Cyber Chaos: The Risks of Going Without Cyberinsurance
We see cyber attacks happening every day in our insurance and investigative industries, and here's an article in the Wall Street Journal that describes it in more detail. The article describes how small businesses are now seeing an uptick in cyber attacks because many hackers see them as soft targets. Many small businesses don't have the budgets to put strong security prevention in place, so they become bigger targets. These businesses don't believe they’re a target, so they don't make security a priority. According to the article, cyber attacks are becoming more common for these businesses because they’re not prepared for them, and hackers know it. They see these businesses as easy targets. Small businesses are also more willing to pay even smaller amounts quickly.
How much more? Well, small businesses were attacked at twice the rate of larger organizations, according to a cyber expert at Mastercard. Data breaches at small businesses jumped 152% compared to the prior two years.
Many small businesses are more focused on keeping their heads above water with the pandemic, finding help, and dealing with supply chain issues and inflation, so they don’t focus a lot of attention on cybersecurity. Here’s the key: businesses are aware of the threat but don’t realize they aren’t insured against it. Many small businesses still incorrectly expect to be covered under their property and liability policies, where there are exclusions for this. So, make sure you get with your insurance broker or agent, or look into cyber protection. Usually, a standalone policy is what you’ll end up having.
The side effect of signing up for cyber insurance from some companies is that they will also give you a lot of free resources to prevent an attack in the first place. Even if you have insurance, you don’t want to experience an attack. It’s kind of like having fire insurance—having it doesn’t mean you want your building to burn down. It’s still going to be a hassle if you face an attack, so you want to avoid it.
According to the insurance industry, commercial business insurance tends to exclude items like legal fees for an attack, the cost of repairing infrastructure, and other expenses from a cyber event. So, what happens if you have insurance? This alternative metals company, an aluminum manufacturing company in Florida, had cyber insurance that covered a ransomware attack. The insurance company dispatched experts who quickly determined the attackers had not compromised sensitive information. Aware that nothing had been compromised, the company owner was able to rely on a backup and rejected the attacker’s ransom demand of 2.4 million dollars in bitcoin. The insurance company did pay a claim of 180,000 dollars for attorney fees, hard drive replacement, forensics experts, and the cost of new software.
Let’s review the other one again just in case—it's worth repeating. A company in Maine had 250,000 dollars stolen from it. It cost them 218,000 dollars. Their insurance company, which was not a cyber insurance company, paid a little bit, but they lost a few years of their lives. Two hundred thousand dollars and a whole lot of aggravation.
What about the market? Is it available? Cyber insurance is a good thing to have, but it’s becoming more difficult to obtain. Pricing for the policies has gone up 10 to 15 percent annually. However, many renewed policies don’t see the same increase as a newly purchased policy. The reason is that if you have an existing policy, you’re known to be a certain type of risk and have certain procedures, which we’ll discuss. Small businesses, on a percentage basis, are being turned down due to tightening underwriting requirements.
What other requirements might companies now face? They may now be required to have multi-factor authentication, both for themselves and for vendors and third parties, to ensure that they’re safe. Multi-factor authentication reduces the risk. Insurers may also require small businesses to encrypt backup data and have a response plan.
Here’s the thing: if you put all that in place first and then apply for insurance, you’re more likely to get a good policy from a good company at a lower price. What kind of companies should you look for? Small businesses may be able to skip some underwriting requirements by purchasing a policy from a technology company that sells insurance, rather than an insurance company that sells cyber insurance. What is that called? That’s called an "insurtech." They automate underwriting by using artificial intelligence, which pings your computers and servers to assess your risk. They know how to write the policy accordingly, but you're probably going to be required to regularly improve your cybersecurity as a condition for maintaining coverage.
That’s going to help you, but it’s also a burden. If you get a policy from an insurtech, you’ll be required to constantly review your cybersecurity policies. If you don’t, the risk of a cyber attack increases, which means your insurance company is more on the hook.
This is an excellent review of what's going on with cyber insurance. You don’t want to be like this person who lost two hundred thousand dollars. For many small businesses, two hundred thousand dollars could be make or break, so you want to have the right kind of policy.
How much do they cost? We quote policies all the time for small and medium-sized companies that cost around 100 dollars a month. It’s not that big a deal, but you have to make sure you abide by the guidelines of your insurer to make sure you're using best practices for your cyber protection.
