Blake Brown of the Baker Group, Mike Weiss and Ross Ingersoll of the employee-owned insurance company Holmes Murphy, and Evan Rice of Guide Star provided a useful roadmap of how to stay protected.
According to Weiss and Ingersoll, one insurance carrier said the average ransom payment made in 2023 was $537,036, nine times what it was five years before. A second carrier said its loss ratio was 150%, while a third said breach response costs have increased 220% since 2016.
The speakers identified the top underwriting concerns, including:
When selecting an insurance policy, setting the right limit for your business is a difficult decision. The potential costs vary widely, not only with the kind of work you do but also with the kind of attack you experience, and engaging an expert from outside your insurance carrier can help you navigate this. Threats to cover include ransomware, cyber extortion, business interruption, and “social engineering fraud” (using psychological or other ruses to convince people to provide information and/or access they should not have). Policies often carry sub-limits on social engineering fraud. You may also want to be insured for widespread events, such as a denial of service that takes down an entire network, but your carrier might exclude these potentially catastrophic events. Policies also frequently exclude losses arising from a failure to maintain the appropriate systems and controls, so the security program you attest to when applying must actually be kept up.
While getting good insurance is essential, this is one product where you would be happier never to actually get what you pay for. Create a checklist you can regularly review. Using a third-party framework can help provide the needed expertise if it does not exist in house. Key elements include:
The outside advisor or an in-house expert (or both) should run periodic audits, tabletop exercises, and supply chain reviews. Make sure you have playbooks for the scenarios you are most likely to face. Invite your carrier to send a representative to review your exercises and procedures. Consider joining organizations that focus on cybersecurity (such as the Information Systems Audit and Control Association, the Internet Security Alliance, or the International Information Systems Security Certification Consortium). Getting your IT staff cybersecurity certified may be worth the investment. There are also a variety of tools you can invest in that detect or prevent incidents. You may want to engage a managed security service provider (MSSP) or a virtual security service provider.
Determining how the breach or incident occurred is vitally important. Forensics can take a long time, and during that period the systems being examined are preserved as evidence and cannot be used for business functions. You may need to quickly acquire additional resources to take the place of those that are out of service. Forensics costs can add up quickly.
If there is a breach, aside from reputational damage, there could be lawsuits from affected clients, employees, vendors, and others whose data has been exposed. Credit monitoring will need to be offered to the individuals whose private information was lost. You may even lose customers or suppliers.
Your ransomware playbooks must include an option to pay the ransom. Threat actors will do research on your organization and will typically request a ransom that is hard to accept but not out of reach.
Businesses that store private personal information should take note of the FTC Consent Order and take the following lessons to heart:
With the rise of artificial intelligence, cyberattacks can only become more widespread and persuasive. Taking the threat seriously is vital for any business.
In 2021, the Employee Benefits Security Administration announced its own cybersecurity guidelines for ERISA plans. The guidance is broken down into three areas: