Smaller agencies may mistakenly think they fly under the cybercriminal's radar. But no agency is immune to cyber risk. (Photo: Gorodenkoff/Shutterstock) Smaller agencies may mistakenly think they fly under the cybercriminal’s radar. But no agency is immune to cyber risk. (Photo: Gorodenkoff/Shutterstock)

Cybercrime is profitable and low risk. The World Economic Forum reports, “Cybercrime is a growing business model, as the increasing sophistication of tools on the darknet makes malicious services more affordable and easily accessible for anyone that is willing to hire a cybercriminal.”

The forum reports that the likelihood of a cybercriminal being caught in the U.S. is estimated at 0.05%. U.S. regulators, corporations and policymakers are struggling to improve that rate.

Four resources for agency cyber defense Design by Chelsey Fredlund/ALM | Photo: arthead/Adobe Stock

But this low rate proves that independent agencies must not merely wait for law enforcement to catch up.

Insurance firms are prime targets for cybercriminals. We have the customer data they want, from financial and personal to health information. Not only do we store structured data (names, dates, addresses, numbers, etc.), but we also store unstructured data (emails, incident reports, contracts, etc.), which is more difficult to protect. That’s because it can’t be compiled into a standardized format, and its creation, use and management are usually at the discretion of the employee, not the firm.

Smaller agencies may mistakenly think they fly under the cybercriminal’s radar. But no agency is immune to cyber risk, from global carrier to small independent agency. The Small Business Administration warns: “Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses.” Furthermore, a small firm is more likely to founder after a cyber breach because it has fewer resources for recovery.

Here are the five major security threats your independent agency must defend against:

No. 1: Computer hacks

Hiscox, in collaboration with Forrester Consulting, produces an annual cyber-readiness report. This year’s report discloses that one in six firms attacked in 2020 “said they almost went under ”after being hacked.

The report also places the average direct cost of a cyber hack for a small business at $25,612.

The indirect costs are greater — loss of data and employee hours spent on recovery, reputational damage, and the consequent loss of customers, as well as possible penalties, fines and litigation costs.

No. 2: Ransomware threats

We’ve all heard about the increase in ransomware threats and should heed lessons learned from the attack on CNA this year. In its Internet Crime Report, the FBI says ransomware complaints increased by about 20% in 2020 over 2019, to about 2,500 total. At the same time, however, the total cost of the attacks increased by more than 200%, from $8.9 million in 2019 to $29.1 million in 2020. In July 2021, the FBI issued a statement citing ransomware as “a growing threat to the health and safety of the American people and our national and economic security.”

No. 3: Data leakage

Insecure external storage devices are the primary cause of data leakage. They’re portable and can easily fall into the hands of unauthorized personnel, as Vertafore can attest.

No. 4: Phishing scams

The elderly or vulnerable are the stereotypical victims of a phishing scam — email from a criminal posing as a legitimate company seeking information. But, yes, even big insurance companies are vulnerable. Just ask Unum and Paul Revere life insurance companies, which paid a state regulator a $1.8 million penalty for cybersecurity violations. And agency employees have fallen for phishing scams.

No. 5: Internal threats due to malice or negligence

A customer service representative may leave their desk unattended. Passwords may be visible on a sticky note. A disgruntled or ambitious employee may grab it before leaving the company and taking valuable information.

If your agency hasn’t made cyber protection a priority, I am ringing the alarm for you now. It’s critical to improve both our technologies and our policies.

Mike Foy is president and owner of Foy Insurance Group, a family of independent insurance agencies in New Hampshire, Maine, and Massachusetts. He is past-chair of insurance technology association NetVU (Network of Vertafore Users) and an active industry leader on cyber issues, including with ID Federation’s SignOn Once credential management solution. He can be reached at 603-772-4781.