Why buy it? What’s the point of specialized cyber liability or data breach insurance?
The world is changing. And the threats are increasingly complex and sinister. According to a major carrier, claims increased from $75,000 in Q1-2019 to over $350,000 by Q4-2019. And everyone has liabilities. Even a snow cone stand.
Privacy law and data ownership, as well as cyber insurance, doesn’t differentiate on how you store data. Personally Identifiable Information (PII) is Personally Identifiable Information, no matter where it’s located. Cyber liability insurance will respond either way, and you’ll be liable legally to respond to a breach. Whether your data is kept on paper or in the cloud, on your computer, or on your phone – it’s all the same.
Whitney Tabash, a Broker with All Risks, Ltd, recently sat down for an interview and answered the following questions. You can jump to her answers by clicking on the links below.
Cyber Liability Self-Assessment
What are the typical small business cyber vulnerabilities?
An open laptop with unencrypted information in a public area is a common example. It could be a co-working space, or somewhere public like a coffee shop. Or an employee could lose their cell phone.
One of the biggest first cyber claims was a medical student in Boston. He left records that he had taken home from the hospital on a subway. Notice how there was no computer involved in this case.
The biggest cyberattacks are criminal ones. A lot of that has to do with transferring money, but there’s also a value on Personally Identifiable Information (PII). They can sell name and addresses on the dark web for money. There are a lot of phishing scams that are purely designed to get you to click a link, once clicked you’ve given access to your system to someone who’s not authorized. Traditionally we think of them as hackers.
What size business are getting hit?
All businesses are susceptible, no matter their size. But cyber criminals know that most of the time small businesses don’t have teams that are in-house that are designed solely to keep the cyber defenses of the business up. And, if they do have things like firewalls or anti-virus, they’re most likely not the best products out there, and there’s a good chance they’re not constantly being updated. So, in many ways, criminals think of small businesses as being easier to attack.
Does my antivirus software protect me?
It can. But you must remember that cyber criminals are some of the smartest people in society today. You’re talking about people who know coding and may have graduated with honors from places like MIT. It’s impossible to guess what they’re going to do with coding next. The way I think about it is we’re not cybersecurity experts, and I’m definitely not a mathematician or an IT expert – to predict what they’re going to do next would be pretty much impossible.
It’s hard to outthink someone who is highly intelligent, and spends every day, all day, figuring out how to gain access to your system. It’s impossible to stop the number of attacks that are coming, and the number of different people that are doing it.
There are governments that employ hundreds of people just to figure out how to access companies that are in the United States or other areas. So, it’s difficult to anticipate what could be coming next.
The antivirus products are stopping as much as they can, but it’s impossible to stop it all.
What are the different categories of attack?
Malware
Cyber criminals might send a malware link in an email. It looks like it comes from someone that person knows. All it takes is one click and then whoever in the system got the email has given access to the entire system to that bad actor*.
Extortion
Extortion is one of the highest cybercrimes right now. Someone takes over your system and demands you pay them a certain amount (ransomware), usually bitcoins, for them to give you back your system.
There are a lot of issues that come up with extortion because you don’t know if they’re really going to give you back a clean version of your data. When we say clean, we mean, there’s no malware on it and they can’t take it again. It’s exactly how it was before they had access to it.
If you don’t have a clean version of your data to go back to, that’s a real problem. Trying to replicate that data costs a lot of money. It costs a lot of time during which you’re not running your business. If you’re sidelined for five days (for example), what kind of impact long term is that on your small business?
Social Engineering
Social engineering is basically someone tricking their target into divulging sensitive information. When we talk about social engineering regarding cyber insurance, we specifically mean getting someone to spend money somewhere that a bad actor* controls. It’s also someone trying to get login information. It’s not just money in the overall scheme of cyberattacks.
Businesses like title agencies, any kind of real estate, they are being specifically targeted because social engineering criminals know that they often transfer money online. It’s easy to dupe people into sending it to the wrong place.
The first kind of social engineering claims that were publicly known were from the Nigerian prince from the 80s or 90s. We’ve probably all gotten it, or we know someone who has. “I can’t get access to my account. If you send me $1,000, then once my account is opened up, I’ll use that $1,000 to do that. I’ll send you back $5,000.” And of course, you never get your money.
Spear Phishing
A lot of social engineering claims today are what is referred to in the cybersecurity world as spearfishing. They use malware to gain access to someone’s computer.
They’ll get access to someone who is high up on the company’s email account and watch that email for several weeks. They’ll also watch that person on social media. They’ll know what’s going on in the business, and who that person talks to. The spear phisher knows the kind of things they say and how they talk. And they know the types of things they might spend money on, or authorize money to be spent on.
So, using Daniel’s Head as an example, if they were thinking about purchasing a small insurance agency from someone else. They might watch, wait until the person (CEO, CFO, someone high up) they’ve been watching goes on vacation. Then send an email from that person’s email to someone in accounting that says “in order to make sure this transaction goes through, we need to go ahead and send $50,000 in good faith to the agency principal. Here’s the routing number of the account that I want you to send it to.”
That email might even reference what the person’s doing on vacation that day. Like if they’re watching their social media, they might be able to see that he had taken the kids surfing that day. And he might reference “I took kids surfing this morning. Now taking a break, going to get some work done” and then say that you should transfer this money.
It’s highly profitable. It works well. People want to please the people above them. So, often the person who receives the email immediately goes through with the transaction. And of course, once the money is spent, it’s gone forever.
Phishing
Question: So about once a week I get an email from somebody who found a very, very old password I used to use. They claim they’ve recorded me doing naughty things on my computer and I have to send them bitcoin. What type of attack is that?
Answer: That’s a phishing scam. For insurance purposes it’s not really something that would trigger a cyber policy until you respond and they get something out of you, or get access to your system. That kind of thing most people can delete.
A phishing scam, they send the same exact email to thousands of people. Our government would definitely say report it. It’s a crime and they’re trying to crack down on cybersecurity scams.
Summary
Small businesses face increasing threats from bad actors seeking to breach your data and systems. We’ve listed a few of the ways they’re doing it. But the threat against exposing your vulnerabilities evolves daily.
Assume a breach will happen. Get ahead of the situation and create a plan. Your fastest path to recovery is knowing how you’ll respond when it happens. Most insurance carriers will coach you through your response. So, have your policy number and insurance agent’s phone number handy in the event you get breached.