CYBER SECURITY THREATS: HOW TO PROTECT YOUR AGENCY
By Paul Kapadia
Cyberattack. Phishing. Ransomware. Dark web. Cybersecurity and related compliance. These words were not part of general business vocabulary until recent years. Previously, the terms all sounded very techy, and business owners typically avoided dwelling on them unless they were forced to. At best, cybersecurity was considered an issue for corporations with global footprints, never for small businesses. Yet here we are – surely and steadily this vocabulary has made its way into the small-business dictionary as well.
THE REALITY OF CYBER RISKS
A recent Travelers survey revealed that more than half (54%) of businesses believe a cyber-attack or data breach is inevitable. The survey also revealed that, while cyber-attacks on medium and large businesses increased significantly, cyber-attacks on small businesses tripled during the same timeframe. Today, cyber risks are a reality that no one can ignore and a greater risk than ever before. In fact, COVID-19 has added fuel to the fire. The pandemic forced changes to normal business processes that were in place for decades and in some cases even longer. And these changes have provided cyber thieves with the perfect opportunity to attack unprotected and under-protected businesses.
NEW TRENDS IN CYBER-ATTACKS
A newer trend is cyber-attacks on managed service providers. One successful attack can compromise the security of many businesses and individuals in one shot, making it easy for hackers to access business emails and plant ransomware. Interestingly, these thieves devised a strategy to demand an amount of funds just small enough for businesses to decide not to pursue legal recourse and to settle the ransom to continue doing business. Oftentimes, these crimes are never reported, and victimized businesses adopt a false sense of security, assuming they are safe since they paid the ransom. In reality, many end up being hacked multiple times. Basically, each business has to create its own cyber security fence – depending on its business, business processes, and regulatory-compliance guidelines – to protect the trust of its customers.
CYBER INSURANCE EFFICACY
While an increasing number of businesses have a cyber insurance policy to safeguard against losses from these attacks, many executives do not really understand the coverage and compliance requirements. Effectiveness of a cyber policy depends on how an application and regulatory questions are answered. Cyber insurance is not a preventive measure. It is only a recourse to cover losses – presumably all losses, but in reality, it is not that simple (like auto insurance). It has many caveats that one needs to understand and fulfill.
The default expectation for any insurance coverage is that the policyholder has taken adequate precautions to prevent the peril. And proof of those precautions is required for any claim and smooth assessment process. Cyber insurance is no different. Policyholders are expected to have all necessary cyber-attack preventative measures in place to secure the cyber insurance coverage. Unless these are effectively established, cyber insurance policies may not be effective in covering losses.
CYBER SECURITY SAFETY NET
How secure is your business? The most efficient and cost-effective way to deal with cyber threats is to create security measures based on your business processes. (These measures would also support your case in the event of a cyber insurance claim.) So how can you build this safety net?
SO WHAT DO YOU NEED TO DO?
First, know your current state of cyber vulnerability and security. Are you unprotected or under-protected? Your IT service provider – whether in-house or outsourced – has implemented the measures they deem necessary. However, it is a good idea for these to be validated by an independent third party with industry-recognized credentials. (Again, this would also be useful in the event of a claim.)
Second, understand the latest security guidelines for businesses that deal with customer data. For example, California implemented very stringent data security and accountability rules for businesses based on European data security measures (General Data Protection Regulation, or GDPR). Other states have taken note. New York implemented compliance requirements for insurance agencies, and Pennsylvania and New Jersey are following suit. It’s vital to stay up to date on regulatory requirements where you conduct business.
Third, get to know all of the nuances of your cyber insurance policy to ensure that your business processes and preventive measures are compliant with your policy guidelines.
Finally, consider a customized solution for cyber vulnerability mitigation that addresses your needs. Ideally, engage a firm that specializes in the insurance sector’s particular vulnerabilities, risks, and compliance requirements. They should be able to assess your agency’s security vulnerabilities and provide customized remediation strategies that are best for the business. You can choose any service provider, including your existing IT firm if they can implement remediation steps and protect your business.
In case you don’t know where to start and who can help, reach out to IA&B. Your association worked on creating a cost-effective option for cyber vulnerability assessment that all can leverage.
Stay vigilant. Stay safe!
Paul Kapadia is an IT professional with over 25 years of experience with software products for insurance, fintech, insurtech, cyber security, technology startups, and Fortune 100 clients globally. Currently, Paul is guiding IA&B through its digital transformation journey by leveraging best practices and the latest platforms to derive operational and cost efficiencies. He is also working closely with IA&B to offer products and services that make independent insurance agencies safer, smarter and more profitable. Paul is available to consult with IA&B members today. Contact him at PaulK@IABforME.com.