PSA Insurance & Financial Services Prepares Clients for Cyberattacks
In September, Equifax made headlines around the world as the latest victim of a massive security breach. Birthdates, addresses, social security numbers and credit card information for roughly 143 million Americans were compromised.
Of course, not every company is an Equifax, and it’s easy for smaller businesses to fall into the trap of thinking they’re unlikely to suffer a cyber attack due to their size. After all, what would a hacker want with “the little guy?”
The truth is, anyone relying on any type of technology to run a business is a potential target, whether it’s a one-person company or a Fortune 500 one. Small- and medium-sized businesses are especially vulnerable as they often lack the budget or expertise necessary to defend against potential threats.
That said, with the constant changes in technology and the host of factors at play, it’s impossible to obtain absolute security. So it’s important for companies to not only put defenses in place to protect themselves, but also have a plan should an attack or breach occur.
That’s where PSA Insurance & Financial Services comes in. “Traditional insurance for businesses had included coverage for some aspects of what we now consider to be cyber exposures,” says PSA cyber specialist Mike Volk. “[But] as businesses became more reliant on technology and cyber risk grew exponentially, traditional insurance started eroding coverage by excluding elements related to technology and cyber.”
So, while damage to a piece of equipment in your building would be covered by property insurance, recovery of data destroyed by hackers or your liability for Personally Identifiable Information stolen by a cyber criminal would not be fully covered. To fill that gap, insurance companies began offering standalone cyber insurance policies.
PSA has been active in the cyber insurance market for many years. “And as cyber insurance continued to evolve, PSA saw a need to create a specialized practice that has an eye on what’s going on in the cyber insurance marketplace and helps our clients understand what cyber risk is,” Volk says.
Volk has been leading that practice since 2016. Before that, he worked in cyber and technology training at Anne Arundel Community College and as a cybersecurity navigator at the Baltimore Mayor’s Office of Employment Development.
It was his cybersecurity background that led PSA to recruit him. “Most insurance [brokers] get insurance people and teach them about some topic, like cyber liability,” Craig English, a senior vice president at PSA, told the “Baltimore Business Journal” earlier this year. “What we did is we went out and hired someone that was in cybersecurity, and [taught] him insurance.”
Cybersecurity is an immensely intricate concept, and most companies are not aware of all their points of vulnerability or potential liability and the associated costs. So the practice’s main priorities are education and raising awareness. The first step is to identify potential cyber risks.
Large-scale breaches, like the ones at Yahoo!, Target and Equifax, tend to get the most media coverage. But that kind of sophisticated, targeted attack on a major enterprise accounts for just a small portion of cyber incidents.
“The other side of it is something like cyber crime, which is much less targeted, far more distributed,” Volk says. Phishing scams attached to some type of malware or ransomware account for the majority of these attacks.
“[Cyber criminals] want to get that phishing email out to as many people and businesses as possible,” Volk explains. “They don’t care who you are, what size business you are, or what you do, because they can reap quick profits from even a small fraction of the people falling for their scams.”
That’s not to say that hackers won’t target your business for specific information. Those in the accounting, banking, financial services or health care industries are most vulnerable to these attacks because of the value of the information they possess.
While most attacks come from the outside, companies also need to take insider threat into account. This could take the form of a disgruntled employee who leaks sensitive information or knowingly exposes the business to a cyber attack, or of someone smuggling out valuable information to pass on to a third party.
The biggest insider threat, however, is a simple mistake – not following the company’s procedures for handling sensitive data, accidentally typing the wrong email address when sending out information, lost or stolen devices. Sometimes “an attacker will impersonate an executive in an organization and trick somebody into making a wire funds transfer,” Volk adds.
After helping clients identify their risk, PSA works with them to monetize it. In the case of the Equifax breach, for example, “they’re going to have to notify all the individuals who were affected, they’re going to have to be in the press defending themselves, they’re going to have to work with legal experts, and they have to bring in a forensics firm,” says Volk. “And that doesn’t include all of the other types of issues that could arise.”
If your systems are down and you can’t run certain aspects of your business, how much is that going to cost per day, for a week or even longer? Cyber forensic, public relations and crisis management costs add up quickly. There may be legal and government-imposed fees depending on who is affected. What about lost customers and employees? And that’s not taking into account the toll on the company’s reputation.
What’s more, the damage may extend to other companies you do business with. “With our traditional building example, if you had a fire, that fire might spread to buildings next to you, but it’s not going to spread to every business that you connect with,” Volk says. With cyber, that’s unfortunately not the case.
The 2014 Target breach, for instance, was traced back to the company’s HVAC vendor. Passwords were stolen from the heating and air conditioning contractor and used to break into Target’s secure systems.
Then there’s the cost of the compromised data itself. In the United States, the average cost for a piece of lost or stolen data is $225, according to Ponemon Institute’s 2017 Cost of Data Breach study.
That’s a lot of balls to juggle. So PSA worked closely with PivotPoint Risk Analytics to help shape CyVaR, an evaluation tool to help clients monetize their risk. “What it builds for them is a cyber risk value,” Volk explains. “So when we talk dollars and cents, you can quantify the total monetary impact of the breach and related fallout.”
The final step is to match each business with a cyber security policy that best fits their needs. Coming soon, clients will also have access to what PSA is calling its Enterprise Risk Resiliency Panel. The panel is a highly vetted group of cyber security businesses and organizations offering products and services like cyber risk assessment, strategy and advisory, cyber governance risk and compliance, device protection, cyber and data privacy, crisis communications, and more.
“That way we can have both resources for our clients to help do things upfront to minimize risks, and then the backstop behind it, which is the insurance if something goes wrong,” Volk says. “[We want] to support a holistic approach to cyber risk management.”