In this three part series, Ben Grosser (Head of Carrier Partnerships, Pathpoint) interviews cyber insurance expert Michelle Chia (Head of Professional Liability and Cyber, Zurich North America) to learn more about the cyber risks most affecting small businesses today, the role cyber insurance plays as a risk management tool, and how to approach matching your small business client with right policy.
To put cyber insurance in perspective means understanding the underlying risk itself, which is the foundation to any successful risk management conversation.
BG: What kind of trends do you see in common attack vectors? And how do they impact small businesses?
MC: Ransomware is a threat vector that is increasing in frequency and severity more so than the others.
There is a lot of talk about ransomware because it’s been popular with malicious actors. It’s effective because it has evolved to a point where they can set a time limit and say, “I’ve locked down your entire computer system, and you won’t be able to conduct business until you pay the ransom demand and I provide the key.” Small businesses are especially vulnerable because they may not have the cash flow or breach response resources to rectify the event.
There are a few additional challenges that small business may face. Here are a few questions small businesses should consider in response to ransomware preparedness: Do you have resources to consider whether the ransom payment would be in violation of OFAC sanctions? Do you have access to cryptocurrency in large amounts to pay the ransom demand if OFAC sanctions are not in violation? Do you have resources to test whether the encryption key will unlock the network in advance of paying the ransom? However, these are questions that are considered after the company has been impacted. There are proactive measures small businesses can take to avoid being the lowest hanging fruit.
BG: What does that actually mean?
MC: The car that doesn’t have antitheft protection, like loud alarms for instance, is more susceptible to theft. Malicious actors are more likely to steal the car that is easier to take possession of and attracts the least amount of attention. Borrowing that analogy, some bad actors look to manipulate companies with the least number of barriers to entry, i.e., proactive measures to protect, detect, respond, recover. What we preach at Zurich is risk mitigation: how can companies protect themselves from cyber events? How can they put as many barriers up as possible so they don’t look like “low hanging fruit” to these bad actors? There are accessible, straightforward things a company can do.
BG: What are some of the ways that small businesses can protect themselves?
MC: There are a few measures small businesses can implement to proactively mitigate cyber risk. Phishing training is a solid way to decrease the human element. How well can you and your employees identify malicious emails? Spam emails are annoying, but phishing emails are fairly sophisticated. It may look as if someone is sending you an invoice that you want to open so you can pay the bill on time, but the email address looks slightly off after more detailed review. Many times, XXXToys123 is mistaken for the actual vendor XXXToyz123. The bad actor tricks you into clicking a link or an attachment that downloads malware onto your laptop. You and your employees can reduce the risk of these traps through simple and effective training that creates awareness of these types of threats and enables differentiation between a phishing email and a real email.
A Managed Security Service Provider (MSSP) is another simple measure that organizations can implement. These organization provide 24x7 monitoring and mitigation of threat vectors, which helps keep an eye on activity entering and occurring within your network. This can have a higher price point than anti-phishing training, but costs as low as $70/month or is included with the purchase of a Zurich Cyber Insurance Policy.
There are other threat vectors out there, of course. Data breaches are sometimes seen in combination with ransomware these days, but by itself it’s the loss of protected information or the unauthorized access of protected information. Small businesses have employee information (tax and other identification data) and protected customer data (payment card or home address information) in their care, custody, and control. Accidental sharing of that information can be considered a data breach under many state and federal regulations. Implementing something called a DLP (data leakage prevention) filter so you know what information is leaving the network can minimize the likelihood of data breaches. This is an effective method to know whether information has been lost or shared with unauthorized individuals.
The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Please consult with qualified legal counsel to address your particular circumstances and needs. Zurich is not providing legal advice and assumes no liability concerning the information set forth above. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, the sponsors remind you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.
This article is not intended to provide specific legal or regulatory advice or suggest the adequacy or appropriateness of any particular insurance product. Insureds are always advised to seek the advice of their own legal and risk management advisers with respect to potential liabilities or the adequacy of any insurance product.