Cyber Attacks Are Killing Small Businesses: Here’s What They Can Do to Survive

The biggest cyber weakness, as these authors so adroitly illuminate, is "between the monitor and the chair," i.e., the human susceptibility to falling for a cyber scam.

By: Les Williams and Tim Foley | September 5, 2019

It happened again.

According to the Texas Department of Information Resources, on August 16, 2019 twenty-two Texas towns were simultaneously targeted by a coordinated ransomware attack.

While the vast majority of the towns hit were small local governments, this incident sheds light on a popular misconception in today’s society: Cyber thieves only target large enterprises.

This unprecedented attack also begs the question, will we see a new trend where smaller firms are extorted in a “bundled packaged?”

Cyber Incidents by the Numbers

Aviation disasters and cyber breaches share one common thread — large catastrophic events tend to dominate headlines.

According to the National Transportation Safety Board, out of the 350 U.S. aviation fatalities in 2017, none were attributed to any of the major domestic carriers.

General aviation (i.e. private aircraft) accounted for 94% of these fatalities, but when a large domestic airliner carrier is involved, the news cycle amplifies the fallout and stories can last for weeks.

Tim Foley, director of information security, Dataprise

According to a 2017 study by The Ponemon Institute, 43% of cyber attacks targeted small business.

Given the intense coverage of breaches affecting behemoths such as Equifax and Capital One, it is easy to believe that large entities are victims of breaches by a wide margin.

This idea can lull small business into a sense of complacency, adopting a mindset that breaches are only a large enterprise problem.

Not only are small businesses more susceptible to breaches due to factors such as lack of capable IT resources, but they also suffer the greatest in the aftermath of an attack.

The same Ponemon Study found that 60% of small companies shutter their doors within 6 months of a cyber attack, a fact buried in the headlines.

The majority of these attacks are phishing/social engineering in nature, something that can be limited in scope with proper cyber hygiene training for the staff at these smaller firms.

Combating Coordinated Attacks

Don’t expect these attackers to change their tactics, techniques, or procedures (TTPs) anytime soon, for one simple reason — it’s working.

Until U.S.-based businesses, both large and small, become more resilient against these types of attacks, we will to continue to see large volumes of ‘multiple reuse’ phishing-based email compromise/ransomware attacks.

This scenario is a goldmine for bad actors, a literal extortion economy of scale, multiplying the effect of attacking just one small entity.

This attack vector requires very little overhead, as they can be developed once by an attacker and reused many times, ensuring a low level of effort, high volume and devastating consequences when successful.

Threats never disappear completely, they simply shift their target, strategy or method of delivery and reemerge in new ways.

Whether it’s internet pop-ups, credit card fraud or phishing email sophistication, we continue to witness a threat climate evolving in real time. The 2017 Google Docs phishing email marked the first coordinated phishing attack on a massive scale.

As the threats continue to evolve, the bar to achieve cyber resiliency continues to rise.

Les Williams, partner and chief revenue officer, Risk Cooperative

Ten years ago, a strong network perimeter, managed operating system patching and endpoint protection defined a strong cyber hygiene posture for many organizations.

Today, the same posture would be, quite literally, the bare minimum requirement in place and hope to show ‘due diligence’ within your corporate environment.

As the dust settles on yet another ransomware attack, there are always tangible takeaways for businesses of all sizes to consider and adopt.

We must align our security programs toward a “Layered Security” approach: having multiple layers of security so that a single attack cannot bypass all in-place security controls.

When it comes to the threat of ransomware and many complex threats, some best practices include:

Implement a cyber hygiene program to strengthen the “human firewall.”
Assess your risks and security gaps and plan for their remediation.
Store offline backups of critical assets.
Plan your response well in advance. According to Vanson Borne, an independent UK-based research firm, more than two-thirds of 3,100 organizations interviewed said they were hit by a cyber attack in the last year. What does this mean? A cyber breach is definitely a “when,” not an “if” scenario. Response plans should be created and tested prior to an actual event occurring.

There is no panacea when it comes to these cyber threats, but there are well-founded best practices that, when used properly along with a security metrics program, can help to ensure a minimal attack surface and a reduced scope and impact of any cyber event.

Aftermath of the Texas Cyber Event

The Texas cyber breach will most likely lead to smaller entities scrutinizing their outsourced IT service providers in greater detail.

Evidence of this can be found today by simply reviewing ‘due diligence’ questionnaires entities are requiring these service providers to complete. Expect to see these same entities require independent audits/certifications for outsourced providers as well.

Given the effectiveness of coordinated attacks an inevitable domino effect will ensue; municipalities can expect to pay higher insurance premia for cyber extortion coverage, more cities and towns will add cyber extortion coverage to their policies with increased limits, and outsourced IT service providers may charge higher fees for increased service level agreements to fulfill stricter security requirements.

Although Atlanta and Baltimore refused to pay a ransom in the aftermath of their breaches, smaller municipalities with smaller budgets may not have the same luxury.

This scenario for smaller towns is exacerbated by the length of time it took these larger cities to recover, and the additional expenses incurred by not paying the ransom demanded.

Watch: Here’s a one-on-one interview with Les Williams on cyber risk and covers.

