By Darren T. Kimura, Spin Technology
The threat of ransomware is rising rapidly. Each day, we see more stories about companies overtaken by this type of cyberattack. Garmin and Canon, two well-known consumer brands, are the most recent examples of organizations that paid large sums of money to criminal organizations to regain access to their company data. In Garmin’s case, the demanded ransom was over $10 million, which doesn’t include wasted company time and resources, customer loss, legal fees, fines, or the amount paid to an organization to negotiate with the hackers on their behalf. Even organizations with tight security protocols can be affected – cybercriminals are becoming increasingly sophisticated in their methods as the payout for ransomware creeps higher.
While an attack on a large organization is costly, ransomware can be just as disastrous for a small or medium-sized business. The majority of all cyberattacks aren’t directed at multi-million-dollar companies; they’re leveraged against smaller businesses that may not have the resources to dedicate to creating a fully secure environment for their data. In fact, a recent study showed that 60 percent of SMBs will suffer a data breach at some point, and 70 percent are targets for ransomware. Even more shocking – 86 percent of ransomware victims had antivirus protection. Unfortunately, in some cases, prevention is not enough.
What is cyber liability insurance?
Cyber liability insurance is a specialty insurance line intended to protect businesses (and the individuals providing services from those businesses) from Internet-based risks (like ransomware attacks) and risks related to information technology infrastructure, information privacy, information governance liability, and other related activities. These types of threats are generally excluded from traditional commercial liability policies or are poorly defined. It’s often a logical step in protecting data once an organization has already put in place the necessary and recommended security and privacy protocols to protect against data theft.
Does my organization need cyber liability insurance?
Despite being the primary target for most ransomware attacks, 80 percent of SMBs do not have cyber insurance protection. Many SMBs falsely assume they don’t need the coverage if they don’t process payment transactions. But the reality is that cybercriminals are using social engineering and phishing scams to steal personally identifiable information (PII) and to gain access to networks and accounts. This type of loss can create liability for the company and require expensive forensics and remedial actions – including alerting thousands of customers by mail and purchasing identity theft protection for them after the fact. A ransomware attack, for example, can mean total lockout from data sets, systems, accounts and more (if proper backup protocols are not in place) – and that cost can be catastrophic.
What coverages does my business need (and what does it cost)?
The amount of insurance needed truly depends on your business size. In many SMBs, $100,000 is often enough. However, when evaluating the amount of coverage, it’s wise to remember that the cost of a ransomware attack is often more than just the ransom itself. For example, one 50-employee company was hit by a ransomware attack, which cost them $6,000 in ransom. However, it also cost $15,000 for forensics, $20,000 in legal fees, $12,000 in fines, and $20,000 in data recovery. While the initial sum demanded was manageable, the total expense was more than $73,000. The cost of the policy itself can range from a few hundred dollars up to several thousand dollars a year, depending on requested coverage.
What exactly does it protect the company from?
Most policies protect against e-theft, ransomware, telecommunications theft, and social engineering fraud. Social engineering fraud refers to an employee transferring money or securities to a person or account beyond the insured entity’s control. This coverage can help protect the organization from cybercrime generated within the infrastructure of the business (insider threats). Having insurance that protects the organization from both internal and external threats is the best way to ensure an unforeseen incident will be covered.
Is there coverage beyond the base policy?
For many organizations, having a cyber liability policy is a safeguard above and beyond their current insurance policies. It’s an explicit certificate dedicated to aiding the recovery process should a cyberattack occur. This approach is forward-thinking, as cyberattacks of all kinds continue to rise across the board. Relying on a blanket corporate policy to cover cybercrime is a risky venture. These types of policies often include language and loopholes that may exclude payment for certain types of disaster, such as acts of war. The first step in securing company data should be the protection of that data and the engagement of policies and technology to prevent an attack in the first place. However, cyber liability insurance is an additional precaution that’s recommended in case the unthinkable occurs.
About the Author
Darren is the Executive Chairman and Chief Revenue Officer at Spin.ai. He holds 13 patents and his expertise covers Cybersecurity, IT, Software, Big Data, and Networking. Darren is based in Palo Alto, CA.