Preparing Clients Against the Impact of Cyberattacks

Week after week, hackers and cybercriminals launch new phishing campaigns, develop creative digital extortion threats, and expand scams with the potential to negatively impact business operations in a big way. Cyberattacks can halt online operations in only minutes and take weeks to resolve. In addition, a cyberattack that involves the loss of customer data can result in expensive litigation that seriously impacts a company's bottom line. Featuring: Darren Valencia is a Vice President located in CRC's Nashville office, an active member of the ExecPro practice group and a member of the Cyber Specialty Team. Mark Smith is a Senior Vice President in CRC's Seattle office. He is an active member of the ExecPro practice group and a member of the Cyber Specialty Team.

The following is a transcript from this episode:

Dan Wentz: 

important subject today: how do you prepare your clients against the impacts of a cyber attack? It's a big problem, and not everybody's ready for it. CNBC says that only 14% of small businesses can defend against a cyber attack, and 60% of businesses that suffer a cyber attack close their doors within six months. Hackers are launching an attack every 39 seconds according to research, and experts predicted cybercrime will cost $6 trillion by the year 2021. Today, we're joined by two members of the CRC Cyber Specialty Team. Darren Valencia is from CRC Nashville, and Mark Smith is from CRC Seattle. They're both very experienced in placing these types of coverage, and they're going to get us updated. Next is the Placing You First podcast. I'm Dan Wentz, and this podcast features news and insights from CRC's vast knowledge base of 2,000-plus associates who write in excess of $10 billion of premium annually, and we're giving you insider access to what's happening in our company and the types of insurance we

Dave Foxx: 

place. This is the Placing You First podcast.

Dan Wentz: 

How has the cyber landscape changed in the last five years? What do you see, Darren?

Darren Valencia: 

Well, so first of all, I think we've been sort of in a pretty easy-going kind of world with cyber. I mean, you know, submission data was, you know, you only needed a certain amount of information, and you could pretty much get, you know, bindable quotes from markets of all sorts, I mean, whether it was your standard markets as an add-on to some other policy or whether you're buying standalone coverage, you know, from a surplus lines broker in the specialty markets. You know, we were on cruise control; the renewal process was fairly simple. A lot of times underwriters would just be looking for an update on, you know, whether there's been major changes within the business. But we didn't really get into, you know, really in depth about, you know, risk management, loss control, and certainly the controls surrounding ransomware. Now, it seems like almost as soon as we turned the page in the year, and I know it started a little bit back in 2020, where underwriters were starting to, you know, change their way of thinking. But we flipped the year, and all of a sudden we were in the hardest market cycle that I've seen, probably since the existence of cyber and technology, you know. And they're spending a lot of time reevaluating what accounts they have on the books. If it's large accounts, they're looking at the limit, they're really looking at limit management; if they're not comfortable with the controls, they're cutting limits and increasing premiums. Virtually all carriers have created an additional supplement or additional questions on to their existing renewal applications, looking deeper into those controls that they have for malware and ransomware attacks, as well as, you know, monitoring for phishing emails and things of that nature. Underwriters have really taken a consistent approach that it's almost as if they're re-underwriting every single account.
And this doesn't just impact our large, you know, five-, six-figure premium accounts and large limit accounts. This is impacting our small SME business as well.

Mark Smith: 

