2222222222

Sponsored: Great American Insurance Group

Main Street America: A Vulnerable Target for Cyber Attack

Stop your small business from being the next victim by working with an insurer who can offer tailored solutions to fit your needs.
By: | May 23, 2018 • 6 min read

Cyber risk affects everyone. There’s not a business small or simple enough to escape its reach. If you handle personally identifiable information on behalf of employees or customers, use a computer to conduct business, or work with a vendor that does, your company is exposed.

Small businesses that make up Main Street America, however, continually underestimate their risk. These are the local food markets, ice cream shops and hardware stores; independent legal and consulting firms; preschools and small nonprofits that underpin community economies.

Sixty-one percent of businesses in this sector suffered a cyber attack in 2017, yet only 25 percent had sufficient cyber insurance coverage, according to Ponemon Institute’s “2017 State of Cyber Security in Small & Medium-Sized Businesses.” Even fewer – 22 percent – were taking steps to protect themselves by encrypting private employee and customer data.

Addressing the coverage gap requires two steps. First, small business owners need to better understand the type and extent of their cyber exposure. Second, their insurer and broker partners need to proactively educate this sector about the risk transfer solutions available to them.

The Many Forms of Cyber Risk

Betty Shepherd, Divisional Senior Vice President

“Cyber risk refers to the financial consequences a business has in the face of a network security breach or a breach of private information in their care, custody or control,” said Betty Shepherd, Divisional Senior Vice President, Great American Insurance Group.

“This risk can manifest itself in several forms, but the majority comes down to data. It’s important to analyze how data flows through your organization to determine your exposure.”

A network security breach can include anyone gaining unauthorized access to a company’s systems and/or data. A network breach may or may not result in a privacy beach, in which an unauthorized person gains access to personal identifiable information (PII) like credit card numbers, Social Security numbers, addresses or other sensitive data. A network breach can cause business interruption, data loss or even an extortion event.

Possible theft of PII triggers a host of extra expenses. All 50 states now require businesses to report cyber breaches involving PII to affected individuals as well as regulators. An organization may need to conduct forensic investigation to determine what — if anything— was accessed or stolen. Affected companies may also offer ongoing credit monitoring services to affected customers if financial information was divulged.

“In states with notification requirements, data owners are legally obligated to notify an individual if their private information has been breached or thought to be accessed in an unauthorized manner,” Shepherd said.

“Many small businesses believe this obligation falls to their third-party data processors, such as payment processors handling credit card data, or outsourced accounting functions administering payroll, for example. But that is not the case. Care of that data remains the responsibility of the business that collected it.”

Cyber extortion in the form of ransomware has grown increasingly common as a way for thieves to make off with small sums. Many companies would rather pay an affordable ransom and regain system access quickly than battle with an unknown assailant.

Denial of service attacks can cause financial harm via business interruption and lost income.

Third-party liability also enters the picture if the data belonging to a vendor or other business associate is unlawfully accessed, stolen or corrupted.

“An affected third party could file a claim against you if your network is determined to be the source of malware or the entry point for a cyber thief, thus enabling the compromise of the third party’s network,” Shepherd said.

Business owners should also keep in mind that paper trails are as important to safeguard as digital ones.

“People also tend to forget that cyber risk extends to paper files as well as electronic. Data is data,” Shepherd said. “Physical documents that contain sensitive information are still an exposure. Failing to properly store and/or dispose of that paper may open a company up to the same liability as if a computer system gets hacked.”

More often than not, carelessness on the part of employees — rather than a malicious hacker — is the cause of network security failure. Unwittingly clicking on a link or attachment within a phishing email, for example, can plant malware without any overt indication. Mobile devices used for work can be stolen or lost. Papers casually tossed in the trash are easy targets for theft.

“Understanding where cyber risk comes from is the first step of risk mitigation,” Shepherd said.

Developing a Risk Management Strategy

Once a business pinpoints where its exposure lies, it can take specific steps to strengthen vulnerabilities. Encrypting data renders it useless to a cyber thief. Storing sensitive documents in a locked cabinet and enforcing proper disposal protocols reduces the risk that they’ll fall into the wrong hands. Installing firewalls and dual-authentication processes can enhance network security.

But advancing technology and increasingly sophisticated hackers make it nearly impossible to build ironclad defenses against cyber risk. This is why adequate cyber insurance is critical in helping small companies stay up and running in the aftermath of a breach.

Parsing through the insurance options available, though, can be difficult even for large corporations with more cyber expertise. Lots of overlap exists among current products on the market. General liability, E&O and fidelity products may have some cyber component built in but may not offer all the coverages a company needs. Still, some small businesses can find it costly to purchase a standalone cyber policy.

“There are many policy variations, and there’s no single form on the market that will cover every cyber peril,” Shepherd said. “The appropriate solution depends on the nature of your exposure.”

A pizzeria, for example, can still make pies and accept cash payments if their point-of-sale system goes down, so its management team is less concerned about business interruption expenses. A manufacturer, on the other hand, may suffer a total lapse in operations if their industrial network is compromised. A consulting firm is likely to have staff working remotely and may need specific coverage for mobile devices more so than a clothing boutique. But the boutique will transact a larger volume of credit card data and may be more concerned with breach notification and remediation costs.

Expertise to Craft Custom Solutions

Insurers with expertise in cyber risk can offer the tailored solutions that small businesses need.

Great American offers a modular policy format with a menu of insuring agreements, including security breach liability and expenses, cyber extortion threats, funds transfer fraud, replacement or restoration of electronic data, and public relations expenses, among others.

