There was a time where the biggest worry in any industry was the cost of doing business and delivering a quality product or service to a customer.
However, when Dr John Lilly said that our only security is our ability to change, he essentially confirmed the belief that change is the only constant we experience in our lives.
We currently experience more change in a single year than our great-grandparents experienced in their entire lifetime. Every industry in the world is becoming increasingly defined by technology where the treadmill of change constantly increases its speed.
The industry’s safe harbour
In the midst of this, industries that deal with sensitive client information have found a safe harbour in the form of cyber insurance. While not a new concept or product, it is constantly changing form with each iteration being more comprehensive than the one preceding it.
However, it seems as if not every company is willing to bulk up their cyber protection. There are rumours among insurers that small and medium companies erroneously think they are immune to cyber threats.
However, this is untrue. Criminals are increasingly adopting hit-and-run tactics and we see them targeting businesses where they can make a quick buck. Cybercrime among smaller and medium-sized companies are at times some of the insurance industry’s biggest claims. Criminals target these companies because their IT controls are low and the skills dealing with these threats are in many cases not specialized.
This is a big issue which is only increasing in relevance. In the past, it was safe to sit back and say that the situation will be dealt with if it happens. However, the status quo has changed and is now a case of dealing with it when it happens.
Claiming ignorance will not be an excuse for much longer. It will eventually come to stage where company directors will be held liable in a personal capacity when a cybercrime is committed. Proactive steps need to take centre stage and become commonplace.
So how do companies go about this? The first step is to build a network of cyber specialists who will ensure that companies will be able to stay up to date and aware of the latest developments and lessons learned from international markets. Obviously, a lot of lessons will be learned from professionals who have already had to deal with a cyber incident.
Companies need to be on their toes when dealing with cybercrime. In essence, they need to think like a cyber criminal. They also need to realize that there is no blanket offering when it comes to cyber liability.
The cyber protocol of a company needs to go through a trial by fire to see whether it will withstand an attack.
Perhaps a good tactic will be to get in cyber specialists to do vulnerability testing and penetration testing. Once changes have been implemented, then retesting needs to take place. The seriousness of this cannot be underestimated.
Dropping the ball
There are other basic mistakes that companies are making.
Data has become the new oil within nearly every industry in the world. As such, it can be used as a major bargaining chip when dealing with a cyber attack. When one considers this, it is baffling that certain companies are still not splitting sensitive data from normal data. A distinction needs to be made.
Another major issue, which is of particular concern to brokers and advisers, is that social engineering is a major issue. Cybercriminals will log onto a social media page and copy the identity of a person, even the way that they speak. They then go about their business of committing crime. Directors and managers need to be aware of the threat. It is real and can be catastrophic.
While there is undeniably a debate in the industry as to whether there is a need for smaller companies to purchase cyber insurance, interest in the product is increasing.
I recently read an interesting article on techrepublic.com which highlights this. But there are many important differences between large and smaller companies when it comes to cyber insurance needs.
The article points out that large corporations are more likely to be targeted in hacks, buy coverage directly from insurers, and have their own legal, public relations, and technology expertise. Smaller companies are becoming cyber insurance buyers when they work with larger corporate partners. They usually shop through agencies and typically need outside crisis management help.
So it may be a sign of the times that United Parcel Service debuted cyber insurance coverage for smaller firms through its UPS Capital division last week.
The article adds that owners of smaller companies sometimes mistakenly believe that general business insurance covers cyberattacks. It doesn’t, and a cyber attack can easily cost a small business from $80 000 to $150 000, which could be avoided with a $1 million plan costing around $3 000 to $5 000 per year.
“That’s really what got us focused on it is we found that many of these small and medium-sized businesses don’t have the protection that they need,” Zamsky told techrepublic.com. “The impact of a cyber attack is going to get larger and get more devastating to their business as they start to grow.”
UPS can share its attack response experience and resources, not just offer standalone insurance services, he noted.
The article pointed out that businesses of any size may get tax breaks for having cyber coverage in the near future. The US government intends to re-introduce his Data Breach Insurance Act sometime in the current 115th Congress, spokeswoman Ashley Verville told TechRepublic. The bill ended in committee during the last term.
But in many cases, what pushes small businesses to buy cyber insurance coverage is when they don’t have a choice—larger partners of small companies often require it. Zamsky said UPS is probably involved in similar conversations with its own smaller partners. “I’m sure at some point, or if not already, those are conversations that are being had,” he said.
The article added that it’s definitely happening in telecommunications. Liza Navarro, in San Jose, CA, owns a Sprint authorized reseller called Wizardrix. She has just a few employees. “It is required by Sprint because technically we are Sprint in front of the customer,” she said.
Navarro bought a $1 million plan for $1,383 from CyberPolicy, of San Francisco, earlier this year. The plan covers liability, regulatory claims, breaches, and extortion. She was previously turned away by Hartford Financial Services for being too small. Her advice for fellow small-business owners is straightforward. “I think the best thing would be to understand the coverage that you are required [to have]. I would have loved to have a couple of quotes. I didn’t have a chance to do that,” she explained.
At the end of the day, cyber insurance is beneficial and is there to support companies in need. Can we afford not to use it?