Cyberattacks—what every agency and small business owner should know

May 21, 2021

The insurance industry continues to beat the drum on this topic because the cost and frequency of cyberattacks is increasing. The potential harm to an independent insurance agency from a cyberattack or data breach could easily be catastrophic.

As small business had to shift to a virtual work environment, digitizing to connect with their customers and hold meetings with their employees during Covid-19, cybercrime has continued to grow. In 2021, as some workplaces begin to reopen their physical offices, many insurance carriers and agencies have made remote work, or a hybrid model with in-office and remote workers, a permanent fixture.

According to CyberCrime Magazine, “Global cybercrime costs are expected to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.” The article continued, “Data is the building block of the digitized economy, and the opportunities for innovation and malice around it are incalculable.”

Although many who read about high-profile incidents think they are somehow immune from an attack—they aren’t. In fact, their chances of falling victim to cyberattacks are growing, according to a 2020 report from the Ponemon Institute LLC, sponsored by IBM. The root causes of a data breach are: 1) Malicious attack (52%), 2) System glitch (25%) and 3) Human error (23%).

Now, consider the costs. Ponemon found that:

  • The average total cost of a data breach for a business with less than 500 employees is $2.35 million.
  • The average cost per record breached in the U.S. was $146, which is amplified by a remote workforce.
  • 80% of breaches included records containing a customer’s personal identifiable information (PII).
  • Lost business costs accounted for nearly 40% of the average total cost of a data breach, increasing from $1.42 million in the 2019 study to $1.52 million in the 2020 study.

The cost of a cyberattack
While you still may be thinking, “that only happens to big businesses,” think again. Insurance agencies and their small-business clients are susceptible to cyberattacks. CyberCrime Magazine reported that, “More than half of all cyberattacks are committed against small-to-mid-sized businesses and 60% of them go out of business within six months of an attack.

The 2020 Data Breach Investigations Report, published by Verizon, found that more than a quarter (28%) of cyberbreaches impacted small businesses. The financial and insurance industry accounted for 1,509 incidents in 2020 alone, 448 with confirmed data disclosure.

Cybercriminals use multiple tactics to commit wrongdoing. While the Verizon report estimates that nearly half of all 2020 attacks occurred through hacking (use of stolen credit), other common tactics include social attacks (22% were phishing scams), malware (27% ransomware); errors such as casual events; privilege misuse; or physical actions.

The average amount of time it took in 2020 to identify and contain a cyberattack globally was 280 days, with the U.S. averaging 237 days and a financial attack averaging 233 days. The longer it takes to contain the cyberattack, the higher the costs.

Reduce your cyber risk
Verizon found that external actors caused 63% of cyberattacks within the finance & insurance sectors in 2020. Independent insurance agents are business owners themselves, and as such, should know how to reduce their own cyber risk. Here are some suggestions:

Insure against cyberattacks. Look for a policy that provides coverage against ransomware/cyberextortion and offers proper limits to cover the list of post-breach response expenses, including legal fees, notification costs and reputational repair.

Train employees to be proactive. Internal actors account for more than one-third (35%) of last year’s cyberattacks, according to the Verizon report. That is why independent insurance agents and their employees must know how to prevent cyberattacks and how to identify them.

Start by implementing some cybersecurity best practices, including updating your software; using a password manager with data encryption or implementing complex passwords; and securing your Wi-Fi network. (Get additional tips from the U.S. Department of Homeland Security’s website.)

Next, fortify the frontlines of cybersecurity: your email inbox. When an employee opens an attachment containing malware, it can compromise your system. Today’s cybercriminals are increasingly clever when it comes to disguising malicious emails. That’s why email tricks, such as phishing and pretexting account for nearly all social cyberattacks, according to the Verizon report. Teach your employees to separate the phony from the authentic.

With the expansion of automation, denial of distribution or denial of services is common.

It’s about employee awareness, training, making others aware of what is out there and what is occurring. This is a changing task, and security measures of today may not prevent a business from a cyberattack in the future.

Appoint a cyber incident lead and test your response plan. All businesses should appoint an incident lead who can identify a cyberattack among the staff. With human resources, the incident lead can train staff and distribute communications to educate everyone on how to identify a cyberattack and the critical importance of reporting anything suspicious immediately.

Once an attack occurs, the incident lead must identify the type of attack; determine its severity; learn what information was accessed; compile an insurance report; and notify law enforcement as needed. The incident lead should disable compromised accounts; compile all IP addresses involved; insist that all users change their passwords; and notify people who must access the compromised accounts. To start this process, contact your insurance company’s breach response coach immediately.

Your incident lead should have a cyberbreach response plan in place and test it. If there is a breach, the person will know what takes priority and to whom to reach out to immediately. If a small business buys a cyber insurance policy, but never tests the process on reporting a compromised event, it won’t understand the critical steps to take. This may be detrimental to the business or the ability of the insurer to contain the breach quickly.

Understand how and what data is being protected. According to an article by the technology company, Ciena, there are three pillars to protect your data: confidentiality; integrity; and availability.

  • Confidentiality requires that customer data remains confidential at all times. This requires an end-to-end security solution protecting network traffic from the end point to the data center.
  • Data integrity combats cyberattacks by ensuring that information and flows are not altered through unauthorized methods.
  • Availability can be maximized using advanced network analytics. Analytics and reporting identify anomalous network behavior and empower your team to respond to cyberattacks faster.

While protection is important, don’t make it so difficult to get through your computer that employees can’t get to the documents they need. For example, a client record is much more important than a business brochure. Your agency and its small business clients can save money by being aware of what needs encryption and what doesn’t. Segregating just the important data and keeping other files accessible will drive down IT costs, which will enable small businesses to afford cyber insurance.

Some cyber insurers offer data breach cost calculators to help small businesses estimate costs to recover from a cyberbreach. As data breach estimates are based on claim history, the independent agent’s prospects or existing clients can learn the levels of exposure that go into having a breach, the costs associated with each step of the process and how many steps are involved in recovering from a data breach.

Cyber criminals are casting a wider net with cyberattacks than ever before, so make sure your agency is insured; the full staff is trained; and you are prepared for the very worst. Then make sure your small-business clients are doing the same.

Written by Matt Masiello, CEO of SIAA. Reprinted with the permission from PIA Management Services Inc.