Week after week, hackers and cybercriminals launch new phishing campaigns, develop creative digital extortion threats, and expand scams with the potential to negatively impact business operations in a big way. Cyberattacks can halt online operations in only minutes and take weeks to resolve. In addition, a cyberattack that involves the loss of customer data can result in expensive litigation that seriously impacts a company’s bottom line.

Customers are also more likely to avoid businesses known to have experienced a cyberattack in the past, costing companies significantly in lost revenue and opportunities.² In fact, research indicates that the damage related to cybercrime is expected to cost $6 trillion per year by 2021.¹ On average, a cyberattack costs a small business more than $50K, and can cost larger enterprises millions of dollars.⁶

With numbers like that, it comes as no surprise that cyberattacks remain a primary concern in the business world. Recently, Cybersecurity firm FireEye announced that a sophisticated group of hackers broke into their network, and the U.S. government acknowledged that hackers backed by a foreign government breached the U.S. Treasury Department as well as another Commerce Department agency.^9,10 If a cyber security specialist and one of the country’s most secure departments with multiple controls and layers of security can be breached, then no organization is immune to cyber risks.

CYBER CLAIM COSTS & DRIVERS

After reviewing more than 2000 claims, a small subset of all claims, provided by 17 major underwriters and carriers of cyber insurance in 2019, Net Diligence found that the average cost of a breach for a small - mid-size company (SME) with less than $2 billion in revenue was $178K, while the average cost of a breach for large companies was $5.6 million.4 Net Diligence’s 2019 report also found that 43% of cyber breach victims are small and medium-sized businesses.¹ The majority of SME claims were caused by social engineering, ransomware, and hacking while larger companies were more often plagued by hacking, malware, or rogue employees.4 While the claims examined by Net Diligence may not be representative of all insurance companies or insureds, they do point toward cybercrime trends.

While the Finance and Healthcare sectors remain the most popular targets among hackers, insurers are now seeing increased interest in cyber insurance from the Education, Hospitality, and Manufacturing industries as technology continues to revolutionize the way businesses operate.^1,3 It’s no longer a matter of if, but when, a business will face a cyberattack. However, while the data clearly testifies to the havoc caused by cybercrime, less than half of companies have actually purchased cyber insurance.³ It remains unclear why cyber threats aren’t taken more seriously by all, but FICO, a data analytics company focused on credit score services, cites three possible reasons for this glaring disconnect:

1.   Small and mid-size companies assume they’re too small to attract cyber criminals.
2.  Organizational budgets are too tight to accommodate increased spending on cybersecurity.
3. There continues to be a lack of knowledge about what a cybersecurity insurance policy covers and costs.

Unfortunately, ignorance of an issue or vulnerability won’t excuse businesses from the consequences of failing to adequately protect against cyberattacks. CNBC recently reported that only 14% of small businesses have the means to defend against cyberattacks even though more than 50% of all companies reported a breach in the last year, and 60% of companies that suffer a cyberattack close their doors within 6 months due to an inability to recover.⁷ Information breaches can also result in extensive litigation and legal fees. For example, the defense costs for SMEs can range from less than $500 to $2.5M, and settlements swing from $1.5K to $6.8M.⁴ With the European Union’s General Data Protection Regulation (GDPR) now in effect, data breaches also have the potential to sink even the most financially solvent of companies due to the assessment of steep fines.

CHANGES AHEAD

The California Consumer Privacy Act (CCPA), a new law designed to protect the rights of Californian consumers, became effective on January 01, 2020. As the country’s strictest state privacy and data protection law, the CCPA raises the bar for businesses that gather and share consumer data. The new law applies to for-profit companies that meet any of the following criteria:

• Earn at least $25 million in annual revenue.
• Any company that collects, buys, or sells the personal information of 50,000 or more Californian consumers.
• Companies that earn more than 50% of their revenue from the sale of personal data.
• Companies that manage the personal data of more than 4 million consumers.

