‘Concrete Incidents’ Validate Cyber Insurance

YOUNGSTOWN, Ohio — Over the summer, cyberattacks on two local medical offices drew the attention of businesses in the area and insurance agencies offering cyber liability coverage.

In June, NEO Urology in Boardman was hit by a ransomware attack that locked down its entire system. The company was held ransom for $75,000 in Bitcoin and reopened after three days. In a police report, NEO Urology said it lost between $30,000 and $50,000 in revenue each day it was closed.

And in August, a similar attack was carried out on Eye Care Associates, although the practice’s leadership didn’t consider paying the ransom demand.

“There’s still a bit of pushback, but they’re more receptive than when I couldn’t cite something like [what happened at] Eye Care Associates or NEO Urology,” says Dan Landers, principal at Landers-Lewis Insurance & Consulting, Boardman. “You have to explain that these are concrete incidents that could happen to them.”

Last year, according to a report from Beazly Breach Response Services, 71% of all cyberattacks were on small businesses. 

But not all cyberattacks are at that scale, demanding tens of thousands of dollars. 

At L. Calvin Jones & Co., Canfield, agent Mercy Komar reports two relatively small attacks: a fence dealer whose computer system was held ransom for $750 in Bitcoin and a client in the restaurant business, with hackers demanding $5,000 in Bitcoin to unlock the system. 

“It took him almost a week to purchase the Bitcoin. He was reimbursed by the insurance company, though they don’t purchase it for you,” Komar says. “In the meantime, he had to shut down his existing registers and bring in new ones to work from.”

While the cost of ransomware attacks like those affecting the restaurant, Eye Care Associates and NEO Urology is most often communicated in terms of what’s paid to unlock computer systems, the cost for businesses extends well beyond the ransom. 

In the case of the restaurant, Komar explains, the owner had to rent a new point of sale system while the hacked machines were unlocked and cleared. 

For Eye Care Associates, Landers says, the office was closed for nearly two weeks and, as a result, likely lost patients to other practices. 

It’s those kinds of factors that play into the decision to pay hackers, Komar explains. 

“The cybersecurity guys say don’t pay it because you’re just encouraging it. The insurance companies say, ‘We’re going to sell it to you and if you choose not to use it, that’s OK.’ The insured is in the middle and has to look at it from both directions,” she says. “Which is going to cost less? The insurance company may say it will cost less to just pay, instead of fighting back and battling for three months.”

That’s where cyber insurance enters the picture. Like policies covering physical damage to a business, cyber insurance covers most costs related to falling victim to a cyberattack, whether a data breach or being held ransom.

“If it’s a comprehensive cyber policy, you have to think of it two ways: like a fire or a slip and fall,” says Shelly Taylor Odille, owner of Paige & Byrnes Insurance, Howland. 

“If it’s a fire, something happens to your building and you get payment; that’s the hacker getting into your system and you recreate the data,” she says. “The slip and fall is if an email comes from you and I open it and now my network is infected because you didn’t protect yourself.”

Odille says there have been no reports yet of successful hacks or breaches among Paige & Byrnes clients, but adds there have been close calls with spoofed emails, where cybercriminals create fake emails almost identical to those from legitimate companies, requesting personnel or clients to wire money over.

“I’ve had some pretty sophisticated businesses call us and say, ‘I almost sent that payment out. Thankfully I made a third call to verify the information before I sent the payment,’ ” she says.

In the event of a successful cyberattack, those with insurance can often call hotlines set up by the carriers to work through the process. 

In many cases, calling in first before making any moves to deal with ransomware is a requirement for coverage.

“[In one case, hackers] tried to do a fraudulent wire transfer, which was discovered prior to going through,” Landers says of one of his clients. “It was reported to the insurance company and they stopped it, figured out where it came from and introduced some patches.” 

Even with concrete examples of what can happen in the event of a cyberattack, Landers says some businesses still push back some when the topic of adding cyber coverage is broached.

He points to one client, a dental office, that added coverage after the attacks on NEO Urology and Eye Care Associates.

“It was $600, but that was $600 he never had to spend before,” he says. “For a small business, if they have cyber coverage and have an incident, they may spend their deductible but they get their system checked and all their stuff back. The premium is well spent money.”

Adds Odille: “For years, people called and asked about malware and viruses and the answer was always that it’s not covered. Now, you have to get people on board with the new way of doing things and with it being more expensive.” 

When companies do resist, Komar offers a few words as a final pitch.

“Be aware that it’s happening constantly around you. Don’t bury your head in the sand and pretend it doesn’t exist,” she says. 

“[Companies] should be working with security people to train employees not to open phishing emails. That’s how most of this ransomware and malware gets into systems.”

Copyright 2021 The Business Journal, Youngstown, Ohio.