Insuring Your Cyber Future: A Guide to Cyber Liability Insurance
So of course you have heard of cyber insurance. Maybe you're worried about a cyber attack against your business and you want to know how to protect against it. Maybe you're wondering how much it's going to cost, and even if you're eligible to get cyber insurance. We're going to talk about cyber insurance policies as a form of business risk protection, and how you can go about making sure you get the best quote and also making sure your business is eligible.
One of the things that's very commonly misunderstood is that you have to be a tech company to need cyber insurance. We've talked to many businesses. As an example, we talked to a builder, a general contractor, and they said, "Look, we're not a tech company. We hardly even use computers. We're a builder. We use excavators and jackhammers and framing guns, and it's all labor and construction." Liability for a business like that may be higher than even other companies. In fact, general contractors are the third most attacked type of company. Why is that? Well, first of all, companies that are less technically oriented many times are higher targets, because the hackers don't think you have the technical sophistication to prevent the attack. That may or may not be true, but that's what they think, so they're going to hit those harder.
What can you stand to lose? Well, think about it: as a builder, you have access to and interactions with lenders and financial institutions for your clients, maybe blueprints, wire transfers, or title escrow funds. You may not directly touch them, but you're going to be emailing back and forth with those stakeholders. Any of those emails is a vector for that hacker to get in and destroy the job, take the money, or lock up computers. So just because your company isn't technical per se, or a tech company, doesn't mean you're not a target.
How much do these types of events cost? Well, here's a graph. You can see on the right-hand side the average paid incident response, and you can see each category. The blue is credit monitoring; that costs 50,000 per incident. The red is forensics, 160,000 per incident. The other big one is notification: a lot of times you're required by law to make notifications to any potential third party that's been affected. If you add all these up, it's 400-some-odd thousand dollars, almost half a million per incident. So you may have some endorsement on your GL policy to cover cyber for 20 grand or 25 grand. That's a drop in the bucket for a typical average incident. Many incidents are over a million, but the average incident is about half a million dollars. These incidents are also becoming more common; we'll take a look at that in a second.

But one of the questions is: what do you need to provide in order to get cyber insurance? What do you need to give your agent, as far as information, in order to obtain coverage for that risk? We'll typically answer a few questions: how many employees, what's your revenue, do you have any open claims, things like do you use passwords to log in. It's basically simple question and answer that you can get done in about 30 seconds.
How much does a policy cost? Well, for many types of businesses you can get a million dollars' worth of coverage for about a thousand bucks. We've seen some that are quoting in the three or four hundred dollar range for some types of businesses; some are a little higher, but it's pretty reasonable. Think of the bang for your buck: a thousand bucks to cover for a million, and you can up that, you can up it to 2 million or 3 million.

One of the most important things to remember is that this type of loss to your business is probably more likely than the types of coverages you have. You certainly have fire insurance. You probably have premises liability insurance. If you own a building, you may have structure coverage, property and casualty coverage. Those are important to have, but what are the odds that your building's going to burn down, knock on wood, versus having a cyber attack? Probably not anywhere near as much. And you probably don't have coverage for the more likely event, and it's probably cheaper. It's not your fault: it's a relatively new type of insurance, only been around for about a decade, where fire insurance has been around for a century. So you may not know about it; your agent may not have made you aware of it.
And here are the types of businesses that are most commonly affected. Professional services, that's the big one: almost a third of claims are in that industry. Technology is less than half that; 13 percent of the claims are technology companies. So if you're in any kind of professional services, and "other", that covers a lot of things too, things like car dealerships or retail facilities or restaurants. You get down here to these others, healthcare, manufacturing, media: those are down in single-digit percentages. So these two added together are roughly half of all the claims, and those are the types of businesses that you're in.

And revenue size: that's also relatively small. Most of them are under 25 million. You can see that a quarter, you have some that are the big boys, 500 million. But this is the type of thing that's a misconception, that smaller companies aren't targeted. They're often more targeted, because the hackers think you don't have the resources to prevent it.
How do they get in? Well, they're going to look at things like unpatched apps on your network. We had a case where there was a car dealership, and the hackers got in through a security camera that was on the internet. It was an IP address, it was open, and they got into the security camera. Once they're into that camera, which didn't have a lot of security, now they're into the whole network, and they downloaded all the customer data.

What are the types of costs you may incur? Well, think about the third parties that could be involved. There could be customers, it could be vendors, it could be clients, it could be government agencies that are all affected by your loss. You want to make sure that you're looking at those kinds of coverages for third-party liabilities that could accrue to you.

One of the things that cyber insurance does much differently than other types of insurance is mitigation and prevention. When you purchase cyber insurance from most companies, and you want to make sure you verify this with the coverage, in addition to providing payment after an event, they're going to provide you support during the event and prevention before the event. They're going to maybe have notifications, daily, weekly, monthly, of the vulnerabilities of your network. It's almost like having a partner, an IT partner on staff, that gives you updates. If you have any type of weird thing happen, maybe your computer locks up or you get a weird screen, you take a photo with your phone, you message your carrier, and they can jump in right away and see what's happening, to prevent that cyber attack from expanding, from getting bigger.

Many of these attacks take weeks or months to fully implement. They'll get into your network, they'll sit there, they'll lurk, they'll gather data, and then they'll actually take action. If you can catch it early, you might prevent all the damage. And of course you want to have an insurer that's going to pay for all this work and claims if it does result in something that creates damage or losses.
A couple of takeaways from this. Remember, right now on your network you probably have dozens of open web ports and unpatched access points that you're not even aware of. You're just lucky so far that no one's gotten in through those.

Number two, you want to make sure that this type of higher-risk loss or damage to your business is covered in the same way you have other risks or losses that are covered. You have risks or losses that are probably covered with paid insurance that are very low probability, and you're paying for insurance for them. That's not to say you shouldn't, but you want to make sure that the relative probability and the relative consequence of losses is also included in your holistic observation of what could cost you your business.

The other thing is, remember, one of these cyber events can result in other types of losses. For example, it can result in a crime loss, if somebody hacks your system or fools an employee into transferring money. It may result in some type of EPLI, or employment practice, loss if you fire somebody because they made a mistake and you had a loss. This could also be something that affects your business in a negative way.

Remember, you and your employees are going to panic when you have this type of event. You want a partner that can step in and be aware of what's going on, find the hackers, lock things down, and prevent losses, so you're not out there on your own dealing with these professional hackers and professional fraudsters infiltrating your network. We do this all the time as private investigators: we come in after the fact and pick up the pieces. Many times, as insurers, insurance brokers or insurance agents, we look at it from the standpoint of how to prevent it and how to cover potential victims, so that it's not a life-altering event.

Look, things happen, right? You have insurance for many types of things: car crashes, fires, health insurance, life insurance. And you want to make sure that for all of the potential risks that could be a deal breaker, a life changer, you have coverage, so that it becomes at the very worst something that you'll remember and that you have to deal with, but it doesn't throw the trajectory of your life off.

Look, there's a story about an accountant. They had an attack on their business and they didn't have coverage. They feared that, look, if this gets out, and the hackers, the ransomware attackers, released all their clients' tax returns and contacted all their clients and said, "Look, we hacked your accountant, we have your tax returns, your Social Security number," that would be devastating. So this person took two million dollars from their retirement account and paid off the hackers. That's how much of a life consequence it would have been if they didn't eliminate this event, which is what you want to do with insurance. You're better off doing it with a thousand dollars or so worth of insurance versus 2 million from your retirement account.
