Five Evolving Trends in Cyber Liability

May 1, 2022

By Gregory C. Knicley and Mark J. Battaglia, Tompkins Insurance Agencies, Inc.

Cyberattacks are becoming increasingly commonplace, particularly since the Covid-19 pandemic brought about remote work and insecure remote access to businesses became more prevalent. In fact, a recent global study from Check Point Research noted a staggering 50% increase in corporate network cyberattacks per week in 2021 compared to 2020.

While these threats may feel far removed, it’s important to remember that they can potentially affect businesses and organizations of all sizes, from a small 10-person firm in Rochester to a global corporation. Being knowledgeable and proactively protecting your company can help mitigate risks. Below are five trends we’re noticing in the cyber liability space and ways to help reduce the odds of a costly – and disruptive – attack on your business.

Consider the current climate

Last month’s attacks on Ukrainian government websites and its local banks are somber reminders of the devastation that can come about when a network is infiltrated. They put many governments, including the United States, on high alert. What we all realized is that threats can come from outside of our own business, and even outside of our own country.

The Russian cyberattacks on Ukraine aren’t the only ones that have made headlines this past year or two. The SolarWinds hack of late 2020 was one of the biggest cybersecurity breaches of the century. More than 30,0000 customers in the supply chain of the Tulsa, Okla.-based software company were affected and they included local, state and federal agencies and their customers and partners.

The Colonial Pipeline attack in May 2021 was another “wake-up call” about the perils of ransomware attacks. That incident led to gas shortages, pricing spikes and widespread panic.

Then there’s Log4Shell, also referred to as Log4j, an IT infrastructure vulnerability that came about late last year. It allows remote attackers to take control of devices on a network if the user is running certain versions of the software. It was a security issue of the highest severity and, even though patches, or fixes, exist, it will likely raise the bar in terms of what cyber insurance carriers will expect going forward.

Control your risk

Before obtaining cyber liability insurance – and yes, that’s something experts highly recommend you have – there are certain risk management controls to consider also putting in place. We recommend beginning with an up-front assessment of vulnerabilities and taking early steps to mitigate risks.

Ten-plus years ago, firewalls and passwords were the go-to for protecting an organization, but now there are several other technical controls that should be considered, including multi-factor authentication, when designing your network. This layered defense against would-be attacks includes something you have and something you know, such as a text message to your phone to confirm identity, along with a PIN or thumbprint unique to you.

Continually patching and updating your network and the applications your business uses, whether nightly, weekly or on another appropriate cadence, is key and not unlike the iOS updates on your iPhone. A well-rounded risk management plan should also include spam filtering, phishing and information security training for staff and regular data backups as first lines of defense before obtaining insurance.

Brace for the cost

It’s a challenging market right now and companies seeking to obtain cyber liability insurance should anticipate higher costs. Prices have been on the rise for the past two to three years, with increases of 50% to 200% due to the spike in claims in recent years. Multi-million-dollar claims, big issues like the aforementioned Colonial Pipeline, and the fact that claims are generally large and can reach policy limits, affect everyone and cause premiums to go up.

Cover your bases

Ensuring you have the right level of coverage is critical. Different types of businesses have different needs depending on things like their size and the types of data they work with. Companies with protected information can become bigger targets and are subject to regulators and state data security laws, which should be a factor in determining how much insurance you need. Additionally, the contracts that your business enters into may also have specific insurance requirements around cyber liability, which can drive the decision for the limits you select.

That being said, getting the required amount of insurance isn’t always a simple matter. In our experience, if an organization requires $10 million in insurance, they may need to get $5 million from one company and another excess policy of $5 million from a different one. The gap would not fall under an umbrella policy.

We advise our clients to never assume their business owners’ policy alone would meet their needs. Some policies include a small level of coverage as part of the “package,” alongside property and liability, tacking on a $100,000 or $200,000 level of protection, which may be inadequate if the company’s needs are closer to $1 or $2 million.

Get your head out of the cloud(s)

A false assumption many businesses make is that they don’t need cyber liability insurance because they aren’t big enough or don’t have anything anybody wants. The truth of the matter is cyber criminals are regularly targeting smaller businesses because many have an IT infrastructure that’s easier to break into. Think about it: someone managing their business on a laptop and through the cloud or without multi-factor authentication for access would be far easier to hack. Some of the biggest targets lately are school districts and municipalities. We can think of several in our circle that were victims of cyberattacks because they didn’t have the capacity or funding to defend themselves proactively – and these are just the ones we know of.

Last, but not least, if you’re not sure if you are protected, right now is the right time to review your policy. Ensure you are up on the current trends and latest risks. We recommend that you think of it not as a matter of if you need cyber liability insurance, but how much.

Gregory C. Knicley is a senior vice president, commercial lines marketing manager, CIC, AIC at Tompkins Insurance Agencies, Inc. and Mark J. Battaglia is a commercial lines account executive, CCIC at Tompkins Insurance Agencies, Inc.
