
What Businesses Need to Know About Preventing a Cyber-Attack

It’s imperative that insurance brokers do our part to raise awareness about the importance of cybersecurity for individuals and businesses. Cyber insurance is a component of a healthy cybersecurity strategy, yet many businesses, both small and large, continue to operate without proper coverage. I recently sat down with Travis Whitmill, Vice President of Evolve, a nationally recognized cybersecurity insurance specialist, to discuss everything cyber insurance. Evolve was named “Advisen Cyber MGA of the Year” in 2020 and 2021.

1. Cyber insurance is still foreign to many businesses. How would you describe it in 30 seconds to a business owner?

Cyber insurance provides coverage for a wide variety of businesses that fall victim to a cyber-attack. Examples of these types of attacks are ransomware, wire transfer fraud, data breaches and bricking. These types of events have become more frequent over the last few years with statistics showing there is no sign of slowing down. Cybersecurity Ventures has predicted that globally businesses in 2021 will fall victim to a ransomware attack every 11 seconds.

Source: https://cybersecurityventures.com/cybersecurity-market-report/#:~:text=Cybersecurity%20Ventures%20expects%20that%20businesses,every%2040%20seconds%20in%202016.

2. Why should every business, regardless of their size, carry cyber insurance?

In 2020, the FBI Internet Crimes Report gathered that an estimated $4.2 billion in losses stemming from cyber-attacks took place in the United States. At Evolve, we have seen a significant increase in the frequency and severity of these attacks. Common misconceptions are that small businesses do not have a cyber exposure or that hackers do not target small businesses. We hear the pushback of, “our business does not collect sensitive data” all the time. The harsh reality is that the majority of the cyber losses Evolve sees stem from first-party-related issues, typically in the form of ransomware and social engineering (wire transfer fraud), which are both caused by human error. According to Coveware, in 2020, 55% of ransomware attacks impacted enterprises with less than 100 employees. Also, many businesses do not consider the fallout of a cyber event and how it can impact their reputation and income. Another statistic from Coveware shows that ransomware downtime costs organizations more than $64,000, on average.

Sources:
https://www.coveware.com/blog/q2-2020-ransomware-marketplace-report#1
https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
https://www.coveware.com/blog/2019/4/15/ransom-amounts-rise-90-in-q1-as-ryuk-ransomware-increases

3. Cyber insurance has dramatically evolved (no pun intended) over the past 10 years. How do you see the industry changing over the next few years and how can business owners protect themselves?

The cyber market has dramatically changed over the last year and a half, and with that, we have seen increased underwriting requirements, coverage restrictions, rate increases, new minimum-security requirements and more. Although the market is changing, cyber insurance products offer more than just traditional insurance. More often than not, cyber markets are offering cyber security risk management resources, continuous vulnerability scans, dark web monitoring, and other risk management resources designed to help prevent a cyber-attack from taking place. In a lot of cases, these resources will come free in addition to the policy.

Some of the largest cyber insurers in the world have started mandating controls (MFA/backups) to be in place or they will not consider writing the insurance for that business. Furthermore, cyber markets are beginning to sublimit extortion coverage (ransomware), or request participation from the insured in the form of coinsurance. The burden is now on the business owner to clean up their cyber hygiene and meet the minimum control standards of these cyber insurers. If a business owner is not taking proactive steps to better their cyber security, chances are they will not be able to attain competitive cyber insurance.

4. How has the pandemic changed the threats that many small and medium-sized businesses face?

At the start of the pandemic, we experienced a significant shift in the way that we conducted business with remote working. Because of this sudden change, many businesses were not properly set up to facilitate remote working. Employees were accessing their company’s network remotely, using personal computers, and hackers took advantage of these vulnerabilities. Implementing multi-factor authentication for any remote access to the network is one of the controls Evolve, among other cyber markets, is looking for when reviewing a risk. The remote working activity is likely here to stay, so business owners must realize this adds another level of complexity to the overall cyber hygiene of the firm.

5. What are a few things that most businesses can do today (besides carry insurance) to help protect themselves from a cyber breach threat?

There are three steps that a business owner can take to help protect themselves from experiencing a cyber-attack:

Determine your vulnerabilities. Whether this be conducting a penetration test on your network, running a vulnerability scan on your website/online presence, or hiring a cyber security consultant, business owners should tap into resources to get an idea as to what their current exposure looks like.

Implement basic controls immediately. Multi-factor authentication and offline daily backups are two controls that every cyber underwriter is looking for when reviewing an application. The FBI Internet Crimes Report shows that $1.8 billion in estimated losses stemmed from business email compromise in 2020. This is where a hacker steals the login credentials of your business email and logs in. Multi-factor authentication can help avoid those types of issues.

Train your staff. Human error is a leading cause of cyber-attacks that take place on commercial entities. Whether an employee clicks on a hyperlink or wires money to a fraudulent third-party bank account, training your staff on current cyber trends is a great way to make sure your team is aware of these issues. Risk management vendors like KnowBe4, Cyber Risk Aware, and Ninjio can help a business owner stay on top of cyber trainings for their staff. The goal is to build a “human firewall.”

Source: https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf

6. If there is one item that you hope any business owner can take from this interview, what would it be?

The ball is in their court. Days where a business owner could qualify for good cyber insurance and sign on the dotted line of a policy with no cyber security controls in place are behind us. Cyber insurers have experienced tremendous losses over the last few years and now the onus is on the business owner to have these controls in place.

We hope this Q&A provided you with additional context and guidance as you explore your options for cyber insurance. At Univest Insurance, we have access to the nation’s top cyber insurance carriers and a team with experience crafting insurance solutions to fit the specific needs and risk appetite of each business. Contact one of our Business Risk Consultants at 800-220-3077 or insurance@univest.net.

Insurance products offered through Univest Insurance, Inc. are obligations of the issuing insurance companies, not obligations or deposits of or guaranteed by any bank and are not insured by the FDIC or any other agency of the United States.