No reward for ignoring cyber risk
Today, virtually every business uses a computer, connects to the internet, and collects payments, meaning virtually every business can benefit from cyber liability insurance.
From the pages of In Business magazine.
Hacks. Data breaches. Ransomware.
Operating in such a connected, data-driven world, these are real threats facing companies and industries beyond just the retail, health care, and financial sectors.
It’s why any good disaster management and cybersecurity plan should include cyber liability insurance, say the experts we spoke with.
“These policies ought to be considered by anyone who relies on computer programs to run their business, which is to say just about everyone,” comments David Kruse, a client executive for Hausmann-Johnson Insurance. “Not every business will be at risk for a major data breach, but anyone with internet access could be subject to a ransomware attack, a zero-day attack, or a DDOS (distributed denial of service) attack; anyone who uses email or has access to another’s network could pass malicious code to them; and if you have a website, you could be sued for trademark infringement due to your online content.”
If that sounds like just a lot of worry about something that isn’t likely to ever affect your company, you could be right. But ultimately business owners and executives need to ask themselves if it’s really worth the risk of not carrying cyber insurance.
“Like any insurance, people don’t need it until they really need it,” notes Stephen Lyons, government affairs and communication advisor for the law firm Husch Blackwell, who has worked with a number of clients following a data breach. “When entities go through this experience, the number one thing they say again and again is, ‘If I had known how complicated and expensive this was going to be I would have paid [for] the coverage.’”
According to Lyons, a simple mistake like opening an attachment, downloading a file, or sending information to a wrong email address could be the difference between the success of a company and that company taking drastic measures to pay for the damage done.
“For example, I’ve seen instances where the company has had employee personal information stolen and then the company had to downsize to help pay for the breach — it’s heart-wrenching,” Lyons says. “On the flip side, I have worked with companies that prepare for this situation. When it happens, experts are brought in, the costs are covered, and the company can continue to focus on the things they need to focus on to thrive in the marketplace. I assure you, these executives sleep better at night.”
Kruse says the risk analysis process should start from the following mindset: It’s not if a cyber event will happen; it’s when.
“The most common objections I hear from clients regarding cyber insurance are: ‘I’m too small,’ ‘I don’t have anything they want,’ ‘They would never look for me since I’m just a local [contractor, manufacturer, restaurant, etc.],’” explains Kruse.
“Here’s where we need to change our thinking,” he continues. “Hackers often start by finding your network’s weaknesses before they’ve even found out who you are. Using search engines like Shodan, bad actors can scan entire IP address networks, find software and devices with known vulnerabilities, and then exploit the vulnerabilities. It really doesn’t matter how big you are — if you are an easy target, you will likely be targeted.”
Cyber liability policies are not your grandfather’s, or even your father’s, insurance. They’re still relatively new to the insurance marketplace and as such are still changing.
Cyber liability insurance has evolved immensely in the last three years alone, notes Derek Lacniak, account executive director of cyber practice for M3 Insurance. While the cyber liability product has been around for over a decade, it was initially reserved for very large, high-risk exposure organizations. The insurance marketplace began by building the cyber liability programs for these specific types of clients, and tailored the coverage to their specific needs.
“A few short years ago, many insurance companies simply tossed in cyber coverage as a free coverage,” explains Ted Nickel, Commissioner of Insurance for the State of Wisconsin. “The idea of cyber coverage was often assumed to be covered under general liability coverage or other coverages in a personal or commercial policy. The rapid development of cybersecurity risk, associated breaches, and losses focused the attention of insurers and risk managers on the issue of cybersecurity coverage.”
Lacniak says in the last three years, cyber liability has hit “Main Street” and become accessible to businesses of all sizes from all different industries. “The rise in insurance carriers entering this marketplace has been dramatic, with the marketplace now having well over 50 different insurance carriers, which would have been around 30 three years ago. As more insurance carriers have entered the space, it has created a very competitive marketplace that is buyer-friendly.
“What continues to lag in the marketplace is true actuarial data and underwriting comprehension,” Lacniak continues. “Cyber liability is an exposure unlike any others, and carriers continue to struggle on how to underwrite or rate these types of policies. Policies are being priced on the amount of revenue the organization generates — a typical rating basis in insurance — without any regard for the security controls in place or the type of data the organization has access to. Until we have the same type of actuarial loss database that other mature lines of coverage like property insurance, product liability, and auto liability have, we expect to see relatively soft pricing.”