On average, a data breach costs $3.9 million. Fortunately, cyber security insurance is now available to help businesses limit the financial damage associated with a data breach.
Cyber security insurance offers financial protection if a business suffers a data breach. For example, if a company loses money due to a malware attack or any other cyberattack, cyber security insurance covers the investigation and recovery costs associated with this incident.
So, is cyber security insurance worth the money? In our latest Grepcast, “So What Is Cybersecurity Insurance, Anyways?” Cleary Insurance Vice President Andy Gregory discusses cyber security insurance, and why it is a must-have for today’s businesses. Read our Grepcast transcript below to find out what Gregory and the Grepcast team have to say about cybersecurity insurance.
Full Disclosure: Cleary Insurance is TSP’s insurance provider.
Grepcast #51.5 — So What Is Cyber security Insurance, Anyways?
Adam Fisk: Joining us today on the Grepcast, we have Andy Gregory, Vice President at Cleary Insurance. He’s here to chat about everybody’s favorite topic, and that is insurance, but specifically, cyber security insurance. So, just to get a baseline definition, what is cyber security insurance?
Andy Gregory: Cyber security insurance really is the insurance industry’s response to covering a peril that was not previously covered under traditional insurance. The insurance industry is a causational type of operation and consistently responds to providing a type of product that was needed prior to a specific event. Back in the 80’s, 90’s, and certainly the 2000’s, when cyber events started happening like hacking and such, the existing insurance coverage forms that were available did not exist. So, either the policy form was silent and did not cover it at all. Or, it was expressly excluded. So, cyber coverage is something that has been designed to address those costs that come out of hacking. It covers both the company itself for damage — whether it’s financial or property damage — that is the result of a hack. Or, financial damage to a customer or third party as a result of that. It’s a very, very highly specialized and complicated insurance coverage form that’s different than any other insurance coverage form out there.
Michael Oh: What’s interesting, Andy, from my perspective is that we’ve actually seen some of our customers looking at cyber security because of the insurance. It is a reaction from the insurance companies to something that’s happened, but we’re also seeing that clients are becoming more educated about cyber security, and really what the risks are. It’s almost like if there’s a premium and a cost to it, then suddenly it’s real. Whereas with cyber security up to this point, I think a lot of companies have sort of seen it as, “Well, [a cyber event] hasn’t happened so far, is it really going to happen, and do I really need to take any action with my IT firm or internally in order to mitigate it?” But it seems almost like, “Hey, if the insurance companies recognize [cyber events] as a risk, then this is something that I need to act on.” Which is actually a great end result, in my view.
AG: Yeah, no question. In IT security and IT services, everything that you provide is, in essence, risk management for the insured. But, for instance, let’s compare it to property insurance for a building. If your building has hardwired smoke detectors and fire alarms, the insurance company looks at that property risk as a good risk. It’s the same thing with IT security. You’re deploying any and all possible standards for your company that help to mitigate or reduce or completely avoid any type of cyber security event, so then you pay much lower premiums, because there is a much better risk overall.
AF: So, in this case, we can at least, with a resounding voice, say that cyber security insurance is not the end-all. We have to do our homework first, and we have to make sure that we at least do the bare minimum of protecting ourselves.
AG: Absolutely. The whole concept of insurance is that you’re doing your best — it’s risk management — to reduce or mitigate any potential loss to your company. And then the insurance is a backup to that effort. And as a result, [the insurance] is there to protect you, but also, if you’re doing the right thing to reduce risk, you’re going to pay lower premiums than another company that is not doing the same.
MO: So how would you recommend that a company that really hasn’t tackled cyber security either from an insurance or risk mitigation standpoint that is working with an IT provider approach this? Is it one before the other? Is it both simultaneously? What do you see out there in the marketplace?
AG: That’s a good question. It’s interesting. You talk to people that run businesses — whether it’s a small business owner or a mid-sized company that’s got a controller or chief financial officer — every business is watching the bottom line and focused on controlling costs. Unfortunately, a lot of the time, cyber security and certainly insurance in various forms are overlooked, and it’s also almost on purpose, and they say they have enough insurance. I would say that, first and foremost, a company that works with an IT vendor needs to embrace that relationship and treat [the vendor] as a regular partner to their team. It needs to say, “Let’s meet on a regular basis and make sure that you understand what we’re doing and who we’re doing business with and how our networks are protected. Do we have the latest malware protection? Are we encrypting where we need to be encrypting?” I guarantee that if you sit down with a lot of these small to mid-sized businesses, a lot of them will give you a pretty vague answer when you ask them if their standards are up to date. I’m sure you see this when you bring on new clients. Most companies are not where they should be. And once you have that addressed, then you superimpose the insurance as a backstop.