Besides reviewing cyber policies in greater detail, scrutinizing outsourced IT service providers more closely and following the best practices mentioned earlier, the most often-overlooked factor municipalities must consider is the implementation of a robust cyber hygiene program.

The biggest threat lies between the keyboard and the chair — by adding resiliency to this human element in our governments, we add resiliency to our nation. &

Les Williams, CRM, is Cofounder and Chief Revenue Officer of Risk Cooperative. He holds a B.S. in mechanical engineering from the University of Virginia and an MBA from Harvard Business School. Tim Foley joined Dataprise in 2011 and currently serves as Director of Information Security for the Dataprise CYBER division. A former advisor to the Department of Defense, he is a proven leader who brings over 15 years of cross-sector industry experience in information security.

Why Insureds Might See an Uptick in M&PL Claims

George Schalick, Jr., Senior Vice President of the Management and Professional Liability Division, Philadelphia Insurance Companies

The current soft market might come as a bit of a surprise as it does not track with previous underwriting cycles and economic conditions. Afterall, many privately held and non-profit organizations struggled during the early days of the pandemic with shutdowns and rapidly declining revenues. But the Government assistance programs, like the Paycheck Protection Program loans, helped keep many afloat during the tough times.

“During COVID many organizations stopped doing business until they were able to sort out all of the health and safety challenges,” Schalick said. “They were forced to lock down, but then all the government assistance programs allowed them to keep people employed. The increased volume of claims we anticipated we would see coming from the lockdowns and restrictions that were imposed upon businesses in the U.S. didn’t manifest at first.”

“Just because there wasn’t an onslaught of reported claims at the beginning of the pandemic, doesn’t mean the circumstances that would give rise to a claim being reported didn’t occur. Courts and the judicial system were closed or slowed and now that they are back open, we’re starting to see the circumstances that occurred during the COVID lockdowns becoming claims today,” Schalick said. “Litigation is progressing.”

Added to the delayed pandemic litigation is a concern over newer claims that might be filed as the country inches toward an economic downturn. Though a recession was avoided in 2023, experts think a soft dip could occur in 2024, with 76% of economists saying there’s a 50% or less chance of an economic downturn this year — that almost always results in more management liability claims.

“During the Great Recession in 2008, we saw an almost immediate spike in claims because of the economic conditions and the pressure it placed on organizations. They were making personnel changes with significant belt tightening almost immediately.” Schalick said.

What’s in Store for M&PL Policy Rates in 2024?

Despite an uptick in claims and increased economic uncertainty, management liability rates haven’t increased, resulting in market-wide pricing levels that may not meet the increased pressure of rising settlements and jury verdicts.

“Rates are going the other direction and settlement values are not falling,” Schalick said.

The mismatch between rates, claim frequency and severity is, in part, because carriers experiencing the dramatic soft market in the public D&O market are seeking premium gain in the private and non-profit market.

“In the public company market, the rates have been decreasing significantly. The rates were increasing in the private, not-for-profit market, and rightfully so, but there’s a desire to supplement overall mid-size D&O for carriers who also write private not-for-profit, and they see that as an opportunity to aggregate premium,” Schalick said. “So the always competitive landscape in the private, not-for-profit market has dramatically increased in the last 18 to 24 months.”

Still, companies of all sizes and types should be concerned about management liability rates in the future. Legal system abuse is resulting in increases in both the amount of litigation and the size of verdicts plaintiffs are receiving.

Certain areas of the country are particularly vulnerable to this type of legal system abuse. As a result, insureds in these localities are likely to be vulnerable to rate increases.

“The environment is so positive for the plaintiff that forces premium increases so carriers are able to stay in that market long term,” Schalick said.

Why a Tenured Carrier Partner Can Help Insureds Navigate An Uncertain Market

It’s clear that insureds are facing an uncertain M&PL market over the next few years. Fortunately, carriers with a long history in the M&PL space will be there to offer stability.

Philadelphia Insurance Companies has been supporting this market for 35 years. PHLY is committed to offering long-term rate stability, even as economic and claims trends start to push premiums upwards. They have an appetite for all sorts of companies, large and small, for-profit and nonprofit alike.

“We’ve been at this game for a long time and are one of the most tenured underwriters in this space,” Schalick said. “We like to stay very consistent.”

PHLY has worked with both for-profit and non-profit on management liability policies. With dedicated M&PL teams throughout the company’s 13 regions, PHLY provides the support agents and brokers are looking for on behalf of their clients. The teams know their regions well and can respond to local trends. They’re also dedicated to making the renewal process as easy as possible for their partners and policyholders.

“We have real confidence in our results, so we focus a lot on making the renewal experience as painless as possible for all agents and insureds,” Schalick said.

The company is also investing in tools to help insureds avoid losses. Earlier this year, they launched a new online risk management platform, PHLYGateway, which offers resources for insureds on how to create an employee handbook and trainings on issues such as recognizing workplace sexual harassment and discrimination.

If insureds have questions, they can consult a Best Practices Help Line, provided via the platform. That way, they can get on the spot risk management guidance to help them prevent claims.

To learn more, visit: https://www.phly.com/mplDivision/managementLiability/default.aspx.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Philadelphia Insurance Companies. The editorial staff of Risk & Insurance had no role in its preparation.