Patrick Costello is a Principal and co-founder of Evolve, a cyber liability specialist Managing General Agent founded in 2015. The Evolve team works directly with retail insurance brokers and has 20 full-time cyber specialists in six offices across the US.
The city of Atlanta suffered a crippling ransomware attack in March 2018, bringing municipal functions like billing for utilities to a standstill for weeks. The ransom, which the city never paid, was $50,000. The entire ordeal is estimated to cost the city at least $2.6 million.
But get this: Atlanta had a cyber insurance plan in place that saved the city from total catastrophe.
Pretty cool, huh? Let’s take a closer look at the typical ransomware case and what kind of policies are emerging to cover the risk.
Holding Your Data Hostage
Here’s a quick definition of ransomware: malicious software that blocks access to data or systems unless a ransom is paid, typically requested in bitcoin. The attacker holds the systems and data hostage, perhaps threatening to publish data and damage the organization. Once the ransom is paid, the attacker provides the decryption key — or might not. (That’s why the FBI advises against paying ransoms.)
Cybersecurity experts estimate that criminals made more than $1 billion from ransomware in 2016. At Evolve, we see ransomware claims from companies in almost every industry on a daily basis. We’ve even observed a scenario where a criminal acted as a ransomware broker, offering ransomware on the dark web for free in exchange for a commission on every ransom.
While the cyber takedown of Atlanta made headlines, the typical attacker doesn’t want to be in the news; they just want to get paid.
Consequently, attackers prefer to target small and medium-sized enterprises and ask for ransoms they know victims can afford, making friction-free transactions more likely. Small and medium companies also stand out as attractive marks because they often have little to no procedures in place to combat cyber scammers.
Your business doesn’t need to run a mobile app or have an advanced website to be at risk. If you use computers and networks to run your business (so that’s basically… everyone), you need to think about what would happen if you suddenly lost access to that technology.
What is cyber insurance?
Simply put, cyber insurance protects your intangible assets affected by cyber theft.
The costs of an attack can include:
– forensic experts ($350/hour)
– data breach attorneys ($350/hour)
– notifying third parties involved ($3/individual)
– PR firms for crisis communications ($200/hour)
– credit monitoring ($2/impacted individual)
– business interruptions
– recovering lost data
– reputational loss
Today’s typical cyber insurance policy covers all of the above. But it’s always important to get the most up-to-date policies worded to reflect the latest cyber risks.
While the threat and cost of ransomware are very clear, most businesses don’t yet understand cyber insurance. Most brokers don’t understand it, either, and the underwriting process can be intense and lengthy. (Evolve’s application, on the other hand, is one page.) It’s such a new part of the insurance industry that a lot of producers and account managers don’t feel comfortable explaining the exposures to clients. Finding an experienced broker is key to getting the right coverage.
Boost your cybersecurity
– Educate employees. Facebook gets creative when training employees. Every October, they launch Hacktober, a month-long initiative designed to create a cybersecurity-conscious culture. The cybersecurity team unleashes phishing tests, mock attacks, workshops and more.
– Encrypt everything. Underwriters may reward actions such as encrypting employees’ devices.
– Start on day one. Introduce good practices for spotting malicious emails and creating secure passwords during onboarding to avoid issues further down the road.
– Watch trends. Verizon’s annual Data Breach Investigations Report is a great place to start watching how ransomware has evolved worldwide since 2009.
We’re in a soft market right now, where you can still find a minimum premium of $1000. We expect premiums to rise in the next few years as the insurance marketplace develops and ransomware becomes more widespread, as also anticipated by the Geneva Association.
About 20-30 years ago, employment practices liability came onto the insurance scene. Today, the newcomer is cyber. I don’t expect either to go away anytime soon.