The attack on main street

In the past year, two of Michael Loeters’ small business clients received an offer they couldn’t ignore—or refuse. The email looked benign, but once opened, it encrypted company data and demanded payment for the key to restore it. Both clients paid, as most do, Loeters says. Facing lost productivity and data restoration costs, “[they think], ‘If it’s going to cost me more than $1,000 to deal with this, I’ll just send the $1,000.’ ”

Cyber risks have taken a turn for small and mid-size companies, according to Loeters, vice-president and risk management practice leader at BFL CANADA. Though the extortion cases weren’t personal— simply automated bots looking for opportunity—they represent just one aspect of rising exposures in this sector, he says. “It’s happening more and more, and it’s happening to the small guys.” While size can matter when it comes to cyber protection, it doesn’t mean smaller businesses are defenceless. Or alone. Brokers can offer critical support, helping to craft cyber plans capable of taking on any online Goliath.

The Weakest Link

New cyber-risk realities stem from a shift in hackers’ sights, says Loeters, who notes that early threats seemed fixed on large companies, leaving small and mid-sized enterprise (SME) players feeling safe. “The ones we hear about in the news are the Walmarts or Targets,” he points out. “Smaller businesses think, ‘Of course, they’re Walmart or Target. I’m ABC Manufacturing—who cares about me?’”

A company like Target might be a bigger fish, but the 2013 data breach that affected 40 million customers actually occurred through a smaller partner: a heating, ventilation and air conditioning company’s network. With such threats on the rise, “[SMEs] are starting to realize they’re not being targeted because of who they are; they’re being targeted because they can be,” says Loeters.

And they can: 55% of small businesses surveyed by the Ponemon Institute this year experienced a cyber attack in the past 12 months, and 50% had a data breach during the same period. Overall, security incidents increased 38% in 2015, according to PwC’s 2016 Global State of Information Security Survey.

Today’s threats capitalize on two market realities. One, companies are more interconnected than ever, notes Saj Nair, a partner, and cybersecurity and privacy specialist, at PwC Canada in Toronto. “Think about who you interact with—your customer base, your suppliers. It’s the collection of all that interaction that dictates the overall risk exposure.” And, as larger firms batten down the hatches, “[hackers] are going after the entire supply chain and looking for the weakest link.”

Two, though education, finance or healthcare firms are popular targets because of their wealth of client data, customer information isn’t the only thing at stake. Though cyber-extortion schemes uphold their end of the bargain—sending an encryption key once paid—the damage can extend well beyond file access, warns Serge Solski, a principal at AdviseAware Risk Consulting in Kitchener, Ont. “What would happen to a factory if someone shut off their power, turned off the air systems? What’s that worth to them to pay?”

A Foothold on Coverage

If awareness of the new cyber risks is growing, so are the costs: Ponemon puts the average cost of a data breach at C$6million. That’s a sobering number, but both brokers and insurers have an opportunity to fine-tune existing approaches to coverage and mitigation, Nair says. Given the range of exposures— including human error—“there’s a level of further customization they can provide, and help their clients better understand the risks,” he says.

Insurers have already responded with scaled-down cyber coverage in the form of attachments to property, general liability or professional liability policies for as little as $300 a year, compared to the $5,000 price tag for broader standalone policies. As an example, an add-on could include $500,000 in third-party liability and $10,000 to $25,000 in breach expense coverage, notes Loeters. “Once we have them on the program, we can introduce them to broader, more expansive coverage over time.”

“Privacy is just one aspect of the consequences of a cyber attack.” Instead, he suggests training should focus on vigilance: strong passwords, security habits and showing employees how to spot a suspect email or a phishing attempt”

—Serge Solski, AdviseAware Risk Consulting

Loeters says brokers should ensure companies in higher-risk sectors—healthcare, finance or retail—have broader coverage off the bat.

The new offerings give smaller players a security foothold, says Chris Bevan, a partner at Kennedy Insurance Brokers Inc. in North Bay, Ont. However, he warns that brokers should be very careful to lay out crucial differences between the ad-dons and stand-alone cyber coverage, and explain wordings. For instance, the attachments may not respond to a third-party lawsuit. “The danger is that they’ll see cyber as a package and make assumptions about the coverage,” he says. “It’s an exposure for us, too.”

Scaled-up Security

Brokers in particular can reshape their role with small business clients, says Solski. “If you’re a company of 50 people, you probably don’t have a full-time risk manager,” he says. “Every single broker has clients who are waiting for someone to talk to them about a cyber-risk solution that’s more than a policy.”

The challenge for those businesses— and their brokers? “How do we right-size their cyber-security framework?” says Nair. “Unlike larger organizations, they don’t have that much spend capacity.” Once they’ve assessed broader risk exposures— their data, their industry and their partnerships— Nair says companies can opt for a risk-based template, such as a National Institute of Standards and Technology, ISO cyber plan that sets out guidelines and helps identify risk gaps. Or, they can use a cloud-based cyber-security system to protect data or network security. In choosing one, they should ask, ‘How does this matter in the context of our business?’ he says.

Even a limited-risk budget should zero in on key mitigation practices, says Loeters. “If they only have a dollar, it should go into training,” he says. What should that include? Solski’s chief recommendation? “Stop talking about privacy,” he says. “Privacy is just one aspect of the consequences of a cyber attack.” Instead, he suggests training should focus on vigilance: strong passwords, security habits and showing employees how to spot a suspect email or a phishing attempt.

Human error is a huge part of cyber risk, agrees Loeters. “The email looks legit; [they] expect it to come from the bank or the phone company and they click, not realizing it’s a hoax,” he says. Solski points to another case, where hackers spoofed a CEO’s email and requested a $1-million wire transfer. “Instead of saying, ‘We have a budget to respond to ransomware,’ put the money into looking for ransomware.”

Small businesses should also understand the role of oversight in mitigation— having cyber-risk processes or training assessed for soundness or gaps, he says. “We’re seeing companies beefing up IT efforts to manage this risk, but there’s no independent oversight to ensure the risk is managed effectively,” he points out, adding that CEOs often look no further than their IT teams. “The perception is that cyber risk is an IT risk; it’s not, it’s an enterprise risk.”

Whatever risk route a company might take, the stakes couldn’t be higher: 60% of small businesses hit with a data breach go out of business within six months, warns Solski, pointing to the financial damages and duress that accompany a breach or hack. “Those are the facts. Are they willing to take that business risk?”

And for those clients that still insist they’re too small or have no information worth taking? Loeters has advice for them. “If you have 100 employees, you have 100 records,” he says. “If [those] get breached, you still have the same obligations—you still have to put notification and credit monitoring in place and hire a forensic firm to see how the heck this happened.” Whether they have the resources or the expertise in place, or not, “when it happens, they’re going to have to deal with it.”

__________________________________________________________________________
Copyright © 2016 Transcontinental Media G.P. This article first appeared in the October 2016 edition of Canadian Insurance Top Broker magazine

This story was originally published by Canadian Insurance Top Broker.