The U.S. government is working with the private sector to bolster the country’s cybersecurity, the White House recently announced. During a meeting on Aug. 25, President Joe Biden called on companies to “raise the bar on cybersecurity” and outlined a number of initiatives to address the growing threat of cybercrime, including plans for the National Institute of Standards and Technology to work with industry partners on new cybersecurity guidelines.
The news came just months after a May ransomware attack temporarily shut down the Colonial Pipeline, one of the largest fuel pipelines in North America, causing gas shortages and consumer panic-buying across the U.S. and resulting in increased gas prices across Canada. This and other recent cyberattacks threatening North American infrastructure make cybersecurity a fitting government and business priority, said Matthew Lefchik, Director, Cyber Risk Management, Node International, Detroit/Farmington Hills, Michigan.
“The Colonial Pipeline attack was so significant because it really disrupted consumers,” he said. “The government is seeing these recent attacks impacting the supply chain and getting involved not only because of the impact on consumers, but also there is relevance to who these bad actors are, and we do not want to be paying them.”
Insurance carriers have also joined the U.S. government’s plans to combat cybercrime, with one provider saying policyholders will need to meet certain cybersecurity standards to access Cyber & Privacy Liability Insurance coverage, and another committing to make cyber risk assessments and monitoring free for any organization, the White House noted in its announcement.
Even before the U.S. government’s actions, however, the market for Cyber & Privacy Liability Insurance has reflected a similar push for companies to be more proactive about digital security, said Allison Arnold, Broker, Professional Liability, Burns & Wilcox, Indianapolis, Indiana.
“One thing I am really noticing in the cyber marketplace right now is that trend toward risk management,” Arnold said. “Although business owners are much more aware of cyber risk, due to the rise in ransomware attacks, rates have gone up and there is tighter underwriting for insurance. They may not realize they need risk management tools in place so they can be insurable.”
Cyber & Privacy Liability Insurance applications have ‘truly been revamped’
Cyberattacks have been on the rise in both the U.S. and Canada; an April 29 report by CTV News estimated that ransomware demands increased over 80% worldwide in 2020. Recent ransomware attacks have targeted municipalities, The Washington Post reported on Sept. 7, and other targets have included health care systems and educational institutions.
Cyber & Privacy Liability Insurance is important for all types of organizations and can provide system breach response and other key coverages in the event of a cyberattack. Obtaining these policies has become more difficult since around late last year, Lefchik said, as “applications have truly been revamped.”
“Rates and premiums have skyrocketed and limits have been reduced,” he explained. “All markets are reconsidering this risk. If you do not have certain minimum-security controls in place, you will not receive a policy for the renewing year.”
While Fortune 500 companies may be further along in implementing cybersecurity standards, the tightening insurance market forces the adoption of these best practices “all the way down to the small- to medium-sized businesses,” Lefchik said.
Common requirements include multi-factor authentication and file encryption. “This is where the bad guys are gaining access, because things are not being encrypted,” he said. “Backups are another issue. If their backups are not tested and encrypted, cybercriminals can access that information and businesses may be locked out of files that are relevant to their needs.”
This applies “across all industry classes,” Lefchik pointed out.
Despite the misconception, implementing tools like multi-factor authentication for employees is often a simple process, Arnold said. “Businesses may think it will be annoying or cumbersome, but it can be as simple as going in and changing your settings,” she said. “More companies are aware that they need a Cyber & Privacy Liability Insurance policy, but they may not have it yet, and they may not be aware of the risk management tools our markets are looking for nowadays.”
Companies face multiple expenses after cyberattack
In early September, Howard University in Washington, D.C., canceled classes after a ransomware attack on the school’s network, CNN reported on Sept. 7. Disruption of usual activities is just one way these attacks can impact organizations, Lefchik said. With a Cyber & Privacy Liability Insurance policy, covered expenses can include ransomware payments, regulatory fines and penalties, repairing reputational damage, digital asset restoration, notification and investigation costs, and services such as credit monitoring for customers.
Loss of business income during a shutdown may also be covered. “If your systems are all frozen, for example, business interruption coverage is going to be very important,” Lefchik said.
