Identifying cyber risks. Spoofing is just one of many tricks businesses need to guard against. (Photo: Shutterstock)

A local business owner, the third-generation president of his company, recently walked into his office, where the company’s chief financial officer proudly informed him that the $70,000 he had asked to have wired had been sent. The president said, “I didn’t ask you to wire $70,000.”

The CFO replied, “Yes you did, here’s the email.”

“I didn’t send you this. Look at the address and signature. It’s all wrong,” said the president.

The CFO turned white, then hustled back to his office to call the bank. The CFO was able to stop the transfer before it went through, but the contracting company was nearly the victim of an email spoofing scam.

Going phishing

Spoofing is just one of many deceitful tricks that businesses of all sizes need to be aware of and guard against to protect their most precious assets: money and data. Other types of problems include phishing, ransomware and insider threats. In a phishing scam, the sender provides a link or attachment and asks the recipient to click on it. Once the recipient does, the hacker gains an avenue into the target’s operating system.

Nefarious actors are now increasingly targeting small business owners with ransomware attacks. The hackers gain access and hold the company’s operating system hostage until a ransom is paid, typically in cryptocurrency. In November 2018, the city of West Haven, Connecticut, paid $2,000 in cryptocurrency to have their system released from a hacker’s clutches. The city of Atlanta refused to pay a $51,000 ransom, choosing instead to restore its system. The most recent estimate reported that the city has incurred $17 million in costs.

The St. Louis Cardinals found out the hard way what an unknown bad actor within the organization can do to a reputation and a pocketbook. A former scouting director, Chris Correa, used the known passwords of executives who had left the Cardinals to join the Houston Astros. He accessed the opponent’s emails, draft boards and scouting reports for many months. After he was caught and pled guilty to a felony, he was banned from baseball for life, fined over $250,000, and sentenced to nearly four years in prison. The Cardinals were fined $2,000,000 and ordered to send two draft picks to the Astros. The Cardinals’ executive team and owner were unaware of the conspiracy, but were held accountable.

All of these threats are growing. How do businesses address them? What is the opportunity for insurance companies that wish to offer cyber risk insurance? The keys to both are to assess, plan and execute.

Assessing risk

Graduate students in the Cyber Risk Management program at Mercyhurst University were divided into groups and conducted cyber risk assessments for two local non-profit organizations. The results were eye-opening to the participants on both sides of the table. One organization had started its cyber assessment journey four years ago and employed sound practices and security. The other didn’t think it needed to be vigilant about security, for many reasons, including a lack of expertise on the part of its IT professional.

Some work was needed in both organizations. The first did not have a formal cybersecurity policy of its own covering a data breach recovery plan, a position on system access from employees’ personal devices, and training programs for continuing education and vigilance.

The other firm, in addition to having the same issues noted for the first, needed to beef up compliance with recent standards and legislation related to accepting online payments. In both cases, the students delivered actionable feedback that included free training resources available through various entities.

Each organization will need to prioritize the recommendations and go on the offense to thwart future cyberattacks. They were provided with a road map and will easily be able to fill in as many gaps as their resources, both human and financial, allow.

These simple examples reveal the problems that all businesses, large and small, for-profit and non-profit, face in cybersecurity. The opportunities for insurance companies to offer appropriate protections are enormous. A recent study by the Insurance Information Institute put the cyber risk insurance market estimate at $200 billion, while the total amount of premiums written (2017) was $1.1 billion. Currently, only 0.6% of the demand is being met by insurers.

The market opportunity is huge. However, because the coverage is new and there is therefore little historical claims data, the risks are potentially large as well. The industry does not want to repeat in cyber insurance what happened in the long-term care insurance market 20 years ago.

If insurance carriers are diligent during the underwriting process, they will set up their cyber book of business for success. Underwriters should seek information about a potential policyholder’s risks, cybersecurity policy and breach plan, and understand the systems currently in place. Once the underwriter is satisfied that the risk meets the company’s tolerances, the carrier should ensure the pricing is fair, adequate and affordable to the policyholder.

Is the claims team equipped to handle the losses? When a covered breach occurs, dealing with it requires quick, decisive action. The response will likely be a concerted effort involving the policyholder’s leaders and IT employees, the claims representative, forensics experts and possibly outside counsel.

First-party issues such as the forensic investigation, data loss, the cost of plugging the leak, customer or vendor notifications and the like need to be addressed as soon as possible. Was the backup system or duplicate server(s) adequate and current? If so, then perhaps booting up or reloading from those sources is all that is necessary to restore the operating systems without paying a ransom.

Third-party exposures include notifying any necessary regulatory agencies and possibly dealing with potential litigation resulting from the breach. Outside counsel knowledgeable in cybersecurity regulations will be a key member of the response team. Identifying attorneys and forensic firms before a breach occurs speeds up the response process.

There are many cybersecurity issues that need to be addressed, both by businesses and by insurers. The need for cyber insurance is clear. As the local contractor discovered, any business, regardless of size, is a potential target for hackers. Non-profits must either continue to enhance their security measures or institute a cyber program before it is too late. Businesses should complete a cyber assessment to identify their vulnerabilities, and such a review should include assessing the company’s insurance needs. The opportunity for carriers to meet these needs is only growing, and their coverage is desperately needed to protect policyholders and their customers.

Gary P. Sullivan, CPCU, (gsullivan@mercyhurst.edu) is assistant professor of risk management at Mercyhurst University.
