By Susan Elise Campbell
Cyber crime is rising so rapidly that businesses without specific cyber insurance are at risk for tens to hundreds of thousands of dollars of loss and even more, according to Ken Grey, a senior vice president with Marshall+Sterling in Saratoga.
“It’s not a matter of if, but when, your business will need to make a cyber claim,” he said.
Grey said that in an ideal world, 100 percent of his clients would have not just standard cyber coverage under their general business insurance, but a specific and separate policy to cover the growing number of claims. He believes this coverage is so important that if a client refuses to get coverage, he asks them to sign a document.
“The reason for this is not to say ‘I told you so’ if they are later a victim of cyber crime, but to get them to think about the decision they are making,” he said.
Some sources like statista.com say that nearly 75 percent of all U.S. companies were at risk of being cyber-attacked last year. In 2022 there were 480,000 such attacks.
“Everyone has heard about the data breaches at AT&T and Ticketmaster,” said Lorraine Emerick, a senior vice president at Marshall+Sterling. “With a smaller business, the owner often thinks, ‘it won’t happen to me.’”
But it does. In the Capital Region predominant targets are middle market, medium sized companies, often because the attackers assume they do not have the staff or the time to “keep all the guards and fortresses in place” to protect themselves, noted Grey.
“Cyber criminals may not be seeking a $25 million ransom, but they’re looking for something,” Emerick said.
“These people are very patient and will wait for months or years for someone to make that mistake and release the information,” said Grey.
“They are counting on employees to not look closely at the emails they are getting,” he said. “It looks real, so when they click on something, it’s like opening the doors and windows in your home for thieves.”
Emerick said this kind of attack is called social engineering, in which a cyber criminal lures targets into doing something they normally do, like verifying information on an email or responding to a business communication. But in actuality the individual has been tricked into giving up personal information or purchasing something from a fake account.
Marshall+Sterling began offering cyber insurance in 2007. Back then coverage was for identity theft. Today’s claims can include investigations arising from a data breach, loss arising from stolen credit card transitions, media liability such as copyright infringement, bodily injury, employment of IT forensics experts to investigate the scope of a computer breach, extortion restoration, certain hardware upgrades, cost to restore data, business interruption, and many other related proceedings and penalties, said Emerick.
In 2015 the company had a big claim with an educational institution, in which someone’s laptop had been stolen from their home and thousands of names were removed unbeknownst to the client, Grey said.
“The legal team had to track down these people in 26 states,” he said.
An insurance company can refuse to pay out if the information on the laptop was not encrypted, Emerick said. It is now an industry requirement that all PII, or personal identifiable information, be protected through encryption.
Many companies mistakenly think they are protected for losses and lawsuits under their crime policy or the standard cyber coverage that may come with their business policy. However, since the individual has voluntarily given up the information to an unrelated party in a social engineering event, the company is either not covered enough or not covered at all.
Cyber attackers have gotten more skillful at accessing the digital records of a company’s employees, clients and vendors. Grey said there are 30 to 50 reputable carriers who offer cyber policies, and Marshall+Sterling narrows the field to a select three to five because “not all insurance companies are the same.”
“This coverage is for when things happen you didn’t anticipate because you think you were doing everything right,” said Emerick.
“We try to address the risks for all our clients,” said Grey. “You can’t control everything, but that’s what insurance is for.”
Grey and Emerick help educate clients about cyber crime and prevention.
Learn more at marshallsterling.com