MO: It’s interesting, because I think one of the things that’s very clear to me is it’s a problem with education about what the risks are so that a business owner can quantify those things. Ultimately, there’s the fear that something might happen, the idea that that might cost five figures or six figures, or, in some cases, more, but there’s really no way to quantify that in a way that gets to the point where they can say, “OK, well that is worth X to me.” But I think what you mentioned is to really start these discussions with your IT provider, with companies like us, because until you start those conversations, everybody is in the dark. We’re not here to just sell a service to our clients. We’re here to educate and inform them about how [a service] is useful and the value you get for that service. I’m sure it’s very similar in the insurance world as well. It’s less about selling something than it is about educating people and bringing them along on that journey of understanding the risks.
AG: Yeah, no question. The only way to quantify that is to hang your hat, so to speak, on statistics. First of all, in the state of Massachusetts, any company that has one record that has potentially been breached has to notify the state. As soon as you do that, there are costs that you incur as far as investigation and notification. And if you compare the costs between spending money with an IT service firm that makes sure everything is up to date and spends time with your employees to educate them on finding phishing emails — you’d be surprised at how often employees click right through them and infect networks — and cybersecurity fees and insurance costs with the costs of a cyber breach, then I think it’s a no-brainer. The cost comparison between the two makes it easy to make a decision.
AF: In your experience, either historically or where we’re at in present days, are there any industries that are more prevalent for an attack like this? I know for at least ourselves, but even in the Greater Boston IT community, there are definitely areas where [companies] feel like, “Hey, we’re not at risk. We’re not doing something that is going to be heavily trafficked or trying to be stolen.” Are you seeing similar things, or is it across the board these days?
AG: Looking at it from two different perspectives, the general statistics suggest that close to 60% of data breaches are targeted toward small businesses. So, small businesses are a target because they are perceived as not as well-funded for cyber security, and it may be easier to gain access to their networks. From an actual sector standpoint, healthcare has been one of the bigger areas that’s been affected. Any type of organization that’s involved in a financial transaction; law firms and accounting firms are two very big areas that are targets of social engineering attacks. We’ve seen several times with our clients where a third party has found a way to hack an email address and redirect funds that are supposed to be going to or from a bank or from a bank to a law firm or a third-party client. So, those are definitely two sectors that are big targets.
MO: It’s interesting that you say law firms, financial firms, and these people that are moving money. But at the same time, you’re also saying that anybody that makes transactions. But that’s the fact in small business. What we’ve found ourselves in, even as a small IT firm, is that we’re doing these transactions on a pretty regular basis. Whether or not it’s to pay a vendor using wire funds and that kind of stuff, there’s always the potential for these things to be hacked, if an email gets hacked into and its details are changed. So, in some ways, it does make sense that there are some areas that are more highly targeted. But I think what we’ve found as well is that just because your firm isn’t in one of those things doesn’t mean that you won’t be a target. [Cybercriminals are] basically looking for anyone that may be complacent or hasn’t put in the effort to educate and train users. And effectively, that bookkeeper or controller that’s part of that thread of money moving around in a business is the target, regardless of what your industry is.
AG: Yeah, absolutely. I’ve heard some cyber security professionals say in the past that if you think about the industry as a hacker, there’s not just a person sitting there during the work day that’s trying to hack into your system. [Cyberattacks] are constant, 24 hours a day, seven days a week, every day of the year, and they’re all-day-long automated processes. There are networks out there just searching and searching for weaknesses. So, yeah, it is anyone, and once [hackers] find a weakness in a network, they’re going to explore it, and they’re going to dig in there and see what they can find.
