ransomware

Ransomware: Are You Protected?

Estimate, protect and insure your organization for cyber liability

If you were one of the fortunate organizations that survived last weekend’s worldwide ransomware attack, you might be asking some serious questions right now:

  • What would happen if we were attacked?
  • How would we handle it?
  • How much would it cost?
  • Are we insured for it?
  • If not, how much would that cost?
  • What are we doing to protect ourselves?

As it happens, we asked one of the country’s top cybersecurity insurers to talk with our clients in early May about those very questions. Michael Costello, of Evolve MGA, started his career working with technology-related errors and omissions insurance. That gave him a front row seat for the evolution of cybersecurity risk management. Today, his firm is one of the best in the country on this subject.

Given the involvement of cyber liability concerns in the recent election, Costello said, the topic has gone well beyond the business world and will be making headlines for the rest of our lives. Some telling statistics:

  • Cybersecurity is the No. 1 sector for private-equity investment right now.
  • We’ve seen a 6,000% increase in ransomware attacks since 2013.
  • At an average of $4 million per incident, data breaches are expected to cost businesses $2.1 trillion in the next year.

Three Main Attack Types

1 – Ransomware locks your data

In a ransomware attack, the hacker encrypts all your data and demands a fee – payable by untraceable bitcoin – to release it. The average cost of such attacks, said Costello, is $6.5 million. And, while 70% of executives give in to the ransom demands, you can now hire an expert to unlock your data for you – and close the back door that allowed the hacker in.

2 – Hackers steal data

In a classic attack, hackers steal information about your clients and other stakeholders. They’re usually located in countries with lax regulations. And they seldom use the data themselves; this type of data often gets sold and re-sold.

3 – Social engineers gain access to cash

Over the last few years, we’ve seen the rise of social engineering – where a hacker finds a way to trick employees into sending money or financial access information to a third party. Too often, we’ve heard about a CEO impersonator sending an urgent message to the CFO while on vacation, asking her to wire money to a client’s account. With a tiny, almost unnoticeable change in the email address and account number, the hacker has tricked the CFO into sending him a large sum.

You are at risk!

While large companies like Target and Ashley Madison get the most attention, Costello said 80% of hacking happens in small and mid-size organizations. If you have a website, you are vulnerable!

You can quantify your exposure

Costello shared a simple formula his firm uses to help you quantify your risk. First, look at the type of information you’re collecting. Do you have customer names, Social Security numbers and financial information? Next, consider what a hacker could do with that information. And then apply an “x factor” to get a rough estimate of the coverage you may need.

Stolen data usually falls into one of three categories: personally identifiable information, payment card information or protected health information.

To calculate the cost for lost personally identifiable information, he listed these components:

Notify employees or customers affected $3 per person
Forensic analyst to find out what’s been taken and how $350 an hour for a week
PR firm to handle reputation damage $150 per hour for 10 hours
Legal advice $250 per hour for 8 hours
Credit monitoring service for everyone affected $7 per individual
Class action lawsuit ???

When payment card information is stolen, you’ll need to add fees for:

  • Payment Card Industry fines (up to $500,000)
  • Card re-issuance
  • Fraud committed on the cards

The third category, protected health information, is the most costly exposure and brings the highest value on the dark web. In addition to the costs noted in the table, you’ll have to add federal fines of $100 to $50,000 per record, up to $1.5 million. States also regulate this activity; California can demand up to $1,000 in fines payable to the consumer for each record lost.

Finally, recovery from a general hacking attack can require these additional expenses:

  • Business interruption costs
  • Data restoration costs
  • Cyber extortion demands
  • Personal funds stolen

You can protect yourself

In addition to seeking insurance coverage for cyber liability, you can take immediate steps to protect your organization:

  1. Educate employees about identifying suspicious emails. You can even hire a phishing company to test employees’ diligence.
  2. Disable all macros on Microsoft Office. They offer easy ways into your system.
  3. Automatically update your anti-virus software.
  4. Back up all critical data on your main network at least weekly.
  5. Update all operating systems, passwords and applications. (Costello suggested using the LastPass app to store all your passwords with encryption.)
  6. Create an incident response plan. Know what you’ll do when a data breach happens and practice it regularly.

Best insurers partner with you

Rather than traditional one-way protection, the better cyber liability insurers will partner with you to analyze your system for vulnerabilities, help you create a risk-mitigation plan and assist you with an incident response plan. Evolve MGA will even pay 25% of the cost for services to improve your security.

Chances are good that you’ve taken some steps to tighten your network security. Given recent events, now’s the time to take it up a notch.

See also:
Ben Franklin Advice Holds True for Cybersecurity

Is Your Nonprofit Cyber Safe?

Cyber Risk: Is Your Head in the Cloud?

The Four Do’s of Safeguarding Protected Health Information

ransomwareBy Chris Miller, ARM, CAWC, Commercial Insurance, The Miller Group

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *