VOL. 10 | NO. 35 | Saturday, August 26, 2017
Computer Attacks Underscore Need for Cyber Insurance
By Andy Meek
The cyberattack that hit FedEx subsidiary TNT Express in June, temporarily disrupting the company’s worldwide information systems, was a reminder about the fragility of digital systems that Herb Davis didn’t need.
FedEx subsidiary TNT Express was hit by a ransomware virus in June that caused widespread disruptions in its worldwide information systems. FedEx later disclosed it did not have cyber insurance to cover the attack. (tnt.com)
Among the facts that emerged in the aftermath of the Petya ransomware virus entering the TNT system through the company’s Ukrainian operations before spreading to the whole system, was that FedEx didn’t have any kind of cyber insurance plan to cover the attack. Davis, a vice president with Smith-Berclair Insurance in Memphis, has been writing such policies for years and wishes more companies – especially small businesses that don’t have the deep pockets of a company the size of FedEx – would decide to use them to proactively protect themselves.
The benefits of such plans typically include things like covering a business’s liability when its systems are breached, leaving the personal information of customers exposed and vulnerable to electronic theft.
Meanwhile, despite the barrage of headlines about attacks and data breaches across the corporate landscape, Davis said he still finds too many companies with dangerous misconceptions about what they need to know – one of the most common being that they’re “too small” to get attacked.
“Many small businesses think that because they’re not Blue Cross or Home Depot or Target, that they’re too small to bother with it,” he said. “And that’s not true. Criminals like to go after the low-hanging fruit. And small businesses represent the low-hanging fruit.”
Davis says the first standalone cyber policy he wrote was for a law firm that practices family law, including a lot of divorce cases.
“I was talking to the managing partner, and I said, ‘Tell me, what kind of financial information do you have on your clients?’” he said. “She rolled her eyes and said, ‘We have everything. Their social security numbers. All their bank account numbers. All their investment numbers. Driver’s licenses. Everything.’”
That “everything,” of course, being a target-rich environment of personal, identifying information that cyber-crooks could use to wreak havoc on not just a small business, but the lives of its clients. And what likely comes as no surprise: the frequency and severity of such attacks is expected to only get worse with time.
Charmy Shrode, vice president of underwriting for Tennessee-based insurer SVMIC, points to forecasts that suggest health care organization will soon be the sector most targeted by cyber criminals.
“As a physician-owned mutual insurance company providing medical malpractice insurance to the majority of Tennessee’s physicians, SVMIC understands this risk and the concern it creates among health care providers, as well as patients,” Shrode said. “To help our policyholders address this risk, we collaborated with NAS, a leading provider of cyber coverage, to offer a limited cyber benefit to our physicians.”
Shrode says the company also encourages all health care providers to assess the risks in their practice and buy additional supplementary cyber coverage as needed.
In terms of the kinds of coverage that’s out there, Lipscomb Pitts Insurance senior vice president Sonya Dunn said her firm works with many carriers offering products that can respond to the different needs of clients.
The policies, she explains, are generally written to cover things like the expenses, damages, regulatory fines and penalties that occur with a cyber-related event or privacy breach.
“Recently, some clients were struck by the Petya ransomware attack where their computer systems were locked down until they paid the extortion in the form of bitcoin demanded by the culprits, or either restored their systems to their latest unaffected backup,” she said. “Coverage for this type of event is provided by cyber extortion or network extortion clauses added to a cyber policy.
“Security event costs or notification costs cover the expenses related to a privacy breach. These expenses can include mailing costs for notices, credit protection, computer forensic costs, as well as public relations costs to protect the insured’s brand and reputation. … The coverage forms from the carriers are not standardized, so each one should be reviewed and compared to find the best policy for the customer.”
Another benefit her firm provides clients is online training resources for their employees to teach them practical steps to avoid risk. She adds that along with the purchase of coverage, many carriers also offer cyber security training, best practices guidelines, risk assessments, incident response planning, as well as newsletters and support hotlines.
Still, the misconception that small businesses need to disabuse themselves of is that it can’t happen to them.
“There are people out there,” Davis stresses, “especially hackers operating out of Eastern Europe, China, who are constantly trolling, looking to find breaches and get private information.”