
Courtesy of TechFirst Insurance Agency
By Susan Elise Campbell
Cyber crime is on the rise so rapidly that more U.S. businesses have been victims of attack than not. Here in the North Country, companies with 10 to 50 employees are frequent targets, said Kevin O’Brien, president of TechFirst Insurance Agency in Queensbury.
“Most mid-sized companies do not have a computer techie on staff guarding the entryways,” said O’Brien, who is co-partner with Mark Shaw, founder of StoredTech, a local IT services firm. “The discussion right now is not if you’re going to get attacked, but when.”
O’Brien said that “when a bad actor enters into their computer network, the business must report to the state.” One benefit of cyber insurance is the needed legal counsel to navigate those requirements.
But as cyber criminals “get smarter” at what they do, O’Brien said companies need a policy to cover notifying everyone whose personal data has been stolen, lost revenue, data reparation, and much more.
“Cyber crime is so regular that all businesses need to put money up for insurance, because it impacts not only your business, but your clients, vendors, advertisers, and anyone whose payment information and personal data you may be storing,” he said.
With so many levels of risk, O’Brien said it is not enough to have cyber coverage as an add-on to a general liability policy. There needs to be a stand-alone policy specific to that business.
“Proper protection is like a smoke alarm,” he said. “When there’s a fire in the business, everyone hears it and gets out safe.”
Social engineering is particularly widespread today. These are scams to lure employees into exposing data or giving access to restricted information, often by clicking on a link from a fake email posing as a legitimate business. Sometimes the message seems to come from a user the recipient knows.
The resulting losses may not be as great as in an AT&T-level ransomware attack, but there is potential damage to the company’s reputation.
“An important piece of a cyber policy is crisis management, or reputational risk,” he said. “Your company’s reputation is in jeopardy because you did not lock down the gates to your data systems.”
“Now the public knows about the lapse as it is splashed over social media or newspapers,” he said. “It’s tough to put a dollar amount on this.”
But O’Brien said a crisis management team of specialists provided by the insurance company takes over the public relations to let the media know the situation is now under control.
“This is what I call first-party benefits of a cyber policy,” he said.
The first party is the company taking care of their network and their data, paying any ransom, notifying the state, having the insurance carrier reach out to those whose data was hacked and may have paid a ransom to get it back, and free credit reporting for two years, he said.
Another policy feature is third-party coverage, which O’Brien said “is just as important.”
Third parties are the customers, advertisers or vendors for which the business keeps credit card and other private data that may have been compromised in a cyber event.
“The policy pays for the client company to get their systems back up and running,” he said. “Then TechFirst goes to that third party’s insurance carriers to make sure their clients are covered for the expenses they lost.”
Not all cyber insurance carriers have third-party coverage.
“Most businesses have first-party insurance just to clean up their own database,” said O’Brien. “They don’t realize that customers who got hacked may come back and sue them directly or their insurance companies are looking to be reimbursed.”
O’Brien said it is in the best interest of policyholders, insurers, and business insurance agents to be aware of cyber crime and take a role in preventing it.
“TechFirst makes proactive efforts, which is where StoredTech comes in,” he said. “They do a ‘score card’ to see where gaps may be in the client’s network.”
“Are they susceptible to hackers, or do they have defensive measures in place?” he noted. “Every business wants to back up their data and secure it nightly, so if you lost data it is only one day’s worth.”
“Another measurement on the score card is MFA, multi-factor authentication, which New York requires for professions such as health care,” said O’Brien. “This involves typing in a secondary code sent to a cell phone before the employee can access the programs storing PII, or personally identifiable information.”
Only certain employees should be given access to programs like QuickBooks®, such as the accounting staff but not the salespeople, O’Brien said, because the fewer people with access the more secure the company.
Insurance premiums are based on factors such as whether the company has MFA, how many employees work remotely, other cyber claims in the past three years, and more.
He said after an event, a “forensic detective” such as StoredTech will go through the compromised network and look not only for what was stolen but also what may have been left behind: a “Trojan horse” waiting to cause a future event.
“TechFirst and StoredTech working together helps clients get a well-rounded program to make sure the network is protected and there is a coverage proposal for cyber insurance, because mistakes do happen,” said O’Brien.
“The days of clicking on a link for a free lottery ticket are long gone,” he said. “Never click on anything without first having your security officer determine if that email is legit.”
Learn more at www.techfirstinsurance.com.