A recent new story from A.M. Best & Co., the insurance ratings agency, indicated that cyber insurance premiums grew over 32% in 2017, with most of that growth in the large account market – the Fortune 500 world. The SME (Small and Medium Enterprise) market was barely buying cyber coverage. Penetration in the SME market was in the low teens.
This is shocking to me.
The large corporate buyers are buying as much cyber protection as they can get, yet the lower end of the middle market isn’t seeking this protection. Do decision makers of firms in the SME market don’t think it will happen to them? Do they forget that large firms have teams of experts defending their networks, yet still get hacked?
The hesitancy to purchase cyber insurance may be a desire to not spend more on their insurance budget this year. It may be a lack of understanding of how vast the risk is, or it may be that decision makers don’t realize the costs of a cyber event. Whatever the reasoning, I thought it would be helpful to reiterate and paraphrase some claim scenarios that The Travelers Insurance Company has provided in their cyber sales literature. Here we go:
- Ransomware -In this first example a server at a manufacturing plant with $100M in revenues was infected with an undetectable malware. Through that malware, hackers gained access to the plant’s production system and caused a shut-down that lasted several days. A computer forensic expert was hired to investigate the cause of the claim and to assist the I.T. team to repair the problem and restore the systems. The outside experts and internal support overtime was substantial, but nothing compared to several days of lost production. The total estimated costs for this claim exceeded $2,000,000. Now you may be thinking that the lost income is covered by the firm’s business interruption insurance – unfortunately the shutdown was not caused by a covered peril, therefore there is no coverage under the property policy. Without cyber protection this claim would have been paid out of pocket.
- Spear Phishing Attack – In this example, which could happen at any sized firm in any industry, an employee opens a phishing email that looks legit yet within a split second infiltrates the company’s network. Anti-virus software had not been updated and failed to keep out the malicious code which provide hackers access to names, addresses, social security numbers and other financial data for 5,000 of the firm’s customers. Once discovered, a forensics investigator was hired to determine the scope of information compromised and then promptly notified the affected customers, providing them one year of credit monitoring services. The estimated costs of experts and notifications ran upwards of $300,000. On top of that several states where the company did business launched investigations and levied fines and penalties on the company for failure to protect personally identifiable information (PII).
- Innocent Negligence – An employee of a home healthcare service provider sent an excel spreadsheet from work to his home email account so he could complete the spreadsheet later that evening. That file contained the names, insurance company data, and private medical records for 750 patients. By sending the information from the company’s secure environment to an unsecured email (his home computer) the employee breached the company’s privacy policy as well as HIPAA Privacy Rule. Not only did this result in the employee’s termination, but under the law, the employer was forced to notify these 750 patients of the HIPAA breach. This created a public relations nightmare which damaged the company’s reputation and cost them about $440,000 in notification expenses and defense expenses related to federal investigations.
These are only a few examples of how a cyber event can deal a crushing blow to any sized company. Without cyber risk insurance, none of these events would be covered by any other insurance policy these companies bought.
Want to know what cyber insurance would have cost these firms?
For the manufacturer cited in example #1, a $2M policy would have probably cost them less than $15,000 a year. I would bet that their total insurance spend is upwards of $800,000 a year, so adding cyber would have cost less than 2 percent to their total insurance budget. Without coverage they paid $2M out of pocket.
In example #2, assume that the company was under $10M in annual revenues. A cyber policy would have been about $3,000 a year. Let’s see, pay $3,000 in premiums or $300,000 out of pocket in claim costs? You tell me which the better deal is.
In example #3, the home healthcare company let’s say they were doing $40M a year in revenue, their premiums would have been around $7,000 a year. Again, not a bad trade off to be protected versus paying these costs out of pocket.
The Cyber Insurance Breach Coach
The other point to understand is that if a cyber event were to hit your firm, who would call? Your attorney? Your outsourced I.T. firm? Your CPA? As the panic starts to set in that your network is compromised, or that you can’t access your data due to a ransomware attack, who is the first person you call?
If you’ve purchased cyber insurance, you likely will have a 1-800# emergency number to call. On the other end of the line (24/7) is a breach coach who understands what you’re experiencing and what steps to take immediately to limit the damages and consequential damages. This breach coach, in my opinion, is worth every penny you could spend on cyber insurance.
Recently I had a client call me early one morning in a panic to tell me that their network was compromised and he didn’t know the extent of the intrusion. Fortunately this firm purchased cyber insurance so I was able to give him the 1-800 number. After hanging up with me he called it and a half hour later called me back to give me an update. The breach coach had given him specific instructions and people to reach out to for assistance. By mid-day the situation was under control and in the hands of experts. That is the real value of cyber insurance!
Want to learn more? Give me a call or drop me an email so we can start a conversation.
