From Your CEO Cyber and E&O - A Growing Concern What keeps you up at night? Recently I have been concerned with the next big area of liability for agents. With the significant increase in cyberattacks, it is just a matter of time before your insured gets exposed. When they do, will they be covered? If the answer is “No,” will they look to you and ask “Why not?” Failure to cover continues to be one of the largest areas of E&O claims in Tennessee and the Nation. Make sure you are protected. Why don’t businesses purchase cyber insurance? My guess is that it is becasue only the large attacks are being reported by the media. We have all heard about Target, Home Depot and Marriott – a loss that was estimated at $600 million in 2018. In 2019 Facebook reported that 540 million records were exposed, Capital One reported more than 100 million customer accounts and credit card applications were accessed and Quest Diagnostics reported more than 12 million patient records were exposed, to name a few. The bill for the recent cyber attack on the city of New Orleans is already over $7 million – and it has been reported that their policy is only covering $3 million of that cost. With all that talk of big business and big money, it makes sense that your insured, a small or medium sized business in Tennessee has nothing to worry about, right? Wrong.
A Risk on the Rise Malware and ransomware attacks are growing exponentially. While historically hacking was the concern – where one person targeted sensitive information – giving rise to notification obligations, today and moving into 2020, malware and ransomware attacks are aimed at disrupting business. Chubb regularly publishes reports on cyber claim scenarios handled and paid, and here are three such examples1: •
An assisted living facility had ransomware encrypt its files. Instead of paying the ransom they decided to rely on backups to restore the systems. The company incurred
The Tennessee Insuror
losses of more than $250,000 to get the affected systems back online. •
An insured was the victim of a denial of service attack causing a 22-hour outage to the company’s website. This event resulted in $750,000 in business interruption losses and an additional $40,000 was spent on forensic accounting services.
•
A hospital’s computer system was the subject of a ransomware attack. As a result of the attack, more than $700,000 was paid for forensics, data recovery, business interruption and crisis management costs.
Don't Let Clients Assume They're Safe What are the three big assumptions your insureds are making that you must work to overcome? 1) I’m not a High-Risk Candidate. The first assumption is believing that only businesses that store credit card or healthcare data that may be financially valuable to a cybercriminal are at risk. Ransomware is indiscriminate. It can attack any company, any system or any computer and shut a business down for days or weeks. 2) I’m Too Small to Be a Target. The second assumption is that cyber criminals only attack large companies. In fact, it is much harder to hack a large company than it is to attack a small or medium sized business. These businesses typically have lower security protocols and their employees are less vigilant. However, the ransoms being demanded from smaller companies may in fact be the ones fueling the cyber economy. A few hundred dollars per attack can add up to big business for cyber criminals. 3) My Business has More Pressing Demands. Finally, smaller businesses may be deciding where to spend their cash and deciding that there are other more pressing needs. However, a small business cannot afford to be out of business due to a cyber-attack. Even a brief busi-
“ Failure to cover continues to be one of the largest areas of E&O claims in Tennessee...”
Ashley Gold, J.D. 25
