It seems like every organization in the world has designated a month each year to raise awareness around a common issue, hobby, or interest. October happens to be Bat Appreciation Month, National Popcorn Poppin’ Month, and National Toilet Tank Repair Month to name a few. It is also National Cybersecurity Awareness Month.
For this reason (and also because many of us are spending more time working remotely), we thought it would be a good time to share what we are seeing in the commercial and personal cyber insurance space these days. We also wanted to share some cybersecurity best practices.
Trends We are Seeing:
There has been a sharp rise in cyber-attacks and cyber claims over the past few months as companies have transitioned to work from home environments. Remote work has unfortunately made businesses and non-profit organizations easier targets for hackers as employees are using home internet networks instead of corporate networks that might have stronger security.
Small businesses and non-profits are often easier targets compared to Fortune 500 companies as they do not have the same level of resources for cybersecurity or full time IT staff.
The most common type of claim recently is a ransomware attack, where malicious software infects your network and the hacker demands a ransom payment (usually bitcoin) in exchange for getting the system working again. We have had multiple clients this summer and fall experience ransomware attacks where large ransom payments were demanded and ultimately paid.
Commercial Cyber Insurance:
We understand cybersecurity and cyber insurance can be stressful and confusing topics. Many of our clients regularly ask us what is included in a cyber policy and what is the cost of a policy.
A commercial cyber policy typically starts with a $1 million limit and can cover:
- Liability and defense costs resulting from a data breach
- Cost of notifying customers or employees of a data breach
- Cost of the extortion payment in a ransomware attack
- Cost of working with IT and legal firms to recover from a cyber-attack
- Cost of restoring data and systems wiped in a cyber-attack
- Reimbursement of lost income resulting from cyber related business interruption
- Reimbursement of money stolen through a social engineering attack
- Regulatory fines and penalties
The premium for these policies varies and is based on the type of organization, annual revenues, and sometimes employee count.
Each insurance company partners with various cybersecurity, legal, and PR firms who can assist policyholders in the event of a claim. We have found it is incredibly important to partner with the right insurance company to have the best vendors available to help you respond to an incident.
Personal Cyber Insurance:
On the personal side, companies such as Chubb and PURE offer personal cyber insurance as an enhancement to homeowners policies.
A personal cyber policy typically includes limits of $25,000 to $250,000 and can cover:
- Costs related to extortion attempts and threats to release personal information
- Reimbursement of money stolen out of a bank account without client’s knowledge
- Cost of identity theft restoration
- Cost of cyberbullying services for children
- Cost of working with cybersecurity, legal, and PR firms to respond to cyber or extortion attack
The typical premium runs from $150 to $600 depending on the limits chosen.
Best Practices for Commercial Clients:
Clients also often ask us what steps should they take to protect themselves and their organizations from a cyber-attack.
Here are some best practices we would recommend for businesses and non-profits:
- Regularly meet with your IT firm or IT staff to discuss vulnerabilities and areas in need of improvement
- Keep a running asset inventory of all computers, mobile devices, etc. connected to your network
- Regularly review access rights given to employees for various internal systems and applications
- Remove old employees from applications, systems, and network on a regular basis
- Provide regular cybersecurity training to employees including phishing exercises
- Create formal information security policies and procedures for the organization
- Create incident response and business continuity plans to prepare in the event of a future incident
- Mock test the response and continuity plans so you know how you will respond to an incident
- Utilize Simpson & McCrady and other third party firms (IT, legal, etc.) as part of these exercises
- Back up critical data and systems on a regular basis
- Consider cyber insurance as a way to protect your organization from a future incident
Best Practices for Personal Clients:
Here are some best practices we would recommend for individuals:
- Do not click on links in suspicious emails or on suspicious websites
- Use multiple passwords for different websites, applications, etc.
- Use complex passwords with multiple characters, numbers, and symbols
- Do not use the same password for social media sites and personal financial sites
- Ask banks, financial advisors, etc. to authenticate funds transfer requests by phone
- Store passwords in a secure password manager application
- Regularly change passwords for critical websites and applications such as bank accounts
- Avoid sending sensitive information such as social security or drivers license numbers or dates of birth through email
- Avoid logging on to critical websites and applications in public places through public Wi-Fi
- Utilize two factor authentication for logging on to critical websites and applications
- Freeze your credit with Transunion, Experian, and Equifax to limit identity theft attempts
- Check your credit at least quarterly to monitor fraudulent accounts set up in your name
- Consider personal cyber insurance as a way to protect you and your family from a future incident
This can be a lot to digest if this is the first time addressing these risks. The important thing to remember is taking it one step at a time and consulting with a risk advisor to help you along this journey will help. Please do not hesitate to reach out to us at Simpson & McCrady if you’re interested in discussing the various risk prevention tactics and cyber insurance options available to you as a commercial or personal client.
About the author:
Will Simpson is an Account Executive at Simpson & McCrady. Will works with both personal and commercial clients and has personal expertise in cyber insurance. Prior to joining Simpson & McCrady in 2016, Will was a cyber underwriter handling Fortune 500 accounts for both Swiss Re Insurance and Zurich Insurance in New York City.
Last updated: 10/5/22