In 2018 alone, Internet-enabled theft, fraud and exploitation caused $2.7 billion in financial losses in the U.S., and more than 900 complaints were sent to the FBI’s Internet Crime Complaint Center each day, on average. To learn more about cybersecurity risks and how to defend against them, we spoke with David Derigiotis, Corporate Senior Vice President, National Professional Liability Practice Leader, Burns & Wilcox.
What are the greatest cyber threats organizations face?
D.D.: In light of the COVID-19 pandemic, which forced companies and entire industry sectors to pivot rapidly to accommodate lockdowns, securing systems for remote workers is very important. Ransomware attacks and social engineering have increased since the start of the pandemic; these are major cyber threats that perpetually cause serious problems and financial harm. These kinds of attacks can and do cripple organizations of all sizes; those without the financial means to weather that kind of storm can easily go bankrupt.
What should companies be aware of relative to these risks?
D.D.: Companies can spend millions of dollars on cybersecurity and yet, if just one employee falls victim to social engineering tactics, many of the company’s technical safeguards could be bypassed. It is incumbent upon every organization to prepare and empower its employees to make smart decisions. Employees can be the strongest link in the cybersecurity chain, provided they have the right security and privacy awareness training. Companies should also invest in the right technology and operate in compliance with ever-changing privacy laws. Cyber and Privacy Liability Insurance serves as a financial backstop when cybersecurity measures fail; however, all of the front-end security and regulatory compliance resources that can strengthen an organization’s security posture can be equally important.
How does Cyber and Privacy Liability Insurance help respond to these threats?
D.D.: Cyber and Privacy Liability Insurance is an investment that provides returns on many fronts because it includes numerous resources, including cybersecurity awareness training, risk assessment and legal professionals to advise throughout the compliance process. Enhanced policy features can include business interruption coverage extending to a client’s service providers, cryptojacking, bricking of devices, definition of computer system to include cloud computing resources, and cyber terrorism, to name a few. Organizations in highly regulated industries like health care or that operate in states with more stringent privacy laws should take care to include adequate coverage for regulatory fines and penalties within their policy. Some notable state security and privacy laws include the California Consumer Privacy Act, Illinois Biometric Information Privacy Act, New York State Department of Financial Services Cybersecurity Regulation, and the Texas Medical Privacy Act, which is actually more stringent than HIPAA. As it relates to the insurance industry specifically, the NAIC Insurance Data Security Model Law is incredibly relevant.
How has COVID-19 affected organizations from a cyber risk management perspective?
D.D.: It has forced organizations of all sizes to fast-track changes they may not have been fully prepared to make. Rushing to get employees into a remote work setting, incorporating technology without a full vetting process, suddenly moving previously brick and mortar operations online—all of these actions expose organizations to new risks. Many organizations have dramatically expanded their digital attack surface in order to adapt and survive this health and financial crisis, and business operations and exposures have been reevaluated. This is why Cyber and Privacy Liability Insurance take-up rates have continued to grow by double-digits month over month, despite economic slowdowns.
What are the biggest opportunities for brokers in Cyber and Privacy Liability Insurance?
D.D.: Cyber and Privacy Liability Insurance is relevant to any business that operates in the twenty-first century economy. Any business that communicates electronically, uses third-party applications, or collects, processes or stores data, is vulnerable to cyberattacks and needs to have its cyber and privacy risks assessed and assets protected. The regulatory and privacy side of this coverage is often overlooked and undervalued. In 2019, multiple tech companies received some of the largest privacy fines ever issued and the U.S. regulatory environment is heating up. Top concerns for consumers and legislators include individuals’ privacy rights, consumer access to modify or delete data, data minimization efforts to prevent collection of personally identifiable information (PII), stronger FTC enforcement powers, algorithmic bias studies, facial recognition technology and surveillance, and transparency around how businesses collect and use personal data. Brokers need to understand this environment and advise clients accordingly.
What advice would you give brokers to increase their success in this market?
D.D.: As we become a more internet-enabled and connected society, the threat to businesses from some more traditional risks has been replaced to a large extent by threats from operating in a digital world. Understand how your clients’ operations have changed and what new exposures they might be facing as a result. Identify what customer data clients are collecting and be aware of the regulatory and legal environment in which they operate. Provide benchmarking statistics to compare what limit profiles peers in their space are purchasing along with relevant claims data, threat intelligence and overall costs the client can expect to incur should an incident take place.
What features of Cyber and Privacy Liability Insurance are specific to Burns & Wilcox?
D.D.: Through our exclusive partnership with Node International, clients have access to a panel of security vendors and services that can improve the posture of their organization. These are all available at a special price point, whether or not a client elects to purchase Cyber and Privacy Liability Insurance. This is not something that is readily available within the insurance marketplace—it is a unique offering Node International provides to clients. Another product exclusive to Burns & Wilcox through Node International is Cyberman365, a personal insurance product that addresses the digital risks of individuals and families. This product provides proactive monitoring and restoration services for identity theft and social media exposures surrounding cyber bullying and online predators, as well as addressing the internet of things (IoT) by helping protect home networks.
Cyber and Privacy Liability Insurance
WHY YOUR CLIENTS MIGHT NEED IT: All businesses are vulnerable to cyberattacks. Verizon’s 2020 Data Breach Investigations Report shows 45 percent of all U.S. company breaches involved hacking and 28 percent were perpetrated against small businesses. Statistics Canada reported in 2017 more than one-fifth of Canadian businesses experienced breaches that impacted their operations. Any organization that collects “personally identifiable” information is subject to state and federal privacy laws.
PROTECTS AGAINST: Costs associated with cyber threats and privacy violations such as data breaches, business interruptions and regulatory penalties. Can also help address exposures related to social engineering, ransomware and other data security perils of doing business in an interconnected, digital world.
EXPERT OPINION: “Any business that communicates electronically, uses third-party applications, or collects, processes or stores data is vulnerable to cyberattacks and needs to have its cyber and privacy risks assessed and assets protected,” said David Derigiotis, Corporate Senior Vice President, National Professional Liability Practice Leader, Burns & Wilcox, Detroit/Farmington Hills, Michigan.