More Cyberattacks, More Need for Cyber Insurance

YOUNGSTOWN, Ohio — Data breaches at high-profile companies set off surges of interest in cyber protection among local companies, insurance agents observe. That’s good, they say, but every business also needs some form of cyber insurance.

Among the first data breaches to put cyberattacks in the public eye was the breach at Target during the 2013 holiday season. It began Thanksgiving Day and lasted through Dec. 15 as the national chain worked to get its house in order. In that cyberattack, the credit and debit card information of 40 million customers was stolen along with 70 million pieces of customer information.

In January 2015, health insurance company Anthem discovered a year-long breach that exposed the personal information of nearly 79 million consumers. Seven months later, Home Depot announced that its payment security system had been breached as hackers stole at least 56 million credit card numbers. That breach affected nearly every one of its stores in the United States.

And there are costs to being the victim of a cyber attack. Target settled a class-action lawsuit for $10 million, paid $6.75 million in attorney fees, provided a year of free credit monitoring and identify-theft protection for all its customers who shopped at a Target store during the two-week disruption. Moreover, a court ruled that it had to improve its data security and hire a chief information security officer.

“It happens to the big ones and they make the news, but the small ones are the ones it happens to, too,” says Dan Landers, principal of Landers-Lewis Insurance & Consulting, Boardman. “They tell us 60% of the companies that don’t have insurance for a breach aren’t going to recover.”

The highest cost of a breach Landers has seen is $217 per customer.

In 2015, the FBI reported eight million property losses that totaled $14 billion in damages. That same year, the losses from cyber attacks ran to $30 billion.

Stephenie Maroni, vice president of operations at James & Sons Insurance, Boardman, reports the number of cyber attacks has risen 125% in the past five years.

Cyber liability insurance has taken off in those five years, agents say, and is a necessity for any business that stores any type of personal information, whether about customers or employees.

“Some of the smaller businesses think they don’t have that much information, that they’re not Home Depot or Target,” Maro says. “But if hackers were able to get into those types of network systems, how much easier is it to get into 10 small companies?”

The premiums for cyber liability protection, as with any insurance, vary from business to business. A premium is based on what information they store, how they protect themselves and the opportunities for exposure. Many times, clients have to fill out a questionnaire on the records stored on their network, who can access that information, their use of mobile phones and tablets, access to third-party services such as the cloud or a contracted information technology company. And more.

At L. Calvin Jones, Canfield, agent Mercy Komar says the least expensive policy her agency offers runs about $750 per year for $1 million in coverage. Landers, meanwhile, says that in some cases, the coverage can be as much as 10% of a total business insurance premium. At James & Sons, most case studies Maroni has seen place claims at between $600,000 and $700,000 per business.

Most valuable is medical information, which includes names and dates of birth as well as specific data such as policy numbers, billing information and diagnosis codes.

Stolen medical information can sell on the black market for up to $10 per person, according to cybercrime protection company PhishLabs, making it 10 to 20 times as valuable as a credit card number.

With that information, identity thieves can buy and resell medical equipment and drugs, file false claims to receive payments or commit Medicare fraud.

“The more vulnerable types of businesses [are] in health care where HIPAA is involved or retail where a lot of people are involved with credit cards,” Komar says. “If it’s a smaller business, it depends on the number of employees you have and what sales are.”

Cyber liability insurance covers several post-breach expenses for businesses, such as notification, forensic investigations, shoring up security systems, paying fines and paying for attorneys should the business be sued.

Should a breach occur, state laws in 47 states – including Ohio and Pennsylvania – require that customers who might have had their personal information stolen must be notified in writing. In Ohio, personal information covers names, Social Security numbers, driver’s license numbers, credit or debit card numbers and access codes such as the PINs that go with them.

“The notification law is broad about what you have to notify for,” says Shelley Taylor Odille, owner and agent at Paige & Byrnes Insurance, Warren. She’s seen a per-customer cost placed around $175. “You might think that if you have 10 people’s information, times $175, you can pay that. But what about 20? Thirty? How many people aren’t you comfortable with [paying for]?”

Increasingly, insurance companies are helping clients deal with ransomware, a cyberattack where hackers infiltrate a system and encrypt the data within, locking out users. They then demand payment to unlock it.

More often of late, these hackers want to be paid in bitcoin, a digital currency often used online to buy and sell illegal goods. In a high profile case last year, a hospital in Los Angeles paid hackers $17,000 after they installed ransomware. Fortune magazine reported that in 60% of ransomware cases, hackers demanded more than $1,000.

“[Travelers Insurance] has already established markets in bitcoin so they can handle that transaction to get [businesses] back up and running before having forensic folks come in and figure out how they got in,” says Tom Costello, president of James & Sons.

While most commonly known as cyber liability insurance, what the policies really protect against are data breaches in all forms, including the loss of physical copies of information. That can be a rogue employee who takes information, a lost company phone directory or even papers falling off a truck en route to be shredded.

“You get breaches beyond computers. Computers are the cyber part of it but data coverage is what we’re providing,” Landers says. “If I walk out of here and you grab this file, that’s a data breach. That’s protected too.”

With the increase in cyberattacks and data breaches, insurance agents have found themselves serving as educators. All of the agents interviewed for this story shared stories of talking to companies about what they can do to better protect sensitive information.

“For companies that provide Wi-Fi internally, someone can sit in the parking lot and get in. … You can get into the James & Sons system through this phone,” Costello says, holding up his smartphone. “It’s wonderful. It’s great. But it’s also a tremendous exposure.”

Adds Taylor Odille, “People are better about viruses and getting more sophisticated with keeping their networks clean. But it’s hard. One person clicks on the wrong thing and you can have a problem.”

Landers estimates that 15% of his clients have it as a stand-alone policy, separate from their business coverage, a practice Komar recommends because it goes beyond “having it to say you have it.”

Paige & Byrnes is tying it to renewals of business insurance policies where businesses have to “very deliberately delete it,” Taylor Odille says.

“This is one of the coverages where we don’t see the frequency of claims, but when we do, it is devastating,” says James & Sons’ Maroni. “These kinds of claims can bankrupt companies.”

Copyright 2024 The Business Journal, Youngstown, Ohio.