CyberEdge Group revealed in its 2020 Cyberthreat Defense Report that 80.7% of organizations surveyed had fallen victim to a cyberattack the previous year. That number is up from earlier years and will most certainly rise as cybercriminals have ramped up efforts to separate you from your money.
If your company has not fallen prey to cybercriminals, it is only a matter of time. The severity of an attack and how well protected you are will determine if your business survives or not. Although managed services providers can deploy the most advanced measures to mitigate the possibility of a cyberattack, an IT vendor simply cannot prevent all threats.
Therefore, it is up to businesses to make sure they have sufficient cyber insurance to help them recover in the event of an attack. We spoke with two prominent cyber insurance specialists to learn more about the importance of having sufficient cyber insurance. Chase Burnette of Burnette Insurance and Ralph Pasquariello of Snellings Walters Insurance Agency provided valuable insight on the biggest mistakes business owners make that can lead to disaster.
Both Burnette and Pasquariello agreed that being underinsured is the cardinal sin of cyber insurance. “With cyberattacks and claims ever on the rise, premiums have been increasing over the last few years,” said Burnette. “There can be a knee-jerk reaction to sacrifice on coverage to save money. Cyber insurance is more important for businesses, particularly small businesses, than it has ever been before.”
The Consequences are Real
Here is a real-life horror story that was shared with Pasquariello: Hackers recently attacked a local Atlanta manufacturing company with ransomware and demanded $750K to restore their data. The attack brought all production to a standstill for four days. That translated to a loss of $85K each day for a total of $340K. That loss plus the cost of paying the ransom (which is almost never advisable) ending up costing $1,090,000 in damages. Their measly $1 million cyber policy didn't come close to protecting the manufacturing company from losses which already total $90K NOT including forensics, impending legal fees and damage control.
With that, here are seven mistakes that business owners make that lead to insufficient coverage and the risk of losing it all in the face of a cyber incident.
1. Not Having First-Party AND Third-Party Claims Coverage
First-party expenses are expenses incurred by you in the event of a claim. Third-party are damages you pay to your clients, vendors, employees, or partners in the event of a claim. Should a client sue your business, the resulting legal fees, court costs and settlements could be devastating for an SMB. Third-party insurance helps ensure your business can survive the financial aftereffects of a cybercrime.
2. Thinking That Commercial General Liability Insurance Will Cover a Cyber Event
A common misconception is that general business liability insurance covers cyber exposures. It does not and many business owners find that out the hard way. If a cyberattack cripples your business and it takes weeks or months to recover, you are not insured against business interruption because there was no physical damage to your property. A cyber policy with a business interruption clause is needed to protect your business from a disastrous shutdown.
3. Foregoing a Full Business Assessment to Determine Sufficient Coverage
It is common for organizations to require vendors with which they do business to carry a certain amount of cyber insurance. For example, a client (at the request of their insurance company) might require that a vendor they do business with carry “X” amount of cyber insurance. This allows the client to check the compliance box. The problem is it might not be sufficient to cover the costs associated with an actual cyberattack should that vendor fall victim. Business owners should never blindly allow a client’s minimum requirement to be the deciding factor in how much cyber insurance his business will need to stay afloat in the event of a cyberattack. “Companies should undergo a full business assessment to determine the appropriate amount of coverage,” said Pasquariello. “You have to peel back the layers. Are you insured for bricking? Are you insured for response and remediation? What are the forensic costs going to be? What are the attorneys going to cost? What about court attendance? It adds up. You have to consider what it is going to cost to stay in business.”
4. Failing to Insure Against Social Engineering AND Invoice Manipulation Crimes
Cyber insurance policies differ from carrier to carrier. There is no standard cyber insurance policy so business owners need to carefully examine what is and is not covered. Social engineering clauses protect your business if one of your employees is duped into voluntarily parting with money, products, services or goods. On the other hand, invoice manipulation is when a bad actor gains access to your systems and manages to tamper with invoices that are subsequently emailed from your servers. Your customer or vendor is tricked into delivering a payment, products, services or goods to a location or offshore account that is controlled by the bad actor. Social engineering clauses do not cover invoice manipulation crimes, so you need to be sure your policy includes both.
It is important to note that most social engineering and invoice manipulation clauses top out between $150K and $250K of coverage. As a business owner, you’ll end up eating any dollar amount above the sub-limit. To combat the risk, companies would be wise to invest in security awareness training for their employees.
5. Overlooking Exclusions and Sub-Limits
Beware of sub-limits and exclusions in insurance policies. Except for social engineering and invoice manipulation clauses, you’ll want to check each line item to ensure there are no surprises. For example, if you have a $3 million cyber insurance policy, you’ll want to check to ensure all line items are fully covered up to that limit. Same with exclusions – some carriers will deny a claim if certain minimum security standards are not adhered to. For example, your claim could be denied if your company does not have payment verification controls in place for online payments or wire transfers.
6. Purchasing a “Throw-In” Policy from Your Payroll Company
In an effort to be all things to all people, some payroll companies are offering “throw-in” cyber policies to their clients. These boilerplate policies may be cheap but they are not as robust and will not provide all the state-of-the-art coverage that is available in today’s changing market. “As hackers come up with new creative ways to attack your systems, insurers have to often expand coverage constantly to provide the correct coverage to protect you,” explained Burnette.
7. Using a Broker Who Doesn’t Specialize in Cyber Insurance
This one should be a no-brainer, however many business owners insist on buying cyber insurance from agents they’ve been doing business with for years. “What really should be a business decision is often based on the relationship a business owner has with his insurance broker,” said Pasquariello. Cyber insurance coverage can be complex and requires the knowledge and expertise of a broker who can help you navigate this ever-changing market. “Clients usually don’t know enough about cyber insurance to know what they need. Therefore, the conversation needs to be broker-driven.”
For years, SMBs have turned a blind eye toward cyber insurance. Many mistakenly feel that they are simply too small to warrant the attention of cybercriminals. But report after report suggests this is not at all the case. Cybercrime is a $20 billion industry and no business is immune to the risks associated with it. As a managed services and cloud provider, MIS Solutions strongly encourages all SMBs to purchase a robust cyber insurance policy.
If you would like more information or need help finding a reputable agency that specializes in cyber insurance, call our office at 678-745-5109.