Unlike traditional business risks, such as fire and workers compensation, the cyber-risk landscape continues to evolve. As with any relationship, agents must first establish trust and address risks honestly and then educate and provide practical and usable recommendations to insureds to minimize risk.
To do so, agents must expand their cyber-security knowledge. Those who don't risk losing business to competing agents, and being disintermediated by holistic solutions sold directly by a growing number of savvy, well-capitalized online insurance and security providers.
To many small and medium-size enterprises (SMEs) and their insurance agents, the terms "cyber security" and "cyber insurance" trigger equal amounts of anxiety and confusion. In the words of one security consultant, "People don't actually know what the names of the tools they need are. They don't know the proper, technical words that are going to lead them to a solution."
In our experience, most SMEs are not confident about the security of their networks. They are not sure what their biggest cyber risk is and are confused by the current information security landscape. Most know of other businesses that lost money and data to attacks targeted at employees that ended in ransomware or wire transfer fraud. These executives want to know the most cost-effective things they can do to reduce their exposure to cyber attacks.
A security consultant reflected that, when people see depictions of cyber incidents on television and in the movies, "the computer looks like some kind of magic box where somebody touches it, and zing! They've attacked our network and taken our children, and look, they've wilted our lettuce!"
Julie Haney and Wayne Lutters, "It's Scary...It's Confusing...It's Dull": How Cybersecurity Advocates Overcome Negative Perceptions of Security, University of Maryland, Baltimore County, August 14, 2018.
The Latest Scary Stuff
As many cyber-security experts will admit, the cyber-security industry is broken. Despite astounding market growth for security software and services, the increased frequency of attacks is equally astonishing.
In 2017, the cyber-security market was worth over $120 billion (up from $77 billion in 2015), yet the number of successful hacks continues to rise.1
Ransomware attacks saw a 350 percent increase in 2018.2
Only 10 percent of small businesses surveyed had a separate budget for cyber security.3
The 2018 Cisco Cybersecurity Report: Special Edition SMB found that 53 percent of midmarket companies in 26 countries experienced a breach.
Over 40 percent of companies have sensitive files that are unprotected and open to every employee.4
Most research suggests that more than 90 percent of successful hacks and data breaches stem from phishing scam emails crafted to lure their recipients to click a link, open a document, or forward information to an unauthorized party.
According to a survey by Barkly (now part of Alert Logic) of 60 companies hit by successful ransomware attacks over the preceding 12 months, 77 percent of respondents said the attacks bypassed email-filtering solutions, 95 percent said they bypassed firewalls, and 52 percent said they bypassed antimalware solutions.2
Cryptojacking is the covert use of a victim's device to mine cryptocurrency: malware, or a malicious script on a web page, consumes the machine's processing power (and electricity) for the attacker's benefit. It was one of the fastest-growing threats of 2018, with 25 percent of businesses surveyed reporting a crypto-mining infection.2
68 percent of US businesses have not purchased any form of cyber liability or data-breach coverage.2
Beyond Antivirus and Firewalls
Most small and middle-market executives assume that if they spend $40 per employee on a firewall, keep systems patched, install the latest antivirus, and use the cloud, they have a padlock on the door that keeps the bad guys out. All are sound foundations, but none is designed to stop today's ransomware, which arrives by email and runs the moment a user is tricked into opening it. Email fraud, credential theft, and compromised vendors bypass these controls entirely because the user, not the perimeter, is the target. In our experience, the most cost-effective controls that actually prevent loss are easy, cheap (if not free), and readily available.
Limit User Administrative Privileges
Ransomware is malicious software that encrypts a victim's files (and usually any network shares the victim can reach) and demands payment for the key to restore them. The most common delivery method is a phishing email carrying a link or an attachment disguised as a trusted file. Once the attachment is opened or the link followed, the malware runs with the rights of the logged-in user, encrypts whatever that account can reach, and displays the ransom demand. Denying users local administrative rights blocks a large share of ransomware (and other malware) from installing itself, disabling security tools, or spreading to other machines. It is not a complete defense: malware that runs in the user's own context can still encrypt that user's files and shares, so admin restrictions should be paired with tested offline backups and, where practical, application allow-listing.
Ransomware claims are best prevented by limiting user privileges, according to Crum & Forster Vice President of eRisk Nick Economidis.
We frequently offer insurance buyers the opportunity for a lower premium in exchange for implementing simple risk controls that, we believe, will significantly reduce the occurrence of the type of claims that we see most often. One of the things that we frequently will suggest is restricting administrative privileges on PCs/computer workstations so that software can only be installed by an IT administrator. We believe that this can significantly reduce the possibility of ransomware (or other malware) infecting the machine. If a user clicks on a rogue link or attachment, the machine will not install the malware because the user is unable to provide the administrator password (and even if they have the administrator password, we hope that the fact that the machine is asking for it will be enough of a warning).
Verizon's 2018 Data Breach Investigations Report attributes more than 93 percent of the breaches that involve social engineering to phishing and pretexting: a fake email designed to lure the recipient into clicking an infected link or document, or into forwarding information or money to an impostor. In our experience, the most effective form of training is the use of phishing simulations.
Phishing security tests measure how many employees are susceptible to email social engineering. A well-designed phish-testing program teaches employees how to spot a phony email and has a proven record of reducing the risk of a successful ransomware attack. Combined with conventional user training, the results are striking.
Phase one is establishing an initial baseline. A phishing test template is designed based on the employer's unique environment and a landing page (often a training site) is created for users after they click. The users are provided a summary of what was missed, and the employer is provided charts indicating "phish-prone" rate. Most vendors also provide a comparison to others in the subject industry vertical. Additional tests are sent out randomly during the course of the following 12 months.
Leading training vendor KnowBe4 conducted a study5 of 6,000,000 users in 11,000 organizations encompassing almost 250,000 tests. Across several industry verticals, initial baseline click rates ranged 25–35 percent for SMEs under 1,000 employees. At 90 days, rates ranged 10–17 percent, and at 12 months, rates dropped to 1.5–3.2 percent.
These programs are simple and easy to implement. Several vendors offer a free phishing-simulation service for companies with up to 500 employees, including online registration, monthly simulated phishing campaigns, and detailed analytics to isolate opportunities for improvement. For advanced versions, pricing runs from $5 to $15 per seat per year.
Multifactor Authentication (MFA)
In our experience, multifactor authentication (MFA) is possibly the single most cost-effective strategy for SMEs to mitigate a litany of risks. An insured can install antivirus and firewalls, deploy encryption, and perform vulnerability tests, but without multifactor authentication a single phished, reused, or guessed password walks an attacker past all of them.
MFA strengthens access security by requiring two or more independent factors to verify a user's identity: something you know (a password), something you have (a phone running an authenticator app, or a hardware security key), or something you are (a fingerprint). Most of us are familiar with receiving a one-time code on a phone to log in to a bank. Because a stolen or guessed password is no longer enough on its own, MFA blunts credential stuffing, brute-force attacks, and most phishing. Two caveats a practitioner will add: a one-time code is only as strong as the channel that delivers it (SMS codes can be intercepted by SIM swapping, and any code typed into a real-time phishing page can be relayed by the attacker within its short validity window), and push-based approvals can be worn down by repeated prompts until a tired user taps "approve." Authenticator apps are a better default than SMS, and phishing-resistant methods (FIDO2 security keys or platform passkeys) belong on administrators and anyone who can approve a payment.
Versions of MFA are available free with Office 365 and the Google suite (make sure your insureds turn it on!). Expect to pay up to $6 per user per month for advanced versions.
Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
Email spoofing is sending a message whose From address is forged so that it appears to come from a trusted sender (the insured's own domain, a bank, or a supplier). The objective is to trick the recipient into taking an action that completes a business email compromise: the growing category of social engineering attacks that so often ends in wire transfer fraud.
Domain-based message authentication, reporting, and conformance (DMARC) lets a domain owner publish, in DNS, a policy telling receiving mail servers what to do with messages that claim to come from that domain but fail authentication. It builds on two older standards: SPF (which servers are allowed to send mail for the domain) and DKIM (a cryptographic signature over the message). A message passes DMARC only when SPF or DKIM passes and the authenticated domain aligns with the domain shown in the From header. The published policy then decides what happens to failures: p=none only generates reports, p=quarantine sends them to spam, and p=reject refuses them outright. Note what DMARC does and does not cover: it stops others from impersonating the insured's domain to its customers, vendors, and employees, but it does nothing about lookalike domains (examp1e.com instead of example.com), so it complements phishing training rather than replacing it.
DMARC itself is free: it is a single TXT record at _dmarc.<domain> in DNS. It is not on by default, and SPF and DKIM must be in place first, so the web host or email administrator usually needs to help. The safe path is to publish p=none with an aggregate-report address, review the reports to find legitimate senders (payroll, CRM, marketing tools) that fail, fix them, and only then move to p=quarantine and finally p=reject.
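To make the policy and alignment rules concrete, here is an added example (not code from the article or from any DMARC implementation) that parses a DMARC record and decides, the way a receiving server would, whether a message passes and what to do if it fails. The domains example.com, attacker.example, and examp1e.com and the three records are constructed for the illustration, and the organizational-domain logic is simplified to the last two labels (real receivers use the Public Suffix List).

```python
# Constructed sample records for one domain at three stages of rollout.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"
STRICT_DKIM = "v=DMARC1; p=reject; adkim=s"


def parse_dmarc(txt: str) -> dict:
    """Parse the tag=value list of a DMARC TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and a p= policy")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """What a receiver does with one message under the From domain's record.

    from_domain: domain in the visible From: header (what the user sees)
    spf_domain:  envelope-sender (MAIL FROM) domain SPF was checked against
    dkim_domain: d= domain of a DKIM signature, or None if unsigned
    Returns (result, action): result is 'pass'/'fail', action is
    'deliver', 'quarantine' or 'reject'.
    """
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass and spf_domain
                  and aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
    return "fail", action


if __name__ == "__main__":
    # A spoof: From: example.com, sent from the attacker's own server, so SPF
    # passes for attacker.example and there is no DKIM signature for example.com.
    spoof = ("example.com", "attacker.example", True, None, False)
    print("p=none  :", dmarc_disposition(MONITOR_ONLY, *spoof))  # ('fail', 'deliver')
    print("p=reject:", dmarc_disposition(ENFORCING, *spoof))     # ('fail', 'reject')
    # Legitimate mail, DKIM-signed by the domain's own mail provider.
    legit = ("example.com", "bounces.example.com", True, "example.com", True)
    print("legit   :", dmarc_disposition(ENFORCING, *legit))     # ('pass', 'deliver')
    # A lookalike domain the attacker controls passes its *own* DMARC record,
    # which is why DMARC does not replace phishing training.
    lookalike = ("examp1e.com", "examp1e.com", True, None, False)
    print("lookalike:", dmarc_disposition("v=DMARC1; p=none", *lookalike))  # ('pass', 'deliver')
```

The first two calls are the whole rollout story in miniature: the same forged message is delivered under p=none (the reports still tell you it happened) and refused under p=reject. The strict/relaxed alignment tags matter when a provider signs with a subdomain such as mail.example.com; relaxed alignment accepts that, strict does not.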
Business Vendors: Get a Prenuptial
There is an increased awareness that vendors are often the weakest links in the security defenses of most organizations. In the past few months alone, we've seen several claims resulting not from actions (or inactions) of the insured but due to breaches suffered by contracted vendors. One involved a healthcare provider infected with ransomware delivered via a record transcription service with access to patient files. The claim resulted in over $100,000 of remediation expense and business interruption. Managing vendor cyber risk is not unlike contract risk management services that agents provide to clients for routine matters.
In addition to typical requirements, such as favorable hold harmless and indemnity provisions, vendor risk management contracts should include the following.
Descriptions of the personally identifiable information and protected health information and confirmation of authorized user access.
Minimum required security controls, including basics such as the use of firewalls, antivirus, patching, and encryption. Vendors also need to be compliant with relevant regulatory and industry requirements such as the Health Insurance Portability and Accountability Act and Payment Card Industry Data Security Standard when applicable.
A security audit clause, so the organization has the right to audit security controls periodically.
Incident reporting requirements, stating under what circumstances, how quickly, and by what means a security event is reported to the contracting organization.
Insurance requirements for a stand-alone cyber policy that include first- and third-party coverage parts. The contract should require additional insured status (when possible) and provide a minimum limit of $1 million.
Knowledgeable agents can assist an insured in conducting vendor risk management (VRM). Some agents use cyber-insurance applications as guides to develop templates. More complex risks need to consider VRM products that provide vendor security scores, vendor onboarding, and ongoing monitoring of third-party networks. VRM software products are easy to install and use, with prices starting around $500 per vendor.
Beyond a fundamental understanding of how cyber insurance responds to a claim, our most successful agents also possess a basic understanding of what security tools offer the biggest bang for the buck for their insureds. These agents close at 2–3 times the rate of agents relying on the insurance policy to sell itself and are most likely to retain business and keep new direct writing insurance platforms at bay.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
1 "At 12% CAGR, Cybersecurity Market Size Will Reach 300 Billion USD by 2024," Market Study Report, February 13, 2019.