are the single, most increasing threat that the marketplace needs to address. These breaches account for about 50% of all exposures, but it’s really the ransomware and destructive malware that cause the biggest problems. This is “the 2020 problem.” We are now seeing destructive malware, such as wiper-style attacks, that create an average of $4.5 million worth of loss. The COVID-19 pandemic has also resulted in a significant increase in ransomware claims because many people now work from home. This alone is reason enough to focus on this cybersecurity issue.

The increased cost of providing goods and services online has also increased the importance of ensuring that online business activities follow cyber security measures. Despite that, you need to understand that ransomware will still come in. Today, insurance companies are not offering any kind of pandemic-related extensions for cyber liability products. Ransomware coverages are starting to come out with significant increases in deductibles, creating even more challenges for insurance and risk management professionals.

Ransomware is a computer malware that cyber-criminals use to encrypt digital data which they use to extort businesses into giving them currency. These threats can include erasing or releasing private information in the public domain. The number one source for ransomware comes through phishing and uses a strain called RSA 2048, a very strong encryption software, which is very difficult to unlock. Most ransomware attacks require virtual currency or cryptocurrency to remove them.

The severity of ransomware claims in 2020 increased by 100% since 2019. The original ransomware attacks focused on payoff but have now changed in methodology. Currently, the focus is not only about stealing data, but also the threat of publishing data and naming victims.

The average cost of a ransomware attack is about $4.4 million and counts for 41% of all active cyber insurance claims. Ransomware has even surpassed payment card thefts in 2020, evidence of a significant shift.

How can you help clients control cyber threats?

First, clients must understand that cybercrime is a huge risk management issue, meaning that a combination of risk management techniques and unique insurance products are needed in order to create solutions. Agents should provide value-added services in terms of risk controls and risk prevention techniques. An agent has a lot of work that needs to be completed long before a client calls and says, “I’ve got a ransomware attack. What do I do?”

The first step in risk management is risk identification. Once the risk is identified, agents can then consider the exposure’s scope as they complete their analysis. This process helps agents understand the extent of the potential risk and helps clients identify the potential costs associated with a breach.

Once bitten, twice shy.

If a client has been the victim of a ransomware attack, they can expect a future attack within the next 14–22 months. The future attack often results in paying double the initial ransom. Since hackers already know the business is susceptible to cyberattacks and are banking on the chance your clients may have forgotten the previous ransomware attack, they will come back. Make sure your clients aren’t still low-hanging fruit.

 

Learn your lessons. Here’s a quick list:

  • Complete all protections and put end-point protections in place.
  • Double your efforts at loss reduction.
  • Get the proper cyber insurance in place.
  • Enhance essential coverages: DLP or data loss prevention, controls, and spam filters.
  • Make sure your backups are adequately screened.
  • Set up better network segmentation.
  • Have better firewalls and segmenting items.
  • Increase the security education for the employees.

But wait, there’s more!

Educate and prepare your clients for:

  • Fines and penalties
  • Increased cyber insurance costs
  • Higher deductibles and other cost increases

Here’s the takeaway.

Remember that the average time it takes to detect and contain a data breach (based on the Ponemon study) is 280 days. A malicious attack takes 315 days. This means your client is not going to have an immediate notification. Make sure they understand that! It’s also good to understand that 61% of the data breach costs are incurred in the first year of the loss, so continuing coverage is going to be highly important. You should help your client understand and evaluate the coverage provided. Do they understand what third-party liability is? What remediation is? Are they aware of regulatory exposures and payment card industry exposures? Is all their data covered? Make sure that you explain remediation services and how data restoration services will work. Most importantly, agents should know that the various coverage triggers for ransomware will vary since there is no universal language for them.

About our Guest: Paul Burkett, J.D., CIC, CRM, CPCU, ARM, ALCM 

Paul Burkett is the President and CEO of Snoaspen Insurance Group, specializing in risk management consulting, insurance education, and expert witness services. Paul is a National Faculty member, teaching Institutes, RGS, and PROFocus series classes online and across the country.  He has also served on the Board of Governors of The Society of CIC. Paul has a JD from Concord School of Law and an undergraduate degree from the University of Minnesota.  He also completed graduate work at the University of Oklahoma.  In addition to his CIC and CRM designations, Paul also has his CPCU, ARM, and ALCM designations.

More Posts

This Content Is Made Possible by our Research Academy

Do you need an answer immediately?

Check out our FAQ page!