MO: As you mentioned, insurance is sort of a game of statistics. I recently was looking into some research about family offices; these are offices that are managing quite a large amount of wealth. There was a 2019 report from UBS and Camden Wealth that included a survey of 300 family offices. They said, “When those studied here were asked whether or not they had suffered a cybersecurity attack, 20% said yes, 72% said no, and 8.5% were unsure.” Which, [unsure to me] means a yes. If you don’t really know if you were hacked or not, then you probably were. But they basically surmised that the actual number of family offices successfully hit by a cyberattack is 30%. Because, really, if you look at the answers and knowledge that the people have, and the anticipation that some people will have been hacked but really don’t know it yet — there’s someone sitting on a network and waiting for a transaction to go through and trying to get that big $50,000 or $100,000 wire transfer to the wrong place — that’s a pretty big number.
AG: I’ve seen statistics that generally show that, when asked, business owners will say that they were aware that they have potentially been hacked, and the rest didn’t actually realize that they had been hacked because they didn’t know it yet. There’s a very high percentage of businesses that have third parties with access to their networks that haven’t actually done anything yet, but the risk is there for the future.
AF: So tying everything together, using your analogies in regards to cyber security and insurance, we want to make sure we have at least the baseline, that we have the sprinkler systems, and that we have the fire extinguishers. In your experience, is there something that small business owners, or people who are looking into a cybersecurity insurance option and may not have an IT firm like TSP assisting them, that they want to have before starting the process?
AG: Having your virus and malware solution updated on a regular basis — there’s a reason why they do those updates. New threats emerge every single day, and software providers are constantly updating their products to address them. So, that’s number one, and that’s not difficult to do from anyone’s standpoint. The second thing is that if you don’t have a professional sit-down with your employees to talk about these things, do some of your own research so you can tell your employees, “Look, if you get emails from somebody you’re not sure of, then don’t click on things.” Even in the last six months, I’m very surprised at how often I get emails that seem to be from someone I work with. But when I look at the email address, the email is from a different Gmail or AOL email account. Or, the email will say it comes from John Doe’s mobile phone, but when I look at the email, it’s not. So, update your virus or malware software, and make sure that your employees are using their heads when they’re opening emails and working on your network.
MO: For the companies that have an IT provider, do you see them taking additional actions like testing their staff on phishing emails or white hat hacking campaigns where you’re creating a phishing email and sending it out to your staff to find out who clicks on it? Is that something that you see out there? And from an insurance standpoint, what does that mean to you?
AG: Typically, I would say that I don’t see in-house IT professionals testing employees. I’ve worked for publicly held insurance companies in the past where it was the complete opposite and you have to go in two to three times a year for online education for identifying these threats, and there are quizzes at the end, and you have to get to a certain grade. But I have not seen that in privately held smaller companies that are managed by an IT person or department.
MO: In terms of what makes these things real, I think there is this general sense from a lot of business owners and business stakeholders that this is an unknown threat that might happen. Do you see actual claims coming across your desk for cyber security breaches?
AG: We do. Some of the times, we’ll get a notification from the client that says that they’re not sure but they think they might have had a breach. But beyond that, we’ve got three active, ongoing claims for cyber security. And two of them are both social engineering-related. We’ve definitely seen an uptick in social engineering. It just seems that it’s easier and easier for hackers to insert themselves into an email chain and get control of an email account. So, it’s very real, and we see it all the time. I get [malicious emails] personally in my email inbox quite often. We keep a repository of these emails, and we try to let our clients know that these are the emails that we’re receiving, and you may be receiving them. There’s no question that there’s a lot of activity, and it’s ticking up. Let’s put it this way — it’s doubled since last year in terms of the number of reported incidents and related costs.
AF: I know, at least from our view, from what we see and what we talk about on the Grepcast, we frequently see larger and larger scale incidents. This causes me to think if we’re only hearing about large instances like Baltimore being completely shut down because of ransomware, there are dozens and dozens of cases involving small and medium-sized businesses that we just don’t hear about. Sometimes, the knee-jerk reaction — just in the case of ransomware — is to just pay it and get going, because maybe [businesses] don’t have the robust backup system and cybersecurity protections that they would need in this case. And, unfortunately, it’s just biting the bullet.
AG: Yeah, there’s no question. Hackers are showing some actual business acumen in the instances where they’re making the amount payable. They’re not saying they want $1 million or $2 million; in some cases, they’re saying they want $10,000 or $25,000. They realize that the company, based on what they know about it, will pay the ransom. And it’s almost like a legitimate business transaction. The business pays the ransom, their data is released, and it goes back to doing business. And you’re right, in a lot of those instances, no one ever hears about them. No one really knows the logistics around those because of embarrassment.