Well, yeah, it seems like every carrier has been coming out with a ransomware application the last month or two, and it's becoming mandatory. From an underwriting standpoint, I just have, you know, the three initials MFA, multi-factor authentication. It seems like you can't get a quote now with a lot of risks if they don't have multi-factor authentication, particularly with regards to email access, which a lot of our smaller firms don't have, I've been looking at. In fact, just today I had a renewal that came up, and the client said, "Yeah, we're going to get MFA implemented, you know, in the next several months." Well, those months are, you know, several months later, and we're finding out they still don't have it in force. And so my underwriter followed up, so my retention's going to go up from five to 10. I have another account, they jumped it from five to 15. So we're seeing MFA becoming absolutely mandatory. And that's not the... that's the case, but really it seems like with all the standard markets, so that's been a real wake-up call, because a lot of firms are a little slow to respond to this. I just think the landscape overall is just remarkably different. I mean, five years ago, you know, the kind of claims that were really talked about were the great big, you know, cyber hacks, you know, the Anthem attacks and Target attacks. And then, lo and behold, you know, in the last 18 to 24 months, you know, it's all been ransomware, ransomware all the time. You know, and now the ransomware attacks we're reading about, we're seeing... I haven't seen these, I've had a lot of ransomware claims, but I haven't seen them where they've also, you know, threatened to release their data as well, as, you know, a greater incentive to make the client pay up. But the amount of attacks that are coming out now are at such a pace where, like, you're probably seeing every week, we're having claims hit our books every week, and it's primarily ransomware attacks.
But don't forget the social engineering attacks, too. I mean, those were always in the background, but those are routine. I had an account that had three separate social engineering attacks. The first one was relatively small, it was 50. Well, it was just the precursor, of course, to a big payday. So they went from 50 to basically 100, and then they came up and went over several hundred thousand. And all told, you know, it's almost, you know, $300,000 to $400,000 they've been bringing in. So the landscape has really changed with the nature of the attacks, and the frequency has been increasing. And as you said, you know, the underwriting has changed dramatically. And I've seen, probably, some of our carriers now are putting lower sublimits on the ransomware. I mean, the ransomware coverage is really extortion, but, you know, they're putting sublimits on that, or even coinsurance, and one particular carrier that's really well known, that has three initials as their name, you know, sublimit, coinsurance, and that's really a problem. And then we have the other issue, too, that's changed the landscape, which came out last fall, was the Office of the Treasury. OFAC came out and said if you make certain payments, and these are on the OFAC list, which is basically saying you may be paying terrorists, you know, you may be subject to jail or a fine if you pay them. Well, what is the client supposed to do? You know, they've got to rely upon their cyber carrier, and how sophisticated is their cyber carrier to identify? You know, some carriers are saying, "Yeah, we can look at their blockchain wallet, we can kind of identify who we think maybe is on the OFAC list, and we'll have to tell you, don't pay," you know, so then you're not going to get your data back. And so that's going to lead to, you know, a major data restoration claim, business interruption claim, reputation loss claim, and potentially, you know, a breach response claim.
So these ransomware claims aren't affecting just, you know... it's not about paying that ransom, you know, it triggers so many different aspects of these policies. And I think a lot of our small SME clients just don't fully understand the nature of how these can just morph and expand out and cause them so many different types of losses under this policy they're purchasing.

Dan Wentz: 

So you talk about the costs associated with a cyber attack. What are those costs, right? What are these small clients, especially the ones that aren't very sophisticated when it comes to protecting their cyber landscape, so to speak, what are some of the costs they're going to experience if they have an issue?

Mark Smith: 

Well, I will say this, that NetDiligence came out with a report just recently. They said that the average cost of a ransomware attack, just the payment, okay? So that's the first cost to talk about, has gone from about $15,000 up on average to $175,000. Well, for a small client, $175,000 is a lot of money, okay? I don't care who you are, right? Particularly if you're, you know, if you're buying a 2015 level or cyber policy, you've got to be 175,000. Now, that's on average, okay. But we've also seen some of these claims, you know, have gone into, you know, the seven-figure account, and that's not that uncommon anymore. But then you've got to jump in. You know, the first thing clients have to do is you're going to have to do some sort of a forensic investigation, and that can run you $500, you know, five to $750 an hour to hire those forensic firms. A couple years ago, we ran into a client that had an event, and the forensic expense, basically, by the time they were done, had jumped up to $250,000. You know, they had to get somebody there; it was in a remote location, they actually flew somebody out, and it took several weeks. And that's an incredible amount of money for anybody to have to bear, especially a small SME account. So you're looking at the present costs, and then of course the business interruption expense while your network is down. I don't even really want to quantify that, because that's so different for each client, and how long it's going to take them to get the system restored. And this applies to any kind of event really, you know, if your network is down, so that can drive the cost through the roof. We had a client, it happened a couple years ago, we were looking at an event that basically cost over a million dollars of lost business income. So that was actually a combination of their loss of income and their clients that were relying upon them, because they were doing some hosting. So it was a very serious event.

Darren Valencia: 

Yeah. And then I also think, too, I mean, there's the long-term costs, you know, what trust is still with that particular insured business and with its client base. Do they have long-term revenue loss or income loss because of loss of clientele trust? You know, obviously with the cyber liability insurance policies today we work very hard to ensure that there's reputational harm expense coverage and things related to that, so that the insured can take advantage of that and do that necessary PR work. We all know how easily information and news can spread about pretty much anybody or any business with, you know, social media and, you know, regular TV media, so it can spread fast and get through, whether it's a small community or whether it's something on a national level. It can really impact the business long term, and, you know, the P&L statement.

Mark Smith: 

You know, with that recovery, you've got to restore your data to, you know, get back up and into operation. In, you know, some of the forms actually don't really cover recreating the data from scratch. Some just come out and say, we're going to basically pay you up until the time we find out that we can't actually recreate or restore your data, and you're done. But some of the policies, you know, will actually pay a lot and, you know, physically recreate the data, the electronic data. And I'm in a situation right now where it's becoming fairly contentious, because they have used their staff and hired outside independent contractors, and we've got all this overtime coming in right now. So they're paying their own employees some overtime, and they're using outside independent contractors. And next thing you know, you're talking about some... well, in our situation, we've got some serious money right now for overtime. And I hadn't really thought that through, because I hadn't had that situation before. So that's just one of these other things that might surprise some clients. They go, "Wow, that adds up quickly."

