Does My Business Need Cyber Insurance?

Cyber insurance is becoming a big business. This is because the number and type of cyber threats that your business may be exposed, from hacking to malware, to is increasing daily.

More and more devices are connected to the Internet, and almost anything can be hacked, even the buildings we live and work in. A large scale cyber attack can spell doom for any company, however, small and medium sized businesses do not have the resources that larger companies have to recover… For a business without cyber insurance, this means that a hacking attack, or malware incident, may cause catastrophic financial damage for a business.

Cyber insurance has evolved over the years and is supposed to cover the costs of dealing with such a breach after it occurs. The cost of cyber insurance is always a factor… But do you really need cyber liability insurance for your small business? In my opinion, as an insurance broker, cyber insurance may be a “necessary” thing or simply a “nice to have” in the following situations:

Necessary:

1. If your business handles personally identifiable information (PII). As described below¹, if your business collects personally identifiable information you would be wise to work with a broker to find a cyber insurance policy that covers this 3rd party exposure.² Examples of businesses that collect this type of information are banks, financial institutions, franchisors, investment managers, lenders, mortgage brokers, accounting firms, healthcare providers, doctors and hospitals.
2. If you run a business that is web-based, such as an e-commerce company, that relies 100% on your website being up and running in order to generate revenue, you may want to have a policy that will cover business interruption in the event of hack, or a ransomware or malware attack. This is known as first party coverage. This type of cyber insurance policy may cover restoration costs, payment of a ransom demand in cash or cryptocurrency (such as Bitcoin, Ethereum or Litecoin), and forensic expenses to evaluate the condition of your site and/or data to be sure that the recovery process is clean.
3. If your business uses network access to monitor and/or control industrial systems. According to an MIT Technology Review article, a recent analysis of databases of Internet traffic by Marcin Nawrocki at the Free University of Berlin in Germany was alarming. Nawrocki used a standard packet analyzer called Wireshark to examine data collected from an Internet exchange point (IXP), and raw internet traffic between ISPs in the U.S. and Japan. He found that a high rate (96%) of industrial control systems traffic was sent unprotected. One company was a solar energy consultancy that he said was at significant risk of a malicious attack.

Nice to Have:

Most small businesses do not handle PII or generate revenue through e-commerce. If this is the case with your business, you may not need a cyber insurance policy. While a cyber insurance policy may help you cover the costs you could incur after an attack, what you may do is take proactive measures to reduce the risks to your business of cyber attacks. The following are strategies you may consider for reducing your business’ exposure to a cyber attack:

• Think: Before you click that pop up ad, or download that application or file, think about it for a few seconds and ask yourself some questions. How did you arrive at the site you’re on? How did this link or application present itself to you? Did this link arrive in an unsolicited email or did you click on an ad? Human error is a major factor in all cyber attacks. Most security breaches are the result of some level of bad behavior by the people who are affected.
• Back Up Your Data: Important data and websites should be backed up in at least three places. Many web developers and web security experts believe you should operate under the assumption that if your data is not backed up in three places, it is not backed up anywhere. Types of backups include 1) 1st party consumer cloud storage backups, such as Dropbox, Box, Google Drive, etc. 2) Local backups to a physical external hard drive 3) 3rd party managed backups to the cloud, such as by a hosting commercial grade provider or Amazon Web Services (AWS) or Microsoft Azure, 4) Local backups to your computer (internal drive).
• Stay Up to Date: Keep your computer systems up to date. If you run anti-virus software or Windows Defender on a PC, make sure it is up to date and scanning your computer regularly for any infections.
• Consider Apple Products: Because of Apple’s relative small market share, when compared to Windows and Android, devices running iOS and Mac OS may be less exposed to cyber attacks and malware, such as ransomware. Apple products are targeted less often by hackers because they represent a small portion of the device market. Windows runs on 90% of the desktop OS market, which saves time for both malware developers and hackers alike. Apple’s products are not invulnerable to attack, nor are they less exposed to malware, when compared to Windows and Android. However, updates to Apple’s iOS and OSX seem to be adopted more quickly, and Apple seems to put privacy first, protecting personal information within its environment, even to its own detriment. PCs running Windows are often out of date³. Similarly, Android’s ecosystem grew in an original equipment manufacturer (OEM) and value added reseller (VAR) fashion like Windows. This OEM/VAR business model creates additional links in the security chain that could be weak or be exposed to flaws that may be exploited. A recent example is a security software solution for PCs, that was marketed from a reputable provider, except that the software itself had been hacked. It then was installed on potentially millions of PCs. In a VAR/OEM model, support for Windows problems may not come from Microsoft, but from the manufacturer. Similarly, Android security is not controlled solely by Google. Since most Android phones are not up to date it could mean that Android is more exposed to security flaws. As such, top Internet security experts often use Apple products (or Linux). If you already use Apple products, here are some things you can do to improve your security situation even further:
  • Use Mac’s Gatekeeper: Gatekeeper is a built-in program that allows you to control the types of applications that can be installed on your Mac. The more strict you are with applications you allow, the safer your computer is likely to be. ***Note that Gatekeeper has many flaws that may be remedied with some of the free security tools mentioned below.***
  • Install a System Password: Turn on the password feature for your Mac or iOS device. Use a password of at least 8 characters and the longer the password the better. Recent NIST guidance on passwords indicates that passwords should be comprised of random words that are easy to remember, and that length is more important than variability, such as capitalization and special characters.
  • Turn on Mac Firewall: If you use Mac OS, turn on your firewall. For some inexplicable reason, new Macs have the internal firewall feature turned OFF out of the box. So you must manually turn it on within security settings in your Mac OS. To turn your Mac firewall on:
    1. Click the Mac “Apple” logo in the top left-hand corner of your desktop.
    2. Choose “System Preferences” from the dropdown menu.
    3. In the top row of icons, click the “Security & Privacy” icon which looks like a house with a combination lock on it.
    4. Choose Firewall
    5. Click “Turn Firewall On” on the right-hand side of the box and make sure there is a green icon to the left
  • Encrypt Your Mac Hard Drive with Built-in FileVault: Mac OS FileVault secures the data on your disk by encrypting its contents automatically and protecting the data with a login password or recovery key. WARNING: If you forget both your password and recovery key, your data will be lost. To turn FileVault on:
    • Click the Mac “Apple” logo in the top left-hand corner of your desktop.
    • Choose “System Preferences” from the dropdown menu.
    • In the top row of icons, click the “Security & Privacy” icon which looks like a house with a combination lock on it.
    • Choose FileVault
    • Click “Turn on FileVault”
  • Use a Reputable Antivirus Software for Mac: If you use Mac OS, you may not think you need antivirus software because of the tightly controlled nature of the operating system. However, trojans and other malware are everywhere on the web and you may not even know you have been exposed without antivirus software. Free antivirus software for Mac is available from Avast and others.
  • Consider Other Free Apple/Mac Security Tools: Patrick Wardle, currently Chief Security Researcher at Synack, a security company that offers penetration testing to enterprises from the perspective of hackers, offers a suite of free Mac OS X security tools on his Objective-See website that he uses to protect his own Mac.
• Get a Cyber Liability Insurance Policy: The right cyber liability policy can provide compensation to your business to help recover your assets in the event of certain attacks. Some cyber liability coverage may be packaged together with other standard business coverages, such as property and general liability, that you would find in a business owner’s policy (BOP). BOPs are inexpensive by nature because they are designed to cover businesses that have common exposures, and/or because they offer low limits of coverage, and exclude most common risks.