Regardless of size, every business that is connected to the internet or has an online presence is at risk of cybercrime. Therefore, every business should be prepared with an effective cyber security plan to protect against risks associated with cybercrime, which includes having cyber insurance coverage.
While one might think that large companies are far more likely than small businesses to be targets of cybercrime, with far more devastating consequences, in actuality the ratio is only 2:1, with a third of all documented data breaches occurring in businesses with fewer than 100 employees. And, of small businesses that do fall victim to cybercrime, nearly two thirds close their doors within 6 months of a cyberattack.
Despite this vulnerability, fewer than half of small-business owners consider cyber threats to be a concern, with the majority of small-business owners surveyed by CNBC saying they are not worried about being the victim of a cyberattack, and expressing confidence that they could quickly resolve a cyberattack on their business if needed.
This apathy and overconfidence toward the threat of cyberattacks quickly vanishes the moment one of these businesses falls victim to an attack and feels the associated pain and sense of helplessness. And, while pain can be an excellent motivator and teacher, it would be far better if companies would learn from the pain of others and decide to protect themselves prior to becoming victims.
The two most prevalent types of cyber claims we see reported at Cottingham & Butler involve Ransomware and Social Engineering attacks.
Ransomware
According to the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA), “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”
Ransomware attacks are increasing both in number and in the dollar amounts being demanded, with an increase in ransomware attacks globally last year of 105%, and with what is believed to be the largest ransomware payment ever made, in the amount of $40 million, which was paid by an insurance company last year to regain control of its systems.
In addition to ransomware attackers becoming particularly greedy, with ransom demands often in the millions or even tens of millions of dollars, they are now becoming more vicious as well, sometimes returning for a second bite of the apple and refusing to make data accessible until additional ransom is paid. Sometimes the attacker never re-enables access to encrypted data, despite payment of the demanded ransom.
This is only one reason why CISA recommends that cyber victims DO NOT PAY the ransom. According to CISA’s website, other reasons include the fact that some victims who paid the ransom have reported being targeted again by cyber criminals, and the fact that paying a ransom could inadvertently encourage and perpetuate this type of crime.
Ransomware attacks have hit some large high-profile companies recently, including companies in critical infrastructure such as the fuel and food industries. In May of 2021, both Colonial Pipeline (one of the largest fuel pipelines in the US) and JBS Foods (one of the largest meat processing companies in the world) were the victims of ransomware attacks. The attack on Colonial Pipeline prompted the company to shut down its fuel distribution operations, leading to widespread fuel shortages at gas stations all along the east coast. Colonial paid $4.4 million in ransom to regain access to their data and systems and restart its fuel distribution operations. JBS Foods paid $11 million in ransom to regain access to its data and systems and avoid major food shortages.
Is your company ready for a ransomware attack? Do you have sufficient cyber coverage to enable your company to survive a ransomware attack and remain financially solvent?
Social Engineering
Social Engineering is defined as: The art of manipulating people in an online environment, encouraging them to divulge—in good faith—sensitive, personal information, such as account numbers, passwords, or banking information. Social engineering can also take the form of the “engineer” requesting the wire transfer of monies to what the victim believes is a financial institution or person, with whom the victim has a business relationship, only to later learn that such monies have landed in the account of the “engineer.”
The most common example of a Social Engineering claim that we see at Cottingham & Butler involves an employee of a client being tricked into re-directing payment of invoices or payroll to a cyber criminal, usually in response to an email seemingly from the proper payee. Situations have occurred where these cyber criminals are even willing to fill out paperwork necessary to effectuate the change of account, including providing a letter from a bank. This is why it is so important to pick up the phone and call the proper payee at the phone number already on file to verify their intention to change deposit accounts.
A perfect example of this made the local news recently. Cottingham & Butler is headquartered in Dubuque, Iowa. Just a few weeks ago, Iowa State Auditor, Rob Sand, was the target of an attempted email scam in which someone pretended to be him and unsuccessfully tried to move his paycheck deposit to a different bank account. He credited a state human resources worker with contacting him directly to alert him of the email to divert his paycheck direct deposit to a different bank.
If your company falls victim to a Social Engineering scam, do you have coverage for the ensuing economic impact?
Coverages
Coverage for losses associated with ransomware is available within cyber insurance policies under an insuring agreement most often termed “cyber-extortion coverage.” The items it covers include the ransom payment, breach response, and restoration of data and systems. Business Interruption coverage is also important to cover costs associated with any downtime following a ransomware attack. At Cottingham & Butler, it is our standard to quote a $1M cyber policy aggregate, and we prefer to bind quotes with a “cyber extortion” aggregate that matches the policy aggregate. If we cannot provide a client with a program that offers a ransomware limit outside of the coverages that fall under the carrier’s “cyber extortion” insuring agreement, then we make sure that the coverages that fall under “cyber extortion” (including ransomware) match the policy aggregate so we aren’t limiting coverage for the insured.
Social Engineering and Cybercrime coverages can cover: financial fraud loss (funds transfer), telecommunications fraud, phishing attacks, and personal funds theft. Our team consistently ensures that coverage is included for funds transfer fraud, either within or in addition to Social Engineering coverage, and we seek out carriers that can provide a $250K sublimit for Social Engineering coverage. To better protect our clients, we quote $1 Million for the various coverage parts (except for Social Engineering coverage, which is only available up to $250K), and at least $1 Million aggregate. We have the ability to get higher limits.
Cottingham & Butler, with its dedicated team of Producers and Claims Advocates, is ready and able to help with insuring against and responding to a Ransomware or Social Engineering attack directed against you. Contact a representative today to learn more.