“A Great American policy includes the third-party liability exposure inherent in many network security and privacy breaches as well as the first-party exposure like breach notification, investigation and credit monitoring expenses,” Shepherd said. “We also have separate coverage available for public relations services to help an organization mitigate reputational damage in the event they experience negative publicity following a breach.”

Great American policyholders also have access to a web portal offering informational resources like whitepapers, as well as breach calculators and referrals for security, forensic investigation and legal firms.

Great American has focused its cyber expertise on the needs of small- to medium-sized companies, underwriting businesses with up to $250 million in annual revenue.

“Every organization has a cyber risk exposure, but we’re not looking to underwrite everyone. We’re dedicated to the unique needs of small- and mid-size organizations,” Shepherd said. “We will continue to educate and serve this sector as the risk and exposures evolves.”

To learn more, visit https://www.greatamericaninsurancegroup.com/for-businesses/product-details/alternative-markets/cyber-risk.

Great American Insurance Group, 301 E. Fourth St., Cincinnati, OH 45202. Policies are underwritten by Great American Insurance Company, Great American Assurance Company, Great American Alliance Insurance Company, Great American Insurance Company of New York, Great American Security Insurance Company, and Great American Spirit Insurance Company, authorized insurers in all 50 states and the DC.

SponsoredContent

BrandStudioLogo

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Great American Insurance Group. The editorial staff of Risk & Insurance had no role in its preparation.




Great American’s innovative insurance solutions and specialization serves niche marketplaces that we know well, giving us a successful foundation that spans generations.

Risk Management

The Profession: Curt Gross

This director of risk management sees cyber, IP and reputation risks as evolving threats, but more formal education may make emerging risk professionals better prepared.
By: | June 1, 2018 • 4 min read

R&I: What was your first job?

My first non-professional job was working at Burger King in high school. I learned some valuable life lessons there.

R&I: How did you come to work in risk management?

After taking some accounting classes in high school, I originally thought I wanted to be an accountant. After working on a few Widgets Inc. projects in college, I figured out that wasn’t what I really wanted to do. Risk management found me. The rest is history. Looking back, I am pleased with how things worked out.

R&I: What is the risk management community doing right?

Advertisement




I think we do a nice job on post graduate education. I think the ARM and CPCU designations give credibility to the profession. Plus, formal college risk management degrees are becoming more popular these days. I know The University of Akron just launched a new risk management bachelor’s program in the fall of 2017 within the business school.

R&I: What could the risk management community be doing a better job of?

I think we could do a better job with streamlining certificates of insurance or, better yet, evaluating if they are even necessary. It just seems to me that there is a significant amount of time and expense around generating certificates. There has to be a more efficient way.

R&I: What was the best location and year for the RIMS conference and why?

Selfishly, I prefer a destination with a direct flight when possible. RIMS does a nice job of selecting various locations throughout the country. It is a big job to successfully pull off a conference of that size.

Curt Gross, Director of Risk Management, Parker Hannifin Corp.

R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?

Definitely the change in nontraditional property & casualty exposures such as intellectual property and reputational risk. Those exposures existed way back when but in different ways. As computer networks become more and more connected and news travels at a more rapid pace, it just amplifies these types of exposures. Sometimes we have to think like the perpetrator, which can be difficult to do.

R&I: What emerging commercial risk most concerns you?

I hate to sound cliché — it’s quite the buzz these days — but I would have to say cyber. It’s such a complex risk involving nontraditional players and motives. Definitely a challenging exposure to get your arms around. Unfortunately, I don’t think we’ll really know the true exposure until there is more claim development.

R&I: What insurance carrier do you have the highest opinion of?

Advertisement




Our captive insurance company. I’ve been fortunate to work for several companies with a captive, each one with a different operating objective. I view a captive as an essential tool for a successful risk management program.

R&I: Who is your mentor and why?

I can’t point to just one. I have and continue to be lucky to work for really good managers throughout my career. Each one has taken the time and interest to develop me as a professional. I certainly haven’t arrived yet and welcome feedback to continue to try to be the best I can be every day.

R&I: What have you accomplished that you are proudest of?

I would like to think I have and continue to bring meaningful value to my company. However, I would have to say my family is my proudest accomplishment.

R&I: What is your favorite book or movie?

Favorite movie is definitely “Good Will Hunting.”

R&I: What’s the best restaurant you’ve ever eaten at?

Tough question to narrow down. If my wife ran a restaurant, it would be hers. We try to have dinner as a family as much as possible. If I had to pick one restaurant though, I would say Fire Food & Drink in Cleveland, Ohio. Chef Katz is a culinary genius.

R&I: What is the most unusual/interesting place you have ever visited?

The Grand Canyon. It is just so vast. A close second is Stonehenge.

R&I: What is the riskiest activity you ever engaged in?

Advertisement




A few, actually. Up until a few years ago, I owned a sport bike (motorcycle). Of course, I wore the proper gear, took a safety course and read a motorcycle safety book. Also, I have taken a few laps in a NASCAR [race car] around Daytona International Speedway at 180 mph. Most recently, trying to ride my daughter’s skateboard.

R&I: If the world has a modern hero, who is it and why?

The Dalai Lama. A world full of compassion, tolerance and patience and free of discrimination, racism and violence, while perhaps idealistic, sounds like a wonderful place to me.

R&I: What about this work do you find the most fulfilling or rewarding?

I really enjoy the company I work for and my role, because I get the opportunity to work with various functions. For example, while mostly finance, I get to interact with legal, human resources, employee health and safety, to name a few.

R&I: What do your friends and family think you do?

I asked my son. He said, “Risk management and insurance.” (He’s had the benefit of bring-your-kid-to-work day.)

Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]