Many of you reading this have been affected by cybercrime either personally, or professionally. The days are gone when The Nigerian Prince would contact you for help. As business owners and consumers, we are faced with much more challenging things like wire transfer fraud, cyber extortion and social engineering.
As an insurance professional who consults with clients about different methods to transfer their companies’ risk with insurance products, I have seen a steep increase in interest and confusion on what Cyber Liability Insurance is and what value it may bring to a business. This article is intended to shine light upon and dispel some confusion on Cyber Liability.
A cyber breach in today’s business is devastating. It can completely shut down the business operations and be publicly embarrassing.
Much like an earthquake policy, Cyber Liability is there for a devastating loss. The insurance isn’t going to prevent a cyberattack. Resources from insurance carriers are reactive not proactive. When working with clients, my first suggestion is to have the best offense possible and use a Cyber Liability Policy as part of their overall Cyber Security Program. Mitigation is crucial to properly protect a business’ exposure and I highly recommend working with a third-party cyber security firm to help mitigate that risk.
This is becoming the number one cybercrime. Criminals use people’s emotions and perceived authority to bypass security controls. A typical claim would look like: a person in the accounts payable department receives an email from their “CFO” informing them that a longtime vendor has new wiring instructions. They accept and send out payment using the new instructions. They later get a call from that vendor saying their bill is overdue. That email from their “CFO” was a criminal and they have just become a statistic. In the world of insurance Social Engineering is confusing. Depending on the carrier they have different strategies to cover this cause of loss.
Trojan, Ransonware, and Cyber Extortion are another favorite of the cyber criminals. Hackers gain access to a computer or network by embedding malware in an email or security patch. We have all gotten those weird emails that don’t feel right; those are the obvious ones. The not so obvious ones that are clicked allow the criminals access and they take or deny access to the affected company. The hackers then contact the affected company and request payment for the return of control of the information. Payment is typically in the form of digital currency, like Bitcoin. Insurance carriers that insure against this cause of loss will step in and handle the negotiation and payment of the ransom. In fact, Cyber Extortion has become so prevalent that insurance carriers know the tenancies of most hackers and know how to work with them to have the best outcome possible for the client.
Many companies see the cyber threat as a technology problem and have invested heavily in the latest and greatest hardware and software. It has become increasingly apparent that technology investment alone will not keep the criminals at bay. Companies that have incorporated procedures and ongoing employee training score better when their cyber mitigation is tested. Social Engineering and Cyber Extortion preys on people not technology. Criminals know that people can be a weak link and they exploit that weakness.
Good, Better, Best
The insurance industry offers a wide range of Cyber Liability coverages, some better than others. In my market research and working with carriers, I have found that there are generally three buckets that cyber policies fall under.
These policies offer basic coverage with low limits. They are easy to obtain, typically without an application. Coverage is centered on regulatory requirements set by the Federal Government. Cost is low and is seen as a throw in coverage to a business office policy.
Policies under this bucket require a short application. Coverage will start to include losses like cyber extortion and forensic costs. Offered limits are typically higher. They can be a standalone policy or be attached to a package.
Best policies offer the broadest coverage, highest limits and are always a standalone policy. They require an in-depth application that is centered on current cyber mitigation in place by the applicant. The best policies will have coverage for losses like, phishing, social engineering and cyber extortion. As well as provide after loss mitigation like intellectual property rights infringement, defamation and public relations.
Cybercrime is a threat to businesses and is here to stay. The insurance industry is responding and is offering products for businesses to choose from. Insurance is just a portion of a company’s overall cyber security strategy. Mitigation and training are necessary to holistically protect your business from cyber criminals. It is important to discuss coverage and exposure with your trusted insurance advisor, understand your exposure and be very deliberate about how you will manage that risk.
By the way, The Nigerian Prince just emailed and needs some money right away.
Mike Connelly is a licensed business insurance agent and can be reached at Davidson & Associates Insurance, 360-514-9550 or firstname.lastname@example.org.