It’s important to note that the CCPA doesn’t just affect businesses in California. It impacts any business serving customers in California, no matter where the company is based, creating new potential exposures for businesses. Those that are non-compliant with the CCPA could become the target of litigation or face substantial fines. While there was an initial six-month grace period to enable companies to become compliant, that grace period expired at the end of June 2020. Therefore, companies would benefit from obtaining cyber insurance coverage to protect against any unforeseen or unintentional breaches of the law. As for the rest of the country, California is often a legislative front-runner, so it’s expected that the CCPA will act as a game-changer for the U.S. privacy landscape in the years ahead.⁸

BOTTOM LINE

Technology has changed how businesses interact, and the new reality for many organizations includes greater cyber risks. Now is the perfect time for companies to reinforce the use of basic cyber risk mitigation tools and practices to meet increased cyber risks head-on.⁶ A strong cyber insurance policy is yet another vital tool in protecting against the increased risk of disruption, enabling businesses to recover and continue to thrive.

Cyber liability insurance is available to help offset a wide variety of costs involved with recovery after a cyber-related security breach or similar event. Policies may include coverage for data destruction or restoration services, extortion, theft, hacking, and denial of service attacks. Liability coverage is also available to assist with losses sustained by others due to errors/omissions, defamation, or failure to appropriately safeguard data. Insureds can also benefit from regular security audits, post-incident public relations and investigative expense coverage, and payment of legal fees. Many carriers also offer a variety of comprehensive loss control and risk management tools helpful to business owners. However, insureds should be advised that not all coverage or policy forms are the same. There are some forms containing coverage issues that should be identified and corrected, if possible, with the help of a trusted insurance professional. Policy premiums remain affordable due to competition among insurers, but prices can vary with the industry, type of data utilized, and specific level of risk, along with other factors.

CRC Group’s knowledgeable insurance professionals with broad market access are vital partners for agents and customers as they evaluate ongoing cyber coverage needs. Agents with any questions should contact their CRC Group producer to discuss how we can help businesses prepare and protect against cyberattacks.

Contributors

• Darren Valencia is a Vice President located in CRC’s Nashville office and active member of the ExecPro practice group and member of the Cyber Specialty Team.
• Mark Smith is a Senior Vice President in CRC’s Seattle office. He is an active member of the ExecPro practice group and member of the Cyber Specialty Team.

ENDNOTES

1. 29 Must-know Cybersecurity Statistics for 2020, Cyber Observer, 2020. https://www.cyber-observer.com/cyber-news-29-statistics-for-2020-cyber-observer/
2. How Cyberattacks Impact Business, Web RTC World, November 27, 2018. https://www.webrtcworld.com/topics/from-the-experts/articles/440430-how-cyber-attacks-impacts-business.htm
3. Cyber Insurance Sales to U.S. Businesses Picking Up: Marsh, Insurance Journal, March 26, 2020. https://www.insurancejournal.com/news/national/2020/03/26/562458.htm
4. Cyber Claims Study 2019 Report, Net Diligence, 2019. https://netdiligence.com/cyber-claims-study-2019-report/
5. Mass Move to Work From Home in Coronavirus Crisis Creates Opening for Hackers: Cyber Experts, Reuters, March 18, 2020. https://www.reuters.com/article/us-health-coronavirus-cyber/mass-move-to-work-from-home-in-coronavirus-crisis-creates-opening-for-hackers-cyber-experts-idUSKBN2153YC
6. 1 in 99 Emails is a Phishing Attack, What Can Your Business Do?, Small Business Trends, July 12, 2019. https://smallbiztrends.com/2019/07/phishing-statistics.html
7. How Cybercrime Impacts Organizations and What You Can Do About It, Legal Reader, February 21, 2020. https:// www.legalreader.com/how-cybercrime-impacts-organizations/
8. California Consumer Privacy Act: How does it impact insurance?, Insurance Business America, February 7, 2020. https://www.insurancebusinessmag.com/us/news/breaking-news/california-consumer-privacy-act-how-does-it- impact-insurance-212978.aspx
9. White House Confirms Cyberattack Report on U.S. Treasury by Foreign Government, Fox Business, December 13, 2020. https://www.foxbusiness.com/technology/u-s-treasury-breached-by-hackers-backed-by-foreign-government-report
10. FireEye Breach Explained:How Worried Should You Be?, CSO, December10,2020. https://www.csoonline.com/article/3600893/fireeye-breach-explained-how-worried-should-you-be.html