Cyber insurance is an emerging area of business insurance that covers your business from a myriad of different risks related to your digital presence. Most of the risks are tied to criminal activity – people actively trying to compromise your systems and networks for financial gain, or because they want to punish your business for some reason.
Here are some of the most common scams, how they work, how much they could cost your business, and how to protect yourself. All of the following would be covered, in whole or in part, by a cyber insurance policy sold by Mitchell & Whale.
Phishing is a scam whereby criminals send emails to victims and try to induce them to either wire funds directly, or open attachments/links that install malicious software on the victim’s computer. In the past, phishing scams were fairly easy to identify and avoid. An email from a Nigerian prince-in-hiding is unlikely to be legitimate, but even if it were, very few people would wire transfer more than a few dollars in response. These scams have become much more sophisticated, and today, you could get an email that looks like it’s from someone you already do business with, with what seems like a very legitimate request for funds related to a real business deal. Anyone could fall for this scam, it could cost hundreds of thousands of dollars, and cause big damage to your business’ reputation. Perhaps even more frightening is the prospect that a hacker impersonates your company to defraud your clients out of their money.
Malware is a type of software that, as the name suggests, is malicious in nature. It is specifically designed to do damage to your business systems. Your systems can become infected with malware if you click through a phishing email or if you go to a website that is infected. Once the software gains access to your systems, it could render them completely inoperable, it could destroy vital data files, it could even infect your hardware.
In one U.S. case from a few years ago, a small hospital was handcuffed by a malware outbreak that affected every one of their systems, and virtually shut down the business for more than two months. The total cost of the attack when all was said and done was over $7 million, the majority due to lost revenues when they had to reroute patients to other facilities. The bad guys in this case didn’t make a cent on the crime. Just wreaking havoc for the hell of it.
Today, many businesses store data in the cloud, via third party vendors. But just because you have a vendor managing your cloud presence, doesn’t mean you are immune from liability for what happens with the information you put there. A construction company in the U.S. had 10,000 customer records compromised when their cloud vendor got hacked. Although the cloud vendor was responsible for a portion of the liability, the construction company didn’t have the right processes in place for managing customer records, and that led to regulatory fines and costs related to notifying clients. Total cost of the cyber claim was over $1.1 million.
Ransomware is a variation of malware that allows a hacker to lock you out of your business systems. Your business could be infected if one of your employees clicks on a malicious attachment or link in an email. One day, you will come into the office and won’t be able to log into your vital business systems. Sometime soon after, you will get a message from an anonymous person letting you know that they’ve locked you out, and that if you want to regain access, you’ll have to pay a set amount of money to an offshore bank account, usually in bitcoin or another cryptocurrency. A small electrical contractor (not the kind of business you’d think would be targeted) was hit with a ransomware attack, and even though the ransom was only $5,000, it cost them more than $80,000 to get their business back to running normally.
Although a general liability policy usually offers some coverage for defamation or slander, the risks are much greater in the world of social media and online communications. Cyber insurance closes gaps in protection. This coverage came in handy in a case where the employee of a consulting firm made disparaging comments about a vendor in an internal email chain that eventually made its way back to the vendor. A defamation suit led to a settlement of more than $200,000, and the total cost of the claim, including legal costs, was over $300,000. The firm’s liability policy only covered a portion, but fortunately, they had cyber insurance to cover the rest.
Some cyber risks are exacerbated by legislation and regulation meant to protect individuals’ privacy and the integrity of their payment card information. Regulations requiring a business to notify clients if their data is compromised is one example of this. Another is the international agreement that applies to all credit and debit card purchases. It states that if a customer’s payment information is compromised, not only does the business have to notify the client, they also have to provide free credit monitoring for a period of one year. This happened to a clothing manufacturer in the states, which lost payment data belonging to half a million customers. The cost of the claim was over $14.4 million, including more than $3 million in fines, notifications and other costs related to the payment card agreement.
Cyber-criminals are not in the customer service business. When they infect your systems with malicious software, they don’t take steps to ensure that once you pay the ransom, everything goes back to normal. One recent ransomware attack targeted a technology company and included a very big ask, for 75 bitcoins (about $580,000 USD), a much higher ransom than would be expected, because the hackers did their homework, and determined that the affected systems were critical to the business’ survival. Although the cyber insurer (one of our partners) was able to negotiate the ransom down to 25 bitcoins, residual problems with the company’s systems led to them having to reimburse customers to the tune of $61,000, and in spite of this goodwill gesture, they still lost 14% of their customers, with a cost of about $230,000. Total cost of the claim was over $600,000 USD.
When online bad guys gain access to your customer records, whatever money they are asking for can seem like peanuts compared to the cost of having to notify your customers about the breach, and perhaps more importantly, the cost of lost customers because they have lost faith in your business. One such example involved an online retailer that got hacked and subsequently lost 90,000 customer records with credit card details into the hands of the hackers. It was estimated that they lost close to half a million dollars because of lost customers in the year that followed.
When a business has its systems infected by malicious software, the instinct is to get rid of that bad code as quickly as possible, in order to avoid costly downtime and additional liability. Sometimes, though, the fix can lead to larger problems. One such case involved a healthcare service provider that became infected with ransomware. As soon as the problem was discovered, the company directed its IT service provider to wipe all the affected systems clean. That got rid of the ransomware, but also deleted evidence that the company would have needed to avoid having to notify affected customers under U.S. federal privacy law. Although it was unlikely that patient records were compromised, the company had to notify 100,000 patients at a cost of $200,000.
Sometimes, there’s no hacker involved in a data breach. If an employee loses their laptop on the subway, depending on the level of security on that laptop and what kind of information it contains, anyone who happens upon that laptop could end up with access to thousands of customer files, passwords and other sensitive information. Likewise, if an employee accidentally attaches the wrong file to an email, a similar breach could occur. That’s exactly what happened to a poor recruiter in the UK, who attached a spreadsheet with 40,000 employee records to an email sent to a job applicant. This led to a number of current and former employees having their identities stolen, and legal and regulatory costs in excess of $325,000.
Want to add to this story? Let us know in comments below! Mitchell & Whale is a fast-growing insurance brokerage in Ontario, striving to make insurance _not suck_ one customer at a time. Give us a call today to discuss any of your insurance needs at 1.800.731.2228.