Increased access to the technical tools needed to launch cyber attacks, minimal risk of apprehension and lucrative payouts have created a perverse incentive for criminals to embrace crimes that are cyber-enabled or cyber-dependent.
The nature of cyber crimes, the motivation behind them, the targets and the actors are all evolving. The cyber underworld, once dominated by mischievous computer experts, is now attracting financial criminals, hacktivist groups driven by distinct agendas and nation-states—all of which are targeting organizations of all types, small and large alike. The motivation for hacking has gone from exposing a target’s weaknesses to exposing or stealing sensitive data and disrupting critical business processes.
At significant cost to corporations and their customers, criminals are netting millions of dollars trading personally identifiable information stolen via data breaches or hacking into corporate networks. Recent industries or sectors that have seen the greatest increase in exposure and claims include healthcare, financial institutions, retail, IT service firms, social media, payroll processors and government agencies.
Four common but dangerous cyberattacks face every type of business—including insurance agents and brokers. Here are real-life examples of how the right risk management solution can provide you and your clients with the critical financial protection needed.
1. Breach exposure
Issue: A major source of cyber loss continues to arise from unauthorized corporate network breaches.
Example: Exploiting a then-unknown gap in an insured’s IT network, cyber criminals gained access to sensitive customer data that constituted personally identifiable information (PII) and personal health information (PHI). The potential breach required that about 18,000 customers spread across 22 states (all requiring specific notice parameters) be notified and have their credit monitored.
Solution: Because this client had the proper risk management plan in place, the crisis management team was able to quickly notify affected customers and provide credit monitoring services for a year. Also, because the risk management plan included cyber/privacy cover, the cost of notification and credit monitoring—totaling $255,000—was covered after the policy retention was met.
Companies need to first assess their vulnerabilities and then look into evaluating the right cyber and privacy liability plan based upon the results of those assessments. Cyber liability is associated with electronic systems, the Internet, network access and the network security systems of an organization. Privacy liability is associated with privacy issues, specifically the unauthorized dissemination of information or lack of protection for or release of PII such as credit card information and Social Security numbers.
Nearly every organization is exposed to cyber and privacy liability, but especially one that does business online, accepts credit card payments, manages a network, or possesses any form of PII relating to clients or employees. Short-term cyber or privacy crisis solutions include coverage for notification expenses, credit monitoring and crisis management. Long-term cyber or privacy crisis solutions include coverage for defense and damages along with business revenue protection.
2. Hacking Event
Issue: Hardly a week goes by without news of organized criminals accessing systems to inflict financial or reputational damage—or both—on organizations.
Example: A Midwest furniture chain’s computer systems were attacked by “Backoff” malware, a virus that targets point-of-sale systems used throughout the retail industry. The furniture chain had to suspend operations for four days at five major store locations. Approximately 96 hours was spent on the data recovery efforts, costing the company $19,200. Meanwhile the business lost as a result of the partial shutdown of the store locations totaled $216,000.
Solution: As a result of securing the right coverage, the furniture company’s expenses, including business interruption, were covered in full, subject to the policy terms and conditions.
Businesses should review their existing polices with their agents and brokers to make sure they have best-in-class cyber coverage for hacking events. The cyber policy should include coverage for:
- business Interruption
- loss of income,
- data restoration
- brand/reputational management,
- defense and
In addition, be sure you understand the clauses relating to coverage for forensic investigation and legal review in your cyber policy.
3. Social Engineering Exposures
Issue: Increasingly, social-engineering techniques are used to induce employees to break normal security procedures, leading to a dramatic rise in cyber security incidents and resulting financial losses. Social engineering is a non-technical method of intrusion used by hackers that relies on human mistakes. In many instances, it involves tricking people into breaking normal security procedures, typically using innocuous subject lines from contacts or company-generated emails.
Example: A scammer pretending to be the CEO of a financial services company emailed the firm’s director of treasury in an attempt to induce the transfer of money due to an emergency “transactional need.” The scam email claimed the funds were needed to complete an acquisition.
Solution: Fortunately for the company, a funds-transfer protocol was in place and the CEO was alerted, preventing a potentially costly fraud.
For this type of threat, it’s important to implement pre-and-post cyber incident best practices, and communicate cyber risk updates to employees in every area of your company, continually.
According to a recent cyber risk survey, 48% of large companies and 32% of companies of all sizes have experienced 25 or more social engineering attacks in the past two years. And 30% of all victims of social engineering cite an average per-incident cost of more than $100,000 to locate, remediate and protect against further losses from a successful social engineering attack.
Work with your agent or brokerage firm to ensure that your cyber policy contemplates Social Engineering attacks, including phishing and unauthorized electronic transfers, for example. In addition, educating your employees is a firm’s single best defense from a social engineering cyber attack. Ask your agent or broker about cyber webinars, training sessions and updates that can make your employees aware of the latest social engineering exposures seeking to trip them up.
4. Cyber Extortion Risk
Issue: Cyber extortion, which involves a demand for money to avoid a cyber attack or release of confidential information, is on the rise. Although cyber breach and hacking are still the most common types of risks impacting companies today, cyber extortion is the fastest growing cyber threat. Organizations that have fallen victim to cyber extortion include Domino’s, Nokia and Code Spaces, many universities, and several police departments across the country. As a result, companies and organizations are paying out millions of dollars to cybercriminals for the safe recovery of stolen data or to avoid network harm.
Example: A manufacturing firm received an email stating that the functionality of its system was about to be compromised and unless $250,000 was sent to a particular email address/contact drop in one week, major parts of the firm’s network would be destroyed, including proprietary data.
Solution: Fortunately for the company, a strong cyber and privacy liability program was in place, and the cost of the ransom was covered. It’s critical to communicate cyber risk updates to employees in every aspect of the firm, however, so attacks such as this one are brought to the attention of management as soon as possible.
It’s no longer a matter of “if” but a question of “when” a company will be attacked. Therefore, understanding the true breadth of cyber threats and securing risk management solutions that backstop your company’s IT and other departments’ risks can provide critical financial protection from a cyber threat that is very real and growing. Your agent and broker can help you from risk assessment, to risk management, assuring the correct coverage for your organization and ensuring that you have the tools to effectively manage a cyber incident in case one occurs.
Source: Property Casualty 360