Dan Wentz: 

Yeah, so why should clients not handle these incidents on their own? I mean, there's probably some clients out there who think they can handle it, right? "We'll just make it go away on our own." Obviously, there's a lot of reasons that you guys have already specified. But what do you think?

Darren Valencia: 

I mean, you know, one thing that I think, going back to one example that Mark just mentioned about, you know, the issues we have with OFAC and how they're handling, you know, extortion payments. But again, I've actually experienced with some of my larger accounts that, you know, they've spent a lot of money on insurance, they buy large limits, they have sophisticated IT staff and support internally. They think that an incident or attack is manageable in the beginning. Once they realize that you're going to need, you know, a different type of engineer or forensics specialist to come in and really address the issue, because it's a larger problem than originally anticipated, you might have already created more problems for yourselves. The malware is in there, the bad actors could continuously be trying to steal information, they could continuously be committing fraudulent instruction claims or invoice manipulation type events while the, you know, IT staff is trying to address the problem. In that case, if you have insurance, and if a carrier tries to step in, you might have already created more of a mess. And again, it's all about, you know, expense management. The one thing is, while the costs continue to rise and evolve with cyber attacks, our industry, and especially the forensic side, has become efficient, and they have learned how to deal with things a lot quicker and differently than they did, say, 10 years ago. So it's really important to rely on the experts who have the experience, who are dealing with these data breaches every single day, and these cyber attacks, to get in there and do the work necessary to get networks back up and running, to ensure that that information is safe and protected. And, you know, I've had situations where a cyber attack turns out not to be as big of an issue as it was originally thought. And then vice versa.
We've seen those attacks where we thought it wasn't really that big of a deal, could probably be straightened out pretty quickly with some quick updates or changes within the network, and it turned out it was a real major problem. It was a massive attack and it created a larger-scale problem. So again, it's just like, we're insurance brokers. I would not, you know, if I was a non-insurance person, I would not go out and try to place my own insurance for my business. Same thing if I, you know, got sued: I wouldn't try to defend myself in a court of law, I would hire an attorney to represent me. It's the same thing. Let the cyber liability experts, the insurance carriers and the forensics people, represent the business owners and get the attacks under control quickly.

Dan Wentz: 

It sounds like, from what Mark said earlier, a small attack could turn into a big attack; it could be just the precursor to, you know, a much larger, much more sophisticated attack. They're just kind of feeling out. So if you don't respond quickly enough, it could turn into something huge.

Darren Valencia: 

And it could, from a regulatory... whether it's a regulatory issue because you didn't respond quickly enough, and, you know, there was a more traditional type of data breach where, you know, PII or PHI had been impacted. But also an example: it actually turned out to be one of my agents that had a malware attack. Their IT professionals took care of it pretty quickly, and it did not lead to any ransom or extortion threats. But about nine months later, they realized that the malware was still sort of lingering in their network, and they had a couple of social engineering type attacks. And they realized, it actually happened to be around tax season, they realized that they were unable to access some documents that were on a hard drive, that were important and were needed for their CPA to do taxes. So that information was lost, and it was going to cost thousands of dollars to have to recreate it. And so the problem manifested further, even though they thought that it was taken care of.

Mark Smith: 

Yeah, I have a story about a non-buyer. We presented the cyber coverage; we wrote the rest of their account. And we received the notice that they had midterm non-renewed their policy. We thought, "Oh, well, that's interesting." And, you know, you get a notice of, you know, requests, you know, loss runs, release, cancel policy. And we read in the Business Journal, just like a couple months later, here's our insured, we found out they went bankrupt. They had a cyber event, they didn't buy the policy, we had the quote in the file that was presented, they thought they didn't need the coverage. And here they had such a large data breach, and there's no way they could, you know, pay for the notification and then all the response costs, you know. And I thought about that a little bit later: well, they went bankrupt, but that still doesn't excuse them from a potential regulatory claim; they weren't able to even notify. So I thought, oh my gosh, they probably got sued as well, particularly because they're in California. I thought, there's a double whammy. So clients are thinking, "Oh, we can handle this on our own," you know, when it gets too expensive and they can't, it could force a lot of companies into bankruptcy. In fact, there were a few articles that came out a few years ago that talked about the number of SME businesses that did not survive a data breach and had to close their doors. You know, then to think about that they could have a regulatory claim following that situation, they're gonna be hurt.

Dan Wentz: 

The first thing I was gonna say is you hear a lot about cyber attacks, you'll hear about them in the news, but you don't hear about all the companies going bankrupt, or all the results from it. So it seems like a really, really big issue, especially the way you describe it, Mark. How has coverage changed recently? You know, cyber is definitely always evolving based on the attacks and the threats. And, you know