Sponsored: Great American Insurance Group

Main Street America: A Vulnerable Target for Cyber Attack

Stop your small business from being the next victim by working with an insurer who can offer tailored solutions to fit your needs.
By: | May 23, 2018 • 6 min read

Cyber risk affects everyone. There’s not a business small or simple enough to escape its reach. If you handle personally identifiable information on behalf of employees or customers, use a computer to conduct business, or work with a vendor that does, your company is exposed.

Small businesses that make up Main Street America, however, continually underestimate their risk. These are the local food markets, ice cream shops and hardware stores; independent legal and consulting firms; preschools and small nonprofits that underpin community economies.

Sixty-one percent of businesses in this sector suffered a cyber attack in 2017, yet only 25 percent had sufficient cyber insurance coverage, according to Ponemon Institute’s “2017 State of Cyber Security in Small & Medium-Sized Businesses.” Even fewer – 22 percent – were taking steps to protect themselves by encrypting private employee and customer data.

Addressing the coverage gap requires two steps. First, small business owners need to better understand the type and extent of their cyber exposure. Second, their insurer and broker partners need to proactively educate this sector about the risk transfer solutions available to them.

The Many Forms of Cyber Risk

Betty Shepherd, Divisional Senior Vice President

“Cyber risk refers to the financial consequences a business has in the face of a network security breach or a breach of private information in their care, custody or control,” said Betty Shepherd, Divisional Senior Vice President, Great American Insurance Group.

“This risk can manifest itself in several forms, but the majority comes down to data. It’s important to analyze how data flows through your organization to determine your exposure.”

A network security breach can include anyone gaining unauthorized access to a company’s systems and/or data. A network breach may or may not result in a privacy beach, in which an unauthorized person gains access to personal identifiable information (PII) like credit card numbers, Social Security numbers, addresses or other sensitive data. A network breach can cause business interruption, data loss or even an extortion event.

Possible theft of PII triggers a host of extra expenses. All 50 states now require businesses to report cyber breaches involving PII to affected individuals as well as regulators. An organization may need to conduct forensic investigation to determine what — if anything— was accessed or stolen. Affected companies may also offer ongoing credit monitoring services to affected customers if financial information was divulged.

“In states with notification requirements, data owners are legally obligated to notify an individual if their private information has been breached or thought to be accessed in an unauthorized manner,” Shepherd said.

“Many small businesses believe this obligation falls to their third-party data processors, such as payment processors handling credit card data, or outsourced accounting functions administering payroll, for example. But that is not the case. Care of that data remains the responsibility of the business that collected it.”

Cyber extortion in the form of ransomware has grown increasingly common as a way for thieves to make off with small sums. Many companies would rather pay an affordable ransom and regain system access quickly than battle with an unknown assailant.

Denial of service attacks can cause financial harm via business interruption and lost income.

Third-party liability also enters the picture if the data belonging to a vendor or other business associate is unlawfully accessed, stolen or corrupted.

“An affected third party could file a claim against you if your network is determined to be the source of malware or the entry point for a cyber thief, thus enabling the compromise of the third party’s network,” Shepherd said.

Business owners should also keep in mind that paper trails are as important to safeguard as digital ones.

“People also tend to forget that cyber risk extends to paper files as well as electronic. Data is data,” Shepherd said. “Physical documents that contain sensitive information are still an exposure. Failing to properly store and/or dispose of that paper may open a company up to the same liability as if a computer system gets hacked.”

More often than not, carelessness on the part of employees — rather than a malicious hacker — is the cause of network security failure. Unwittingly clicking on a link or attachment within a phishing email, for example, can plant malware without any overt indication. Mobile devices used for work can be stolen or lost. Papers casually tossed in the trash are easy targets for theft.

“Understanding where cyber risk comes from is the first step of risk mitigation,” Shepherd said.

Developing a Risk Management Strategy

Once a business pinpoints where its exposure lies, it can take specific steps to strengthen vulnerabilities. Encrypting data renders it useless to a cyber thief. Storing sensitive documents in a locked cabinet and enforcing proper disposal protocols reduces the risk that they’ll fall into the wrong hands. Installing firewalls and dual-authentication processes can enhance network security.

But advancing technology and increasingly sophisticated hackers make it nearly impossible to build ironclad defenses against cyber risk. This is why adequate cyber insurance is critical in helping small companies stay up and running in the aftermath of a breach.

Parsing through the insurance options available, though, can be difficult even for large corporations with more cyber expertise. Lots of overlap exists among current products on the market. General liability, E&O and fidelity products may have some cyber component built in but may not offer all the coverages a company needs. Still, some small businesses can find it costly to purchase a standalone cyber policy.

“There are many policy variations, and there’s no single form on the market that will cover every cyber peril,” Shepherd said. “The appropriate solution depends on the nature of your exposure.”

A pizzeria, for example, can still make pies and accept cash payments if their point-of-sale system goes down, so its management team is less concerned about business interruption expenses. A manufacturer, on the other hand, may suffer a total lapse in operations if their industrial network is compromised. A consulting firm is likely to have staff working remotely and may need specific coverage for mobile devices more so than a clothing boutique. But the boutique will transact a larger volume of credit card data and may be more concerned with breach notification and remediation costs.

