To Insure or Not To Insure
It wasn’t too long ago that Colonial Pipeline and JBS weren’t household names. If you only recently discovered who they are, it’s likely their notoriety came as a result of their much-publicized ransomware attacks.
For Colonial Pipeline, which controls approximately 45% of the fuel in the eastern United States, the cyberattack led to panic buying and fuel shortages. JBS, on the other hand, is one of four major food processing companies in the United States and is considered the largest meat packing company in the world. A consequence of the ransomware hack was a forced shutdown of several JBS operations in the U.S., Canada, and Australia, which triggered a rise in meat prices. Colonial and JBS made $4.4M and $11M in ransom payments, respectively.
In Oldsmar, Florida, a water treatment plant fell victim to hackers attempting to increase the amount of sodium hydroxide to toxic levels in the city’s water supply. Luckily, a plant manager noticed something suspicious and was able to take action before any harm could be done.
These are a few of the many cyber incidents that have taken place since 2021, but the extent of cybercrime is not limited to the examples listed above. Cybercrimes range from malware to denial-of-service to man-in-the-middle and more. Though ransomware gets the headlines, there is one type of attack that has had a broader impact.
Phishing has accounted for more than 80% of cybersecurity incidents. Per the Federal Trade Commission, phishing is the sending of emails or texts pretending to be sent from reputable companies in order to trick receivers into providing personal information such as passwords and credit card numbers. These emails have served as the vehicles for infecting computers with malware, which comes in the form of viruses, spyware, adware, and ransomware.
So can any of this be prevented?
There are a number of checklists you can find on the internet that will detail preventative measures you can implement to protect your company. A well-developed and communicated cyber and computer policy is now essential as many companies remain in remote or hybrid work environments. Regardless, such planning may lessen the likelihood of an attack, but it doesn’t necessarily prevent an attack. Experts are seemingly uniform in their opinion that it isn’t a matter of if but when a company will be the victim of a cybercrime. If that is the expectation, in the event your business is victimized, it’s best to have a comprehensive cyber insurance policy in place.
Let’s first identify what exactly cyber insurance is.
In insurance jargon, cyber insurance, also called cyber liability insurance, provides coverage for losses as a result of data breaches. In layperson’s terms, it helps your business recover from computer-related crimes and losses. Essentially, if you have an online component to your business or if you store employee and/or client data, cyber insurance should be part of a conversation that you have with your insurance agent. There are two sections to cyber insurance: first party and third party. First party is coverage of losses and damages to the company directly from the cybercrime. Third-party cyber liability insurance provides liability coverage for businesses that are responsible for a client’s online security (i.e. coverage for the expenses associated with suits filed by your clients against you as a result of damage from the cybercrime).
As with anything, there will be arguments for and against cyber insurance.
Let’s start with those against.
Simply put, cyber insurance doesn’t cover everything.
Cyber insurance doesn’t repair trust or reputation, both of which are rather difficult to regain. Currently, some insurers will reimburse insureds in the event that ransoms are paid. Unfortunately, there is a growing movement to prohibit victims from paying ransoms as well as forbidding insurers from reimbursing insureds for ransom payments. The thought process—and it does have a measure of truth—is that paying ransoms will only embolden hackers and perpetuate the cycle of cybercrime. Companies held hostage by ransomware find themselves in a desperate position of protecting their livelihood in addition to the livelihoods of those they employ, not to mention the business they’ve built and the customers they’ve acquired. Lastly, qualifying for certain cyber policies means having a cybersecurity plan in place, which in many instances you will need to maintain if you want to avoid losing the policy. This could potentially translate into an additional, recurring expense. In summation, cybersecurity insurance isn’t a replacement for an effective and evolving data protection plan.
The case for why you need it?
“Many companies don’t have robust IT departments or the funds to spend on legally mandated notifications and the needed vendors, such as forensic analysis or public relations experts,” explains Crystal Romero-Sherman, Executive Vice President at Century Risk Advisors. “An insurance policy can absorb these costs and help your company recover after a cyber incident.”
Essentially, recovering from a cybercrime can be expensive.
According to a 2019 Accenture study, the average cost of a malware attack on a company is $2.6M. Fundera, an online marketplace that connects small businesses with a number of online lenders in its partner network, conducted a study that revealed 43% of cyberattacks target small businesses. As a consequence, a reported 60% of small businesses close as a result of a cyberattack. Contributing to the issue is that, per the Fundera study, 91% of small businesses do not carry cyber insurance. This is an extremely risky approach considering small and medium businesses (SMBs) have seen attacks increase by more than 20% since 2016, according to the Ponemon Institute study, Global State of Cybersecurity in Small and Medium-Sized Businesses. The opinion that only large firms are vulnerable or targets of such attacks isn’t entirely true.
So do you need cyber insurance?
The frequency, if not severity, of such cyberattacks has continued to rise and there does not seem to be an end in sight. In May, President Joe Biden signed an Executive Order with the aim of improving cybersecurity and preventing cybercrime threats. But the impact of such an order, if any, isn’t likely to be felt overnight, let alone within a reasonably accepted amount of time. Since the Executive Order was signed, JBS was attacked and approximately 200 businesses were struck by a separate ransomware attack on Florida-based IT firm Kaseya.
“We are seeing insurers enhance their underwriting processes,” explains Romero-Sherman. “Underwriters are contacting us months in advance to have short questionnaires completed to determine if they will be able to offer renewal. This is even before the application is completed.”
Regardless, having a cyber liability insurance policy has quickly become an integral part of a business. According to Fitch, the number of cyber insurance premiums that were written rose 22% in 2020, triggered by the rising number of cyber-related incidents dating to long before the pandemic.
“While premiums are increasing, Cyber Liability remains relatively inexpensive and likely one of the least costly insurances in the overall budget,” adds Romero-Sherman. “The coverage it provides could mean the difference between weathering a cyberattack and going under because of one.”
A twist to the previous question would be: Should you have cyber insurance?
Home and car owners are required to carry home and auto insurance, both of which are legally required unless, in the case of your home, you don’t have a mortgage. But having insurance isn’t just to protect what is valued, but to have the ability to replace what is lost. This is the suggested view a business should take with regard to a go or no-go decision on cyber liability insurance. Ultimately, cyber insurance cannot prevent an attack any more than a homeowner’s policy can prevent a hurricane strike.
“We speak with clients about cyber exposures daily,” says Romero-Sherman. “While the insurance is part of the plan, it cannot be the only method of defense. Having a Cyber Preparedness plan is critical.”
For more information contact:
Crystal Romero-Sherman, Executive Vice President, Century Risk Advisors