Data breaches remain a serious threat for businesses across all sizes and industries. To learn more about how Cyber & Privacy Liability Insurance can help companies address this risk, Crain’s Content Studio spoke with Ryan Ascenzo, Senior Broker, Professional Liability, Burns & Wilcox Brokerage, New York, New York.
What are some of the greatest cybersecurity risks companies face today?
R.A.: Insider threats, whether intentional or unintentional, are a risk with all of us at work. Supply chain attacks have also been relevant. An attack can compromise data but also bring manufacturing and transportation to a halt with severe lost business income consequences.
What should business owners be aware of relative to these risks?
R.A.: They should consider their incident response capabilities, which is how fast companies can get back up and running. The evolution of cyber attacks is that they are getting more advanced. And, while we are getting better at protecting ourselves, there are an increasing number of resources a business would need to have at their disposal for systems to be unlocked, including getting forensics teams involved, notifying clients, and finding cyber attorneys. We may not have as many breaches happening, but the severity of a loss continues to escalate.
Which insurance policies can help them respond to these threats, and what are the limits and examples of covered expenses?
R.A.: Cyber & Privacy Liability Insurance would be the first and foremost policy to help them respond to the immediate security threat and its ramifications. The first-party coverages can include costs incurred by a company such as ransomware extortion, phishing, forensic costs, call center monitoring, notification, and business interruption expenses. Third-party costs can include any class-action lawsuits or regulatory fines and penalties that might stem from the breach. A company’s Directors & Officers (D&O) Insurance may also respond in cases where a lawsuit is filed alleging inadequate cyber management by directors, officers, or executives.
How has COVID-19 affected the Cyber & Privacy Liability Insurance market?
R.A.: Most companies were not prepared to have a fully functioning remote workforce, so that really added another avenue of exposures that companies had to protect from threats.
Are there steps that businesses should take or services they should invest in that complement their insurance coverage from a prevention standpoint?
R.A.: They should have some type of multi-factor authentication across remote and email access, data encryption and endpoint detection response or 24-hour monitoring. They should also look at additional steps as far as backup plans, and employee training from the risk management perspective. The more we know as employees, the better we can protect ourselves. The regulatory environment is also going to continue to change, as the government is trying to consolidate how we regulate cybersecurity. There is an evolution of making sure your companies are up to snuff as far as how your company is holding data. That is huge heading into the future.
Can you give me an example of a scenario you have dealt with that would be illustrative of the types of risks that we have been discussing?
R.A.: The leading claim is malware or ransomware. That can happen in any industry, and it is, essentially, when a hacker locks down your system and requests a monetary amount in some form of currency, whether that is the dollar or bitcoin. Once you pay these folks, it is usually tough to get your money back. Cyber & Privacy Liability Insurance can cover that.
What are the greatest opportunities for brokers to get into Cyber & Privacy Liability Insurance?
R.A.: Every business owner and individual has potential exposure to cyber liability. Everybody needs the coverage. This space is going to continue to evolve and change, so it is a good opportunity to help business owners protect themselves.
What advice would you give brokers to increase their success rates with these products?
R.A.: There is actuarial data that can give us the opportunity to present areas where companies may already be exposed on the dark web and may be susceptible. With the hardening market, you really have to put the cost perspective into the insured’s hands as far as what the overall cost of a breach could be in comparison to the insurance premium.
What questions should brokers be asking clients relative to these products?
R.A.: The main question is whether they feel they are susceptible to a cyber breach. There are so many breaches in the news and more companies are aware of the topic, but do they think they are vulnerable? Do they understand their security systems and backups? What do they think is more likely to happen – a property loss or a hack? If they understand the risk landscape and how their data is controlled, that can better help them understand what insurance product would be best suited for them. Not every company needs to be controlled like a bank, but they do need to have the minimum safeguards to qualify for insurance and to protect themselves, their clients, and their employees.
CYBER & PRIVACY LIABILITY INSURANCE
WHY YOUR CLIENTS MIGHT NEED IT: Attacks and data breaches can happen in any industry, and cyber attacks are getting more advanced. While not as many breaches are happening, losses are getting more severe and costs of recovery are steeper.
PROTECTS AGAINST: Ransomware extortion, phishing, forensic costs, call-center monitoring, notification, and business interruption expenses. Third-party costs can include class-action lawsuits.
EXPERT OPINION: “With the hardening market, you really have to put the cost perspective into the insured’s hands as far as what the overall cost of a breach could be in comparison to the insurance premium.