Expertise to Craft Custom Solutions

Insurers with expertise in cyber risk can offer the tailored solutions that small businesses need.

Great American offers a modular policy format with a menu of insuring agreements, including security breach liability and expenses, cyber extortion threats, funds transfer fraud, replacement or restoration of electronic data, and public relations expenses, among others.

“A Great American policy includes the third-party liability exposure inherent in many network security and privacy breaches as well as the first-party exposure like breach notification, investigation and credit monitoring expenses,” Shepherd said. “We also have separate coverage available for public relations services to help an organization mitigate reputational damage in the event they experience negative publicity following a breach.”

Great American policyholders also have access to a web portal offering informational resources like whitepapers, as well as breach calculators and referrals for security, forensic investigation and legal firms.

Great American has focused its cyber expertise on the needs of small- to medium-sized companies, underwriting businesses with up to $250 million in annual revenue.

“Every organization has a cyber risk exposure, but we’re not looking to underwrite everyone. We’re dedicated to the unique needs of small- and mid-size organizations,” Shepherd said. “We will continue to educate and serve this sector as the risk and exposures evolves.”

To learn more, visit https://www.greatamericaninsurancegroup.com/for-businesses/product-details/alternative-markets/cyber-risk.

Great American Insurance Group, 301 E. Fourth St., Cincinnati, OH 45202. Policies are underwritten by Great American Insurance Company, Great American Assurance Company, Great American Alliance Insurance Company, Great American Insurance Company of New York, Great American Security Insurance Company, and Great American Spirit Insurance Company, authorized insurers in all 50 states and the DC.

SponsoredContent

BrandStudioLogo

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Great American Insurance Group. The editorial staff of Risk & Insurance had no role in its preparation.




Great American’s innovative insurance solutions and specialization serves niche marketplaces that we know well, giving us a successful foundation that spans generations.

2018 Risk All Stars

Stop Mitigating Risk. Start Conquering It Like These 2018 Risk All Stars

The concept of risk mastery and ownership, as displayed by the 2018 Risk All Stars, includes not simply seeking to control outcomes but taking full responsibility for them.
By: | September 14, 2018 • 3 min read

People talk a lot about how risk managers can get a seat at the table. The discussion implies that the risk manager is an outsider, striving to get the ear or the attention of an insider, the CEO or CFO.

Advertisement




But there are risk managers who go about things in a different way. And the 2018 Risk All Stars are prime examples of that.

These risk managers put in gear their passion, creativity and perseverance to become masters of a situation, pushing aside any notion that they are anything other than key players.

Goodyear’s Craig Melnick had only been with the global tire maker a few months when Hurricane Harvey dumped a record amount of rainfall on Houston.

Brilliant communication between Melnick and his new teammates gave him timely and valuable updates on the condition of manufacturing locations. Melnick remained in Akron, mastering the situation by moving inventory out of the storm’s path and making sure remediation crews were lined up ahead of time to give Goodyear its best leg up once the storm passed and the flood waters receded.

Goodyear’s resiliency in the face of the storm gave it credibility when it went to the insurance markets later that year for renewals. And here is where we hear a key phrase, produced by Kevin Garvey, one of Goodyear’s brokers at Aon.

“The markets always appreciate a risk manager who demonstrates ownership,” Garvey said, in what may be something of an understatement.

These risk managers put in gear their passion, creativity and perseverance to become masters of a situation, pushing aside any notion that they are anything other than key players.

Dianne Howard, a 2018 Risk All Star and the director of benefits and risk management for the Palm Beach County School District, achieved ownership of $50 million in property storm exposures for the district.

With FEMA saying it wouldn’t pay again for district storm losses it had already paid for, Howard went to the London markets and was successful in getting coverage. She also hammered out a deal in London that would partially reimburse the district if it suffered a mass shooting and needed to demolish a building, like what happened at Sandy Hook in Connecticut.

2018 Risk All Star Jim Cunningham was well-versed enough to know what traditional risk management theories would say when hospitality workers were suffering too many kitchen cuts. “Put a cut-prevention plan in place,” is the traditional wisdom.

But Cunningham, the vice president of risk management for the gaming company Pinnacle Entertainment, wasn’t satisfied with what looked to him like a Band-Aid approach.

Advertisement




Instead, he used predictive analytics, depending on his own team to assemble company-specific data, to determine which safety measures should be used company wide. The result? Claims frequency at the company dropped 60 percent in the first year of his program.

Alumine Bellone, a 2018 Risk All Star and the vice president of risk management for Ardent Health Services, faced an overwhelming task: Create a uniform risk management program when her hospital group grew from 14 hospitals in three states to 31 hospitals in seven.

Bellone owned the situation by visiting each facility right before the acquisition and again right after, to make sure each caregiving population was ready to integrate into a standardized risk management system.

After consolidating insurance policies, Bellone achieved $893,000 in synergies.

In each of these cases, and in more on the following pages, we see examples of risk managers who weren’t just knocking on the door; they were owning the room. &

____________________

Risk All Stars stand out from their peers by overcoming challenges through exceptional problem solving, creativity, clarity of vision and passion.

See the complete list of 2018 Risk All Stars.

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]