Protect Company Assets by Mitigating Cyber Risks

By Sean P. McGee, JD, CPCU, Vice President, USI Insurance Services LLC

Cyber threats and insurance have become a ubiquitous business issue. Insurance is intended as a vehicle to transfer catastrophic risk to carriers contractually in consideration for premium dollars. There is no coverage area where the risks evolve more rapidly than cyber, and so the insurance must evolve with it. 

State of the Cyber Marketplace

COVID-19 and the increased work from home environment has exacerbated cyber issues. Human error continues to drive ransomware and cyber-crime events. Ransomware attacks and network intrusions were up 715% in the first half of 2020 when compared to the year prior. The most robust cyber protocols cannot prevent an individual from clicking an email they should not. For small- and medium-sized enterprises, the average cost of downtime related to ransomware is roughly $141,000, a more than 200% increase over 2019. Four years ago, the average ransomware demand was under $50,000. Today, insurers have received ransomware demands in excess of $25,000,000. 

Cyber-attacks can result in negative consequences beyond a company’s financial position. In September 2020, a patient death was directly linked to a ransomware attack against a hospital in Germany. Moreover, a business’s reputation can be nearly impossible to regain. The potential loss of customers, investors, and other stakeholders following a cyber event is an ancillary cyber risk that must be considered. 

As these large claim trends continue to impact carriers, the cyber marketplace is firming.  Companies with IT vulnerabilities have seen coverage withdrawn. Those with better internal protocols still have seen large premium increases. Carriers are offering smaller limits, increased retentions, and increased waiting periods. Beyond ransomware, carriers have expressed growing concerns around third-party privacy claims as new legislation looms. As the marketplace has changed so dramatically, it is incumbent upon businesses and their insurance brokers to start their renewal and application process much earlier than previously required.

Cyber Application and Risk Management Best Practices 

The application process has evolved with the marketplace. The questions and scrutiny undertaken in the application process is more intensive than before. Carriers now want to ensure best practices exist to mitigate future claims. Those best practices include pre-screening emails for potentially malicious attachments/links, enforcement of multifactor authentication (MFA), remote access controls, next generation antivirus use, endpoint detection and response use, use of MFA on privileged user accounts, and backup and recovery policies. Deficiencies in these areas will result in severely limited coverage or the inability for a business to obtain cyber insurance at all. It is critical to engage the correct team members or outside vendors to help in this application process to achieve expansive coverage offerings. When even the most lucid company protocols fail, insurance exists to make a business whole in the event of a covered claim.  

Key Coverage and Non-Cyber Considerations 

It is critical for businesses to ensure that their cyber policy will respond to most of the potential events occurring in the marketplace. Standard cyber policies often have several inherent coverage gaps and weaknesses that can lead to uninsured losses and expenses. Some of those key coverage areas include business interruption coverage, cyber extortion and ransomware coverage, social engineering/phishing attacks, and data breach event response costs including fines and penalties. 

Cyber-attacks are not just an IT issue, but are an enterprise-wide issue. They can impact other areas of a business as well. Examples include: mergers and acquisition implications in uncovering previously unknown cyber risks during due diligence; directors and officers coverage implications can arise in lack of oversight allegations and failure to formulate a plan of action for cyber risks; lastly, business owners and CFOs must also make sure cyber coverage dovetails with crime, employment practices, and general liability coverages as well.

Seek Professional Advice When Necessary 

If a business doesn’t currently have cyber coverage in place, engage professionals to understand which cyber threats pose the largest financial and operational impacts to the organization and work on a cyber preparedness and response plan. Even if a business does have coverage in place, work with professionals to review the language to ensure it responds to the many risk issues previously discussed.

For more information, contact Sean P. McGee at 513-852-6459 or Sean.McGee@usi.com.

USI is a Goering Center Sponsor, and the Goering Center is sharing this content as part of its monthly newsletter, which features member and sponsor articles.

About the Goering Center for Family & Private Business
Established in 1989, the Goering Center serves more than 400 member companies, making it North America’s largest university-based educational non-profit center for family and private businesses. The Center’s mission is to nurture and educate family and private businesses to drive a vibrant economy. Affiliation with the Carl H. Lindner College of Business at the University of Cincinnati provides access to a vast resource of business programing and expertise. Goering Center members receive real-world insights that enlighten, strengthen and prolong family and private business success. For more information on the Center, participation and membership visit goering.uc.edu.