August 13, 2021
The Rising Threat of Cyber Risk and How to Control It
When insurance companies started offering cyber insurance a few years ago, it was to take advantage of what seemed like mostly just a marketing opportunity.
In exchange for taking on a minor risk, the principal aim was to capture premium dollars. That was then.
A new report from insurance credit rating agency A.M. Best calls the cyber insurance market “grim,” warning insurers they need to urgently “reassess all aspects of their cyber risk, including their appetite, risk controls, modeling, stress testing and pricing, to remain a viable long-term partner dealing with cyber risk.”
The report, Best’s Market Segment Report, “Ransomware and Aggregation Issues Call for New Approaches to Cyber Risk,” names the main challenges facing insurance companies who offer cyber insurance:
- As Exposure to cyber losses rapidly increases insurers are not applying enough underwriting controls.
- Cyber criminals are quickly becoming more sophisticated in their ability to exploit malware and cyber vulnerabilities — much faster than companies have been able to protect themselves.
- Cyber losses are prone to create cascading losses, unlimited by geography or commercial relationships, impacting a wide array of vulnerable targets.
The report notes that although more cyber coverage is now included in package policies, the number of standalone cyber policies has grown 28% in the last year, representing the escalating concerns of companies that want to buy more specialized and comprehensive cyber insurance. These are also the policies that have experienced more frequent and larger losses the past few years.
The kinds of cyber losses have also changed. The report notes that hackers’ motives appear to be migrating from stealing identities (third-party claims) to shutting down systems for ransom (first-party claims).
Total claims rose 18% in 2020 owing strictly to first-party ransomware claims, which were up 35% in 2020 and now account for 75% of cyber claims. “The recent Colonial Pipeline hack — for a multi-million-dollar ransom — is an example of first-party claims that have become so prevalent,” said Christopher Graham, senior industry analyst, AM Best.
Obviously as a business, your takeaway should be to increase control over your cyber vulnerabilities.
The following cybersecurity best practices from the Small Business Administration offer a good start. But we also highly recommend that you include carrying cyber insurance in your risk management plan. Please call us if you’d like to review your cyber liability preparedness.
Cybersecurity Best Practices
Train your employees!
Employees and emails are a leading cause of data breaches for small businesses because they are a direct path into your systems. Training employees on basic internet best practices can go a long way in preventing cyber-attacks. The Department of Homeland Security’s “Stop. Think. Connect” campaign offers training and other materials.
Training topics to cover include:
- Spotting a phishing email
- Using good browsing practices
- Avoiding suspicious downloads
- Creating strong passwords
- Protecting sensitive customer and vendor information
Use antivirus software and keep it updated
Secure your networks
Use strong passwords
- 10 characters or more
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character
Multifactor authentication requires additional information (e.g., a security code sent to your phone) to log in. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
Protect sensitive data and back up the rest.
Back up your data
Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
Secure payment processing
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.
Control physical access
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.