By Steven Yahn
It's springtime for the sales of cyberliability insurance among small and medium-sized companies in response to indisputable evidence of a sharp increase in cyberattacks at companies of this size.
From new cyber packages offered by AIG, Travelers, The Hartford and Liberty International Underwriters, to a new Cyber Pro offering from London-based MGA Ascent, to smaller-sized MGA vendor Amerinst Professional Services based in Lisle, Ill., the number of cybercrime insurance packages is growing by the day, experts said.
Sarah Stephens, a San Francisco-based vice president for Aon and a cybersecurity specialist, said, "We've seen a major uptick in purchasing of dedicated cyberliability policies from the small and medium-sized segment, which indicates that at the very least the perceived threat has grown."
Garrett Koehn, the San Francisco-based president of Northwestern U.S. for CRC | Crump Group, observed: "I've been in this space since the late '90s and when cyber policies first came out everybody was really trying to focus on viruses and hackers and the policies didn't get much traction. But now there are more than 30 markets that are playing in this space."
Security vendor Symantec reported that 40 percent of nearly 1.4 billion worldwide cyberattacks reported in the first quarter of 2012 were targeted at companies with 500 or fewer employees. In the Symantec survey, 60 percent of small to medium-sized businesses admitted they have no plan outlining how to respond to and report loss of data due to a breach. The Ponemon Institute reported that the cost of cyberattacks for each individual customer's data is $194, which could add up to costs in the millions of dollars for a hacked company.
In a study by Visa, which reported that small businesses represent more than 90 percent of payment data, the company found that 85 percent of all data breaches occurred at the small-business level.
"A lot of small to medium-sized businesses don't even know they have cyber exposures," said Richard J. Bortnick, shareholder specializing in cyber technology and privacy at Cozen O'Connor PC in Philadelphia.
"But if you're a small to medium-sized company, the impact on your bottom line is much greater than that of a larger company."
For SMBs, as they are known, the first step in creating cybersecurity is to have a plan in place.
"It doesn't have to be complicated," said Jeanne Oronzio Wermuth, senior technical specialist at Philadelphia-based The Graham Co. "It could be just one or two pages saying what does a company do in case of a breach."
Added Larry Racioppo, vice president, risk advisory & brokerage practice at Towers Watson: "An important step is that companies of this size need to bring privacy issues to the forefront. I think it's fair to say that at one time or another every company is going to be faced with a privacy breach."
Kevin Violette, who handles professional liability with RT ProExec, noted that the more sophisticated your cyberdefenses are, the more likely cybercriminals are to look somewhere else.
Outsourcing is a subject that is getting increased attention in the cybersecurity area. "Using a cloud provider and understanding what your responsibilities are and how you should negotiate your contracts is something that small and medium-sized companies must pay a lot more attention to," said David Umbers, a director at Ascent in London.
Observed the insurance executive of a medium-sized company: "When we're contracting with a vendor we deem it appropriate that they carry cyberrisk coverage. A year ago or two or three, often they didn't have this kind of insurance. Now it's a requirement."
Added Daren Orzechowski, a New York-based partner at the White & Case law firm: "When we respond to an RFP we get asked about the security that we have. It's a very important thing now."
Orzechowski said that currently many of his clients are asking him about President Obama's recent executive order that authorizes the government to provide private companies that run critical infrastructure networks with "cyberthreat information."
"Insurance companies probably represent critical infrastructure under the financial services type of thinking," Orzechowski said.
In putting cybercrime defense mechanisms in place, there are a number of technical steps SMBs can take, said Greg Leffard, The Hartford's vice president of professional liability, which includes the cyber area.
"It's important to regularly change the default password on point-of-sale machines," he noted. "Another step is to change the administrator password on your router. Also, make sure to regularly update your anti-virus software. And make sure you're updating your operating systems.
"But even with these steps, a breach can still occur, so it is important to have insurance and a breach plan in place," Leffard noted. "For a company that has been proactive in putting a response plan in place before a breach occurs, it actually can be an opportunity to help an organization's reputation. It speaks to being prepared."
Ken Goldstein, Simsbury, Conn.-based vice president and worldwide cyber security & media liability manager for the Chubb Group of Cos., outlined some of the major costs associated with a breach:
* Cost of notification to those impacted by the breach.
* Loss of consumer confidence.
* Regulatory exposure.
"There is a broader exposure beyond hacking," Goldstein said.
