Cybercrime is becoming increasingly costly and prevalent, and experts say it’s a matter of when, not if criminals will try to attack a company or organization.
A December 2020 McAfee Corp. report, conducted along with the Center for Strategic and International Studies, found cybercrime costs the world economy more than $1 trillion annually, or just more than 1 percent of global GDP, an increase of more than 50 percent from a 2018 study that found global losses were nearly $600 billion.
Ransomware attacks have dominated news coverage, including Colonial Pipeline, the nation’s largest fuel pipeline, paying $4.4 million to hackers who breached its system. In May, JBS Holdings, which is the world’s largest beef supplier and has operations in Green Bay, paid $11 million to ransomware hackers.
Dave Hynek, general manager of Commercial Lines Marketing for Acuity Insurance, says the ever-evolving nature of cyberthreats means insurers and businesses must remain ever-vigilant. “Bad actors find new ways and develop new technology to efficiently infiltrate systems. Installing malware on computers, holding systems and data for ransom, tricking users into providing information, these are all ways that the bad actors who conduct cyberattacks make money.”
Businesses and organizations must take a multipronged approach to protect themselves, and cyber insurance is often part of the equation. If an organization does suffer an attack, policies can help pay for the resources needed to get back to business.
“In the last six months, we’ve seen, really, an explosion,” Jason Navarro, director of cybercrime insurance and risk management for R&R Insurance, says of the uptick in cybercrime.
While ransomware attacks have gotten a lot of attention, cybersecurity risks of all kinds have increased. Several factors are contributing to that, including more people working remotely and using personal computers and phones to do work, vulnerabilities inherent in working with third-party vendors and customers, and the ongoing threat of longstanding but still pervasive email phishing schemes, says Dan Trochil, assistant vice president, commercial lines for Integrity Insurance.
To make efforts to infiltrate more potent, Navarro says criminals also turn to social engineering to manipulate people into giving up information more easily. Social engineering can accomplish this through techniques that put people into a heightened state of emotion such as fear or curiosity, creating a sense of urgency, and building trust. The treasure trove of information many people share on social media doesn’t help matters and can allow criminals to create more tailored attacks, he says.
Hynek says no business or organization is immune. “Recently, the well-known attacks in the news have affected many consumers, whether it be oil or meat production, so it’s easy to associate attacks with large corporations. The reality is businesses of all sizes are at risk for being subject to a cyberattack.”
Prevention the best policy
While cyber insurance coverage helps in the event of an incident, once a company suffers an attack, it endures other fallout, including reputational damage and the possibility that customers or consumers could lose trust. That’s why insurance companies recommend taking proactive steps to prevent attacks.
“That’s the No. 1 thing we preach is prevention, and the training is the biggest piece of that,” Trochil says.
Though attacks continue to evolve and grow more sophisticated, Trochil says the ways to avert them change little over time, and they often come back to educating employees. Integrity Insurance works with cybersecurity services firm CyberScout to educate both itself and the companies it insures.
When working with businesses, CyberScout can create practice phishing emails. Phishing remains the easiest way for cybercriminals to access a system, through an individual clicking on something malicious and opening the system to a potential breach. If people fail, they receive a notification to that effect and the IT department gets notified, prompting it to have people go through additional training.
Navarro says employees making a mistake is still the top cause of breaches. While the IT department plays an important role, it can’t control for employees clicking on something malicious. In the mock attacks R&R leads, it sees a failure rate of 34 percent, and it only takes one person to let in a bad actor. That’s why education is vital.
With more people working away from the office, Integrity Insurance also stresses the importance of employees using virtual private networks that provide online privacy and anonymity by creating a private network from a public internet connection, as well as multifactor authentication. Other commonsense steps include password protecting everything and choosing passwords that are difficult to guess and changing them often.
To prepare for attacks, Hynek says organizations should maintain a list of roles and responsibilities for incident response team members as well as contact information for third parties that may need to intervene in the event of an attack, such as the insurance company, legal team and public relations firm. He says it’s also a good idea to test the plan regularly and notes that some cyber insurance policies require businesses to use specific companies or processes to get full coverage through cyber insurance.
R&R helps companies by creating a four-step continuity plan before an attack happens. “You have to prepare for the event before it occurs, because it’s a really bad time to figure out on the fly when something happens, where do we go, who’s going to help us?” Navarro says.
He adds that it’s important to work closely with an agent to determine what types of coverage an organization needs. It’s vital for businesses to understand their cyber policy’s inclusions and exclusions. Companies will want to make sure the policy covers as they expect it will, and it should provide coverage tailored to its specific industry.
Acuity, for example, offers a single product that covers a variety of cyber threats, including data compromise response expenses, identity recovery, computer fraud, misdirected payment fraud, computer attack fraud and cyber extortion. Hynek says the insurance industry has seen the percentage of organizations purchasing cyber insurance jump from 25 percent in 2016 to nearly 50 percent in 2020.
In an ideal world, prevention will work. But in the event of an attack, a cyber policy is designed to cover the costs of the response, which may include a rapid response IT team, public relations, legal services and negotiators. “They will swarm on you like no other. That’s what you should expect. That’s what you want,” Navarro says.