Although I knew it was just a demo, it was still unsettling to watch.
At a panel presentation titled “Hacked: The Implications of a Cyber Breach,” hosted by Travelers in New York City, Kurt Oestreicher, digital forensics specialist/cyber fraud, and Chris Hauser, 2nd vice president/cyber risk, both with the carrier’s Investigative Services division and experts on cyber security, demonstrated for a captive audience how an unwelcome visitor can take control of—or “own,” in hacker-speak—a fictitious retailer’s website.
Their digital infiltration took all of 10 minutes—and that was with Hauser and Oestreicher explaining to attendees exactly what they were doing, each keystroke of the way. Without having to provide that exposition, the same task could be accomplished in less than four minutes.
Through the use of open-source tools created specifically to perpetrate cybercrime, it was made plain just how easy it is to sneak in and explore the “back end” of a website (where customers’ credit applications and the site’s controls are kept), shut it down, and hold it for ransom.
Small to mid-sized businesses, explained fellow panelist Mark Greisiger, president of cyber risk assessment and data breach services firm NetDiligence, are those at the greatest risk for such threats. Their level of preparation is low for such an attack, in which customer data can be stolen and the business can face state fines; sizable costs of notification for its customers; and the fees for forensic experts to come in and remove the threat, to say nothing of the reputational damage that can result. These costs can spell the end of these businesses, particularly those with no insurance when the attack comes.
It’s no longer a question of if, but when an attack on your website will be attempted, said Tim Francis, Travelers’ enterprise cyber lead. Of those parties that do suffer a breach, he added, one-third of them, at best, will have insurance.
“There are far too many companies that need this protection that don’t have it,” added John Mullen, managing partner of the Philadelphia office for Lewis, Brisbois, Bisgaard & Smith LLP and chair of the U.S. Data Privacy & Network Security Group. Mullen’s firm consults with at least one new breach victim each day.
What does this mean for producers, aside from having to take stock of their own cyber exposures? It means that there’s an enormous opportunity to sell Cyber policies to small and medium-sized businesses, if agents and brokers can do two things: Become well-versed in the complexities of what a cyber attack entails and what it can do to a client or prospect’s business, and convey that very real level of threat to the customer in making the sale.
Small to medium-sized businesses are the highest at risk, they suffer the most breaches (62% of all those reported) and could be put out of business by one good-sized breach. These prospects need a Cyber policy more than anyone.
So what are the selling points for a Cyber policy? Ideally, the policy will provide a professional assessment of the client’s risks by forensics experts, including vulnerability testing; consultation with a breach coach prior to any attacks, to shore up defenses; access to PR and call center professionals who will be deployed if necessary; as well as other protections.
One stark, bite-sized statistic that’s worth conveying: A small to mid-sized business that gets hacked that doesn’t have a Cyber policy in place will pay up to three times as much for the three things it will need if customer information is compromised (the forensics experts, the PR squad and the call center personnel), and it will be forced to use vendors who haven’t been vetted by a major insurer.
As a producer, the case for Cyber is yours to make—and if you can, the opportunity gained could be well worth the investment of time and education, both for yourself and the client.