"On the internal side you could have a disgruntled employee who wants to get back at you by taking information and selling it to others for a profit."
Or it could be something as simple as employee negligence, Goldstein added.
"For example, an employee has a mobile device with private information on it and they leave it somewhere," he said.
"From an external view we see everything from traditional hacking, to phishing episodes, or a malware attack where you click on something and it sets off a virus."
Goldstein observed that notification issues are especially important since there are 46 states--plus Washington, D.C., Puerto Rico and the Virgin Islands--as well as the federal government that have compliance regulations in the cybersecurity realm.
A lot of anti-hacking steps SMBs can take are relatively inexpensive, noted Oliver Brew, New York-based vice president, specialty casualty at Liberty International Underwriters.
"Obviously a baseline of technology protections is important, but a lot of measures, such as password policies and education and awareness and training of employees in handling personally identifiable information are not expensive," he added. "They just require a level of sophistication among the leadership in taking responsibility and control."
From his perspective, Robert G. O'Shea Jr., New York-based managing director, executive liability practice for Beecher Carlson, said an important goal when a breach occurs is to handle the forensics properly.
"This will help determine the breach source, identify the nature of the data compromised and protect evidence," O'Shea noted.
"Additionally, when a breach is discovered we recommend companies contact their attorneys and appropriate law enforcement agencies as soon as possible."
O'Shea said Beecher Carlson recommends that SMBs establish a tested loss prevention plan that ideally includes all appropriate departments and fully outlines the process and timelines to effectively address the issues.
John Gambale, head of personal liability, AIG, and Lexington Financial Lines Executive, U.S. and Canada, noted:
"When we think of a breach we think of hackers but it also can involve the human element: someone sending out an email with a wrong attachment that contains information about salaries or Social Security numbers."
That has caused significant financial damage to SMBs that have to notify all affected parties, Gambale added.
"So how to manage human capital is very important, to have the right management training in place and the right policies and procedures and having that automated as much as possible."
CRC | Crump's Koehn noted another important internal security consideration, one especially affecting SMBs. "It's known as 'bring your own device,' " he said. "People are using their own personal devices at work as well as company equipment, which gives the company less control in trying to protect all these things that are being used."
Another piece of that, Koehn added, is that so many employees are online all the time. "When I walk into the office with my laptop and my iPhone, which are mine, they automatically hook up to my company's network," he said.
Koehn's firm has just introduced a new cyberprotection program for technology companies with revenues under $75 million through its Corona Underwriters, which has partnered with Lloyd's of London.
Kyle Nieman, president and CEO of Amerinst Professional Services, Ltd., observed that in addition to laws that require companies to notify their clients of a data breach, there is also the responsibility in many cases to provide credit monitoring services for a period of time.
Tim Francis, Hartford, Conn.-based cyberrisk enterprise lead for Travelers, said the key, and he said this is especially true for SMBs, "is to make sure they're looking at each of the respective silos of security, whether it's technical or risk management, and the linkage between those operations and making sure there's an understanding of this at the management level. It's not a technical issue, it's not a human relations issue, it's not a physical security issue, it's all of these combined."
Francis emphasized that there needs to be an understanding that no process or system is impenetrable or without vulnerability.
"So like with many other things when you reach that conclusion that it's important to look for a risk transfer solution through insurance to protect against the outcome when systems and processes fail to protect," he added.
"There's a variety of different insurance products available in the market," Francis noted.
"Travelers, for example, just launched Cyber First Essentials, which is specifically for small commercial enterprises in which they get basic cyber coverage added to their general liability policies."
Surveying the landscape of cyber insurance offerings, Nieman at Amerinst sees everything from stand-alone cyber policies to coverage added on to professional liability policies or as a part of a general liability policy.
However the cyber policy is crafted, there is little doubt that the offerings are becoming much more plentiful and that prices are becoming decidedly cheaper.
At the same time, observed CRC | Crump's Koehn: "The automated hacking devices have gotten greatly improved. These devices allow the hacking of smaller companies more easily."
"If you're a small to medium-sized company it's really important to have a partner in the brokerage community who has a specialty in the area," noted Clark Schweers, a managing director in the Washington, D.C. office of BDO Consulting.
STEVE YAHN is a former editor with Advertising Age. He can be reached at firstname.lastname@example.org.
April 12, 2013
Copyright 2013© LRP Publications