The loss of confidential customer and employee data remains the top cyber-related concern for smaller businesses whereas, for large companies, their biggest concern shifted in 2017 from data breaches to managing reputational and regulatory risks, according to USI Insurance Services’ 2017 Cyber Security and Data Privacy Study.
Damage to the reputation of an organization that experiences a breach can be catastrophic or minimal — it depends on the public’s perception and understanding of the event. Engaging the right people at the right time to communicate a well-thought-out message is the first step to managing an organization’s reputation in the wake of an incident and is a critical part of an incident response plan.
The 2017 study, based on a survey of decision-makers (equally representing large companies with annual revenue of more than $100 million and smaller firms with revenue of $5 million to $100 million), provides unique insights into how firms of many sizes view cyber and privacy risks, the challenges companies face when reviewing their exposures, the prevalence of impostor fraud and ransomware attacks, and the ways companies are dealing with business interruption threats due to malicious cyber attacks.
The study also reveals that more companies are expanding information technology budgets, purchasing insurance, and developing incident response and business continuity plans to address the increasing complexity and frequency of cybersecurity risks and data privacy incidents.
Escalating risks: Ransomware, data breach & impostor fraud
Of the survey participants representing smaller firms, 32% confirmed being a target of impostor fraud; 25% reported being targeted by ransomware attacks; and 32% reported experiencing a data privacy incident, all in the past year.
The fact that money moves quickly in today’s fast-paced transactional environment has led to a massive uptick in impostor fraud incidents, also known as social engineering or business email scams. In many of these cases, fraudsters, pretending to be trading partners or employees of the same company, employ scams to divert company funds to hacker bank accounts.
According to the survey, large businesses that were the target of impostor fraud in the past year experienced a financial loss of between $100,000 and $500,000. Smaller business losses from impostor fraud ranged from $25,000 to $250,000. Although smaller businesses were less likely to have been targeted, overall half of the targeted businesses reported suffering monetary loss, the survey shows.
Large businesses are more likely to experience a data privacy incident and ransomware attack, although theft of portable devices or hard drives by someone external to the organization was more likely to occur at smaller businesses. Cyber extortion and ransomware attack losses were under $250,000 for a majority of survey participants; however, approximately 14% of large businesses indicated their losses were more than $1 million. USI expects the frequency of ransomware and cyber extortion threats to increase and become more severe for businesses of all sizes in 2018.
The cost of dealing with cyber incidents continues to grow, and so does the concern over less easily quantifiable losses. Among large companies, the study showed a notable increase in concerns about maintaining reputation and compliance with regulations. This concern jumped to the No. 3 spot, with 20% of respondents indicating they were worried about it compared to just 9% in 201. Reputational harm includes the loss of revenue that often follows a cyber incident announcement.
Insurance & risk management
Businesses need to take aggressive steps to ensure their cyber risk management practices, third-party service providers and cyber insurance policies are equipped to respond effectively to ransomware attacks. These steps must also include putting together a robust response plan listing all organizational losses and any potential liabilities resulting from an attack.
According to the survey, the majority of smaller businesses (82%) reported purchasing cybersecurity and data privacy risk insurance to protect from financial loss and 74% cited preparing for a data privacy breach as their top reason for buying the coverage. Less than half of smaller businesses reported having purchased impostor fraud coverage as part of their insurance portfolio.
Also, a majority of smaller businesses cited finding a policy to fit their unique needs, followed by cost, as the most significant challenges to acquiring insurance to protect against cybersecurity and data privacy. Notably, the survey shows 30% of smaller businesses are unsure of how to begin looking for cybersecurity and data privacy risk insurance.
USI recommends that companies undertake a cyber risk assessment to identify the strengths and weaknesses of their data security plan, develop appropriate strategies for improvement and speak to an experienced cyber broker. While purchasing cybersecurity and data privacy insurance is an important step, it should be used in tandem with developing and testing a comprehensive incident response plan.
Visit USI’s website to access the executive summary and a copy of the full cyber report.
Dena Cusick is USI National Practice Leader Technology, Privacy, and Network Risk Practice (Dena.Cusick@usi.com). Paul King is USI Management Professional Service National Practice Leader (Paul.King@usi.com).