Companies whose cyber liability insurance plans are up for renewal may be faced with some big IT challenges: Make your operations more secure or don’t be renewed.
“I am seeing a definite trend from business customers. They are being held accountable by their insurance carriers to make meaningful improvement to their cybersecurity,” said Michael Senkbeil, partner with Chortek LLP. “The insurance carriers are insisting multi-factor authentication must be used everywhere.”
Multi-factor authentication can make systems, email accounts and websites more secure against outside threats. And with cyberattacks increasing in frequency as well as severity, security is on the minds of many business owners, said Jason Navarro, director of cyber crime insurance and risk management for R&R Insurance Services.
(Photo: Jason Navarro)
“It’s all about the ransoms. They are incredibly lucrative, and people will pay to get their businesses back,” he said.
Navarro said to make no mistake about it: Cyber criminals operate like businesspeople. For them, attacking a company is a business transaction, he said.
“You have to be prepared for this, you have to train … as a business owner, you as an individual, this impacts all of us. You have to be prepared for cyber risks like any other known exposure in life,” Navarro said.
Navarro said R&R Insurance established its cyber crime insurance division about five years ago and it remains one of only a few insurance companies in Wisconsin with a dedicated cyber division.
When the division was started, it was “an evolving segment of claims for the business customers that we were representing,” Navarro said. The intent was to protect existing R&R Insurance customers while trying to attract new ones. In the past few years, the demand for cyber security insurance has grown substantially, Navarro said.
Navarro compared responding to a cyberattack on a business to seeing a specialty physician. He said that an IT employee is like a primary care doctor, but when something more severe happens, such as a heart attack, you go to a specialist. The same is true of a cyberattack, he said, explaining that insurance companies help their policyholders bring in specialists to deal with the attack because of the severity and urgency of the issue.
(Photo: Kevin Bong)
Having insurance will pay for the costs to react and recover, said Kevin Bong, a director on Sikich LLP’s cybersecurity team. The insurance carrier will provide a lot of resources, such as a breach coach who will help a company understand what the next steps are and how to manage the breach. Legal counsel may also be used so a company can understand its legal exposure and how it must notify others.
“An insurance policy allows you to do it thoroughly and do it right,” Bong said.
As Senkbeil puts it, “The bad guys only need to be right one time; the good guys have to be right all of the time.”
Often a company can be crippled by a cyber criminal who forces it to shut down until they pay a ransom, commonly in the form of cryptocurrency.
“An attacker will break into a 30-employee manufacturer, and they are using very sophisticated tools and techniques against these little manufacturers. It can feel like you are overwhelmed because the attackers are using these sophisticated techniques and (the company doesn’t) even have a full-time IT person,” Bong said.
With the drop in Bitcoin values, cyber criminals are left with a choice: Increase the amount of the ransom or increase the frequency of the attacks.
Bong, who leads Sikich’s forensics response team and works with insurance companies to respond to incidents, said no one is immune. In fact, he said small manufacturers are a significant target because they typically have not invested as much in protecting their network, but should a cybercriminal get hold of it, the company may have to pay $100,000 or more to be back up and running within a few days.
Ransoms may be willingly paid, he said, because the attackers have encrypted the company’s data, so it needs to buy the password to get its data back. Or, before the criminals encrypted the data, they also stole it. In the case of stealing, they may put a small portion of it on a “shaming website,” Bong said, and will threaten to post more if the ransom isn’t paid. Having a system backup also doesn’t guarantee you are out of danger, Bong said, explaining that attackers can even access and then destroy the backup.
(Photo: Michael Senkbeil)
However, “the scourge of ransomware seems to be diminishing because of preventative measures,” Senkbeil said.
The trend is now moving toward phishing, which lets the attacker into the system to do more lateral movement and dig through the company’s systems.
The FBI defines ransomware as malicious software that prevents users from accessing their computer files, systems or networks and then demands a ransom payment for their return. Phishing, on the other hand, involves “spoofing techniques to lure you in and get you to take the bait,” according to the FBI. Criminals conduct phishing scams to get information from their target.
Recently, there have been more cases where people’s emails were taken over by a criminal who tricks a person into making a money transfer to the wrong account, Bong said. For example, they will get into an email account and contact a customer to say they need to pay a bill and provide a “new” bank account to send the money.
Before a loss can occur, Navarro says, R&R Insurance will assist with pre-loss mitigation so that if a loss should occur, the impact is lower. Companies of all sizes need cyber insurance, Navarro said. Realistically, that means every business that has network access or holds information on customers, employees, products and vendors.
Navarro said it’s important to take into consideration what you would do if an attacker forced you to shut down your business. “All the work you have done to grow your business, and you have your business crippled likely by a foreign entity who is trying to scam you and shut you down,” Navarro said.
The cost of cyber insurance varies with the business and how many records it keeps. For smaller companies, the annual premium can range from $2,000 to $5,000, and it can reach hundreds of thousands of dollars per year for a large company, Navarro said.
However, requiring a company to implement multi-factor authentication and other measures to shore up its technology isn’t always an easy sell.
“The concern is that the cost of being cyber prepared is going to be high, and they are concerned that they will lose efficiency and productivity,” Senkbeil said. “I have found that in the last several years, business owners know that the risks are serious and need to do more. I have been pleasantly surprised that they have been more receptive in most recent years.”
Chortek has served as an outsourced IT department for many companies and encourages its clients to be patient with employees who may need a little more time to work with multi-factor authentication installed.
In the future, Senkbeil wants to see companies that have implemented robust protective measures get a better rate from insurance companies.
“I think they deserve to have lower premiums. I think it’s coming,” he said.