Your star employee, who processes twice the average business in a day and receives hundreds of emails, gets what appears to be an action-required memo from the boss. In her haste to reply efficiently, she clicks on the link referenced in the email. While she is staring at a blank screen, the malware delivered through that link has already captured her credentials and is spreading through your company's entire system, unbeknownst to your employee or your IT staff.
Within half an hour, your proprietary data and your entire communications network are in the hands of a hacker, who may use that information to invade customers' systems, shut down your network or sell private personal data scooped up from your archives.
The costs of closing the breach and rectifying any damage done to your business and your customers could be astronomical. And if that cyber incident isn’t accidental, you could be looking at an employee crime.
The good news is that both intentional and accidental cyber losses can be insured. It’s just a matter of getting the right mix of coverage.
Cyber risk dominates threat concerns
Cyber risk remains the top concern for business executives across multiple surveys. From the record-setting Yahoo and Marriott data breaches to the infamous WannaCry and NotPetya ransomware, companies’ bottom lines and reputations have suffered.
Though many cyberattacks are perpetrated by hackers outside a company, insider incidents — whether intentional or accidental — are becoming more of a threat. According to a 2018 report from CA Technologies, regular employees and privileged IT users pose the biggest insider security risk to organizations, followed by contractors. The same research states that the most common cause of an insider incident is accidental exposure by employees.
Sixty-seven percent of cybersecurity experts interviewed for the report said they view phishing attempts as the biggest vulnerability for accidental insider threats. Phishing attacks trick employees into sharing sensitive company information by posing as a legitimate business or trusted contact and encouraging recipients to open malware attachments or hyperlinks to compromised websites.
Intentional cybercrime can include:
- data theft
- transmission of proprietary information to unauthorized entities
- social engineering (a form of cyber manipulation)
- fraudulent transfer of funds
- data lockdown
- malicious damage to systems
Do you want to learn more about the types of cyberattacks you could encounter? Read our blog, "Types of Cyber Attacks & How To Prevent Them."
Manage the risk of cyber threats from within
The most encompassing way to manage and avoid the risk of cyber threats is with an established Cyber Incident Response Plan.
The following are other ways you can minimize intentional or accidental cyber breaches.
- Analyze the risk. Perform a systematic initial qualitative assessment of your organization’s cyber risk to provide an enterprise-level foundation for a cyber risk management program.
- Get buy-in. All quality cyber-risk programs require buy-in from the top. Executives are typically most interested in affordability, return on investment and effectiveness. A top-down directive based on clearly stated goals, measured benchmarks and rewards for success can generate and sustain systemic hardening.
- Implement cybersecurity software and controls. In 2019, a group of large insurance companies announced they would collaborate to rate the effectiveness of cybersecurity software and technology. Businesses using highly rated technology would be eligible for better terms on their insurance policies. Types of controls to put in place include:
  - Identity and access management
  - Endpoint and mobile security
  - Cloud access security
  - Intrusion detection and prevention
  - Log management
- Train personnel. According to cybersecurity firm Sensei Enterprises, every time a company trains its personnel on cyberattacks, its risk of falling prey to phishing attacks decreases by 20 percent. Keeping employees educated about cybersecurity is the best risk management tool to thwart potential attacks. Employees should be adequately trained — and retrained often — to spot suspicious emails that could carry malware attachments or phishing links.
Cybersecurity insurance is another form of protection businesses should purchase as part of their risk management program.
What does cyber insurance cover?
While crime insurance, or a fidelity bond, may insure your business against some forms of internal cyber impropriety, such as theft or embezzlement, it likely won’t cover other kinds of bad cyber behavior — accidental or intentional. And your commercial general liability and commercial property insurance policies may have specific exclusions regarding cyber-based losses.
Cybersecurity insurance, on the other hand, is designed to mitigate losses from a variety of cyber incidents, including data breaches, cyber-related business interruption and network damage.
Typically, cybersecurity insurance policies can be written to cover first-party expenses (losses incurred by the named insured) as well as third-party claims (brought by those harmed by the policyholder's cyber incident). Although there is currently no standard cyber policy, the following are common reimbursable expenses:
- Business losses
- Breach notification
- Lawsuits and extortion
- Data restoration
- Replacement of damaged hardware or software
- Credit monitoring for affected victims
- PR professionals to prevent or lessen reputational damage
Many companies forgo available insurance, citing the perceived high cost of those policies, confusion about what they cover and disbelief that their organizations will be victimized by a cyberattack. In fact, only about one third of U.S. companies currently carry some type of cyber insurance, according to PwC.
The threat of cyberattacks is currently at an all-time high and is expected to increase in coming years as hackers grow more sophisticated and the amount of sensitive data stored on company servers and in the cloud grows. Small and midsize businesses are no less a target of attack than large companies and, in fact, may be more vulnerable because of their limited risk management capabilities.
A good mixture of crime insurance, cyber liability coverage, and cyber risk insurance with business interruption protection can enhance your cybersecurity program immensely. Your insurance professional can advise you on cyber insurance coverage and can also help with cyber-risk resources that should increase your ability to prevent and shut down attacks. Interested in determining what your specific business might need? Give us a call, or contact us.
Blue Ridge Risk Partners is a top 75 independent insurance agency in the United States. With 22 offices and counting throughout Maryland, Pennsylvania, and West Virginia and access to hundreds of carriers, we are able to meet your unique insurance needs.