As cyberattacks continue to cause significant financial losses for businesses of all sizes, Cyber & Privacy Liability Insurance is increasingly vital. To learn more, we spoke with Kenneth Labelle, Senior Broker, Professional Liability, Burns & Wilcox Brokerage, Chicago, Illinois.
What are some of the greatest cybersecurity risks faced by companies today?
K.L.: Extortion events have been the most devastating events from a cost and business interruption standpoint. They bring many different expenses such as forensics investigation, data restoration, ransomware payment, reputational harm and class action claims, among other things. If a class-action claim is filed, the financial burden of an event can grow tremendously.
All businesses have overlapping exposure for things like ransomware, but each business has its own heightened exposures as well. For example, retailers have higher exposure to payment card breaches, manufacturers have higher exposure to business disruption and healthcare has higher regulatory exposures. So, while they all share exposures, each business may face higher potential loss in one area as opposed to another.
What should companies be aware of relative to these risks?
K.L.: Protections do exist in the form of insurance, security and response, and proactive planning.
Many different types of security software and standards can help prevent a cyberattack, but when one inevitably does occur, the response is crucial to avoid further income loss due to the inability to operate. In the event of an attack, things like keeping a catalog of data assets, having a tested recovery and response plan, and using offline backups can help to quickly and efficiently bring systems back to full operation.
Which insurance policies can help them respond to these threats?
K.L.: Cyber & Privacy Liability Insurance provides everything needed to respond to, mitigate and indemnify a business in the event of a Cyber & Privacy event.
Carriers have response teams on hand 24/7 to immediately respond to an event as the insured's breach coach. These teams have pre-vetted experts in all fields, including digital forensics, systems restoration, legal counsel, crisis management and notification vendors. In addition to the vendor response, the policies provide indemnity for class action claims, regulatory investigation including fines and penalties, payment card loss, ransomware payments and many other things.
What are some examples of the types of businesses that need this coverage?
K.L.: All businesses should purchase Cyber & Privacy Insurance, but certain classes really stand out as high-exposure classes. Healthcare, for example, has a more extreme exposure to increased costs. Any business that deals with healthcare data has a particularly high exposure because of strictly enforced regulations and an attractive class-action space. We have seen class-action claims become the norm in the medical space, and limits purchased reflect the risk.
What steps should companies take to help complement their insurance coverage from a prevention standpoint?
K.L.: There are numerous ways to secure a network, including multi-factor authentication, endpoint detection and response, offline backups, etc. The human element is hard to overcome, however, so an emphasis should be put on training employees to spot attacks. Individuals are easily tricked, and nothing is changing there.
Can you offer one exposure scenario related to this topic and a coverage that addresses it?
K.L.: Social engineering makes up more than half of the losses that we see. These are always human-element-targeted events. For example, someone emails an employee pretending to be a client, vendor, or someone else internally, and they ask them to wire funds.
It is extremely important to include Social Engineering on a Cyber & Privacy policy without the requirement for an authentication in order to trigger coverage. Businesses should absolutely have protocols for authentication, but the lack of proper use generally leads to the cyberattack event’s success. Therefore, having a policy requirement can lead to a denied claim.
Is there anything else that you think is important for business owners to know about mitigating cybersecurity exposures?
K.L.: Software often has vulnerabilities that can be exploited. You could purchase the best software in the market, but if the software itself has a vulnerability, you are never really safe. Hackers have now even figured out how to use RAM to send data between disconnected computers — they can be very creative. Relying entirely on security controls is not a safe bet. Having a Cyber & Privacy policy as a backstop is extremely important.
What are the greatest opportunities for brokers within Cyber & Privacy Liability Insurance?
K.L.: Cybersecurity exposures are high; it is one of the loss leaders in insurance coverages. Opportunities for brokers are really about getting in the door, knowing the product and knowing how to walk clients through it. Since this is such a large risk for companies, you can gain a lot of trust by being an expert in that space. Most companies are buying or very interested in buying Cyber & Privacy Liability Insurance, so the door is wide open for being an expert in this coverage.
What advice would you give brokers to increase their success rates with these products?
K.L.: Success with Cyber & Privacy Liability Insurance comes with knowledge of the product and the different exposures and class types. You have to spend the time to become an expert in this space. Knowledge is what helps you succeed.
Why should someone consider Burns & Wilcox for their Cyber & Privacy Liability Insurance needs?
K.L.: At Burns & Wilcox, we have professionals who specialize in Cyber & Privacy Liability Insurance. It is important to work with a specialist, because they know the exposures and when to buy higher limits, and they will make sure there are no coinsurances or missing coverages.
CYBER & PRIVACY LIABILITY INSURANCE
WHY YOUR CLIENTS MIGHT NEED IT: Attacks and data breaches can happen in any industry, and cyber-attacks are getting more advanced. While not as many breaches are happening, losses are getting more severe, and costs of recovery are steeper.
PROTECTS AGAINST: Ransomware extortion, phishing, forensic costs, call-center monitoring, notification, and business interruption expenses. Third-party costs can include class-action lawsuits.
EXPERT OPINION: “Businesses should absolutely have protocols for authentication, but the lack of proper use generally leads to the cyberattack event’s success. Therefore, having a policy requirement can lead to a denied claim.”