The cost of notifying those affected can also add up quickly, Arnold noted. “If you have one client in one state, you have to follow the laws of that state for notification,” she said. “It can be tough to know all of the state’s laws and abide by them. This can be very complicated and expensive.”
Without the right insurance coverage, Arnold said, a company can be severely damaged. “It can take a significant chunk out of your year if you are not prepared,” she said. “It is phenomenal how quickly these things add up and how quickly they escalate. Cyber & Privacy Liability Insurance includes help from professionals in that field who do this all day long. Navigating that on your own would be very difficult.”
Access to these experts is a valuable benefit, Lefchik agreed. “When companies are running a mile a minute like everyone is right now, having an added resource and legal counsel teams can be a huge advantage,” he said. “Our policies provide access to unlimited advice and consultation with these experts.”
When choosing a Cyber & Privacy Liability Insurance policy, business owners should be sure to ask about cybercrime, Arnold recommended. Ransomware attacks fall under cybercrime and there may be separate limits for this type of incident. “This is where a lot of claims are coming in from right now,” she said. “Cybercrime is a huge component to a cyber policy.”
They should also ask about coverage for bricking, which refers to the loss of use, impairment, destruction, or corruption of electronics or equipment due to malicious code. “This is a hot topic in cybersecurity,” Lefchik said. “If a client has software, servers, or computers compromised, this is where the Cyber & Privacy Liability Insurance can come into effect.”
Cyberattack prevention and detection services may also be included in Cyber & Privacy Liability Insurance. Burns & Wilcox policies through Node International provide a “library of tools and resources” for clients to learn about their risks and improve their digital security, Lefchik said.
Cybercriminals becoming more sophisticated, all businesses at risk
In Canada, a recent survey by KPMG found that while 94% of small- and medium-sized companies monitored for potential cyberattacks, only 56% tested their effectiveness and even fewer felt prepared to fully detect and fend off cyberattacks, Yahoo! Finance reported on Sept. 28.
On Sept. 23, the Port of Houston revealed it was the target of an attempted cyberattack in August that involved a password management program, The Hill reported. Port officials said they were able to successfully defend against the attack and that no systems were impacted. As attacks increasingly target critical infrastructure, preparation is more important than ever, Arnold said.
“It is really about educating clients on what insurance policies can offer and the risk management they will need to have in place to be insurable,” she said, adding that a good insurance carrier can help companies identify gaps in their security protocols. “We are here to help educate on risk management.”
Although higher-profile cyberattacks frequently make headlines, smaller businesses can be even more vulnerable in some cases.
“A hacker’s goal is to make money. No matter your size, they can hold you for ransom,” Arnold said. “Even if you do not have data on customers, you have it on your employees and yourself and those can be hacked into. It is not ‘if’ it will happen to your business, but ‘when,’ because it is happening so frequently. No one is really safe.”
Companies that choose to forgo Cyber & Privacy Liability Insurance may wrongly believe they are not at risk, Arnold explained. “The common myth is that it will not happen to you, but it is proven day in and day out that it is likely going to happen to your business,” Arnold said. “If you cannot afford the policy, you are really not going to be able to afford a hack.”
Being prepared with cybersecurity controls and insurance is simply part of operating in the “new normal,” Lefchik said.
“If you are just starting to think about cybersecurity now, you are behind the eight-ball,” he said. “If they do not have the budget or know-how, a lot of companies will need guidance from insurance carriers and brokers to advise them on how to do it.”
When government agencies and small businesses alike are being targeted, being uninsured for cyberattacks is a serious risk, Lefchik said. “You might think, ‘Why would someone care about my small business?’ That individual may be the easiest target,” he said. “Start understanding your risk. Think of what it took to get to where your business is today. How would you feel if that was taken away in a matter of hours or days? A small business may not have the investment or insurance to get back up on their feet again.”
Cybercrime is becoming more sophisticated every day, Arnold added. “The cyber hackers are working while we are sleeping at night,” she said. “We try to implement all these controls, and they can still find a way to get through. I do not see that changing anytime soon.”