Texas is an increasingly attractive target for cybercriminals across the globe with its 28 million residents and target-rich environment of energy, technology and hospitality companies.
The state, in fact, suffered the highest number of malware attacks in the U.S. during the first quarter of last year, according to data released in June from security firm Malwarebytes. While that fact may not have been known, it certainly wasn’t lost on the patients of San Antonio women’s medical practices Northeast OB/GYN Associates and the Institute for Women’s Health. They received the startling news in August that hackers may have stolen some of their personal information or credit or debit card data.
The San Antonio obstetrics practices, both under the same parent company, Consultants in Women’s Health, said a so-called keylogger virus was installed on their networks on June 5. The virus was discovered July 6 and the practices took action to remove it “from the majority of all network computers and terminal servers by July 11, 2017, resolving it completely by July 13, 2017,” both said in statements at the time.
It’s a growing problem for big and small companies alike as hackers grow more and more brazen – and skilled at their jobs. It’s particularly challenging for smaller businesses that don’t have a dedicated staff or big enough IT budget to guard against attacks. The increasing threat has given rise to the need for cyber insurance for small companies – a type of protection once reserved for big corporations with significant IT budgets.
“Cyberattacks oftentimes have severe consequences for small businesses, including in many cases precipitating bankruptcy, just due to some of the lack of resources,” said Patrick Thielen, senior vice president of financial lines at Chubb Limited, which offers cyber insurance.
Only about 40 percent of medium- and small-sized companies buy the coverage, according to a report released in November by Argo Group International Holdings, a Bermuda-based underwriter of specialty insurance and re-insurance products.
Employees at both Northeast OB/GYN and the Institute for Women’s Health said in nearly identical emailed statements that their practices had cyber liability insurance in place before the incident, and continue to carry such coverage. While cyber insurance policies differ, they generally cover lost revenue as well as the cost of recovering data from an attack.
“This kind of insurance should be considered as part of any business plan in this day and age,” wrote Nancy Villa, IT director for the Institute.
Both practices also said they had security measures in place, such as “network filtering and security monitoring, firewalls, antivirus software and password protection” prior to the attack, but implemented additional safeguards after the keylogger virus infiltrated their system.
Large companies like Equifax, which suffered a massive data breach that exposed sensitive data on almost half of all U.S. consumers in July, are constantly at risk for cyberattacks.
The WannaCry ransomware attack, which has been blamed on North Korea, took down computers at organizations of all sizes from Russia to Taiwan in May. But smaller companies, especially those in Texas, are increasingly attractive targets for hackers, according to a June report published for the first quarter of 2017 by the security firm Malwarebytes.
Texas consumers and businesses reported losing about $77.1 million to internet criminals in 2016, according to the Federal Bureau of Investigation’s annual Internet Crime Complaint Center report released earlier in 2017. More than $4.5 million was lost that year in the state just to corporate data breaches, according to that report.
“Texas is a primary hotbed for malware activity,” Malwarebytes warns, with its combination of a large population, highly targeted industries and sheer number of malware incidents.
Argo Group, which surveyed 200 organizations in the U.S. and U.K. in September, found that a little more than 60 percent of the small- and medium-sized organizations experienced some kind of cyber incident in the last 12 months.
While a large company may be seen as “more of a target for the hacking community,” due to the large amounts of data they collect, it doesn’t mean small businesses are safe from cyber criminals, said Simon White, senior vice president of cyber for Argo Group, which offers the coverage.
“A lot of these hackers want to potentially get to the larger insureds via infiltrating a smaller business,” White said. “So for example, a vendor’s got a relationship with a large national entity, and the hackers think: Well, we can actually utilize the lack of security on the smaller firm side to get to the larger.”
To further complicate the issue, small businesses aren’t investing as many resources to secure their business against attacks, White said.
Brett Piatt, CEO of San Antonio data security firm Jungle Disk, said that can make it difficult for small businesses to qualify for cyber insurance.
“It’s really complicated to go through the underwriting process right now to fill out an application. And then when you fill out an application, a lot of them get rejected because they’re not doing the technical things that they need to be doing in order to be able to be insurable,” Piatt said.
When small businesses try to start the process to get cyber insurance, they are sent a questionnaire anywhere from 10 to 25 pages long in which they are expected to explain their “IT processes, controls and systems,” Piatt said.
“Small businesses don’t have answers to all of these questions,” Piatt said. “And if they go through and get a consultant to come in and help them answer all of these, then they basically end up with a risk profile where the insurer basically says: I can’t underwrite insurance for you until you go do all of these things you’re not doing.”
He used an analogy of running a restaurant and having slippery floors because they are covered with castor oil.
“Your general liability insurance person is going to be like, you need to clean that up or I’m not going to insure you for slip and fall. And a lot of small businesses are running their IT in that way,” Piatt said.
Andrew Kellett, an analyst at digital research and consulting firm Ovum, said small businesses increasingly need cyber insurance to protect themselves from both financial and regulatory damages.
“I think it’s still reasonably early days, especially when you’re looking at the smaller end of the marketplace, because those sorts of organizations are probably just starting to look at the costs and the budget issues that would be involved in doing something like that,” Kellett said. “In terms of do they need to do it, yes they probably do need to do it for a number of reasons, for their protection when things go wrong, for the regulatory issues that probably will start to push back.”