Despite our best hopes and intentions, it’s an inevitability in life that bad things can and will happen. We buy insurance for our vehicles, homes, health care and even our lives, all to protect against the potential financial hardships that could come from the events life throws at us.
As our society becomes increasingly reliant on technology, a new type of insurance has emerged in terms of significance and necessity: cyber insurance. Prior to 2004, if people’s information was breached or a company stored their information and it was hacked, they personally had to file a class-action lawsuit and go after the company. In 2004 a law was enacted that transferred the liability from individuals to companies. This change caused a need for businesses to transfer that risk to insurance. Cyber insurance started as protection from class-action lawsuits but has evolved to encompass everything from ransomware to identity recovery, covering expenses involved with cyber-related security breaches or similar incidents.
Most are familiar with the data breaches of large-scale entities such as Target, Home Depot and most recently Marriott International, which is said to have impacted up to 500 million people. Local entities such as the Lansing Board of Water & Light and Michigan State University have also fallen victim to cyberattacks in recent years, exposing thousands of personal records.
Cyber insurance coverage provides companies with assistance in the aftermath of a cyberattack, from alleviating the financial burden of notifying employees and customers and monitoring their credit to crisis management and communications. But local insurance experts agree that when it comes to those most at risk, it isn’t always the big fish that become the targets for hackers.
“A lot of times people think, ‘We won’t get hacked, we’re so small,’ ’’ said Ben Rathbun, an insurance agent with the Rathbun Agency in Lansing. “I’ve seen companies get hacked that have two employees. The smaller companies are the ones who don’t have enough capital to fight it on their own.”
While hackers continue to seek the vulnerabilities of larger companies’ systems, Rathbun said they have realized how easy it is to get into smaller businesses because they don’t have strong security.
“Big organizations have full-time IT people who spend their day monitoring the security. Smaller businesses just don’t have that,” he said. “A company our size, we have 15 employees. If we had to pay $800,000 to notify our customers about a breach, that would put us out of business.”
David Drayton, vice president at Lyman & Sheets Insurance Agency in Lansing, said anyone with any type of information stored or that handles financials – from a school to a hospital to a restaurant – has a cyber risk.
“If you’re a company that handles personal information, and you have a lot of employees or clients, you could have a serious liability exposure,” Drayton said.
Drayton agreed that highly publicized breaches of larger companies give small businesses a false sense of security.
“When it happens to the big guys, the small guys think they won’t be a target because they don’t have the money,” said Drayton. “But hackers will take smaller amounts of money, $3,000 or $5,000.”
This money is acquired through ransomware, a malicious software designed to deny a person or business access to their computer systems unless a ransom is paid.
“Companies with systems that are hacked through ransomware not only lose the money needed to get back control of their systems, but their systems are no longer reliable,” Drayton said.
This means additional costs to the businesses for new software and updated internal systems. Drayton said it’s crucial to have protections in place so the insurance isn’t even necessary, such as changing passwords and being careful about not clicking on links in emails or downloading files from unknown websites.
Kirk Byrens, a State Farm insurance agent in Okemos, said many small businesses that aren’t covered by cyber insurance policies have difficulty staying intact following a breach.
“There are so many small businesses that go under the next day if something bad happens,” Byrens said. “There isn’t the room for error, for the credit cards not being available immediately. You might have to buy all new software, and you might have anxiety that it would happen again.”
Even beyond notifying customers after a breach, companies still have to deal with the costs of closing their business after being hacked, updating their internal systems and purchasing new software. And beyond the monetary costs, there is also a reputational cost, as establishments lose the trust of their customers and employees.
Beyond businesses, Byrens said the everyday person is also a potential victim of cyber-related or identity-related scams, with the elderly being a prime target.
“The scams on the elderly have gone through the roof,” he said. “That’s why I like that we have the addition of cyber extortion coverage through State Farm.”
Byrens explained that a common scam is someone calling an elderly person pretending to be a grandchild who has been arrested and needs to be wired bail money. But even as the awareness of cyber scams grows, agents warn that hackers are often several steps ahead of the game.
“The moment you hear about a certain identity scam, they’ve already moved onto a new one,” Byrens said. “That’s what is crazy about this stuff. We have to build a coverage for this that is updated every year.”
Rathbun agreed: “As businesses get smarter, hackers get smarter.”
As we continue to rely on technology and introduce new technologies into our lives, our exposure will only continue to increase.
“How do you get to the point where you’re starting to comprehend things like Alexa being able to hear you reading off a credit card number?” Byrens asked. “Every layer that we introduce into our lives with technology, think of that like another door (hackers) have the option to go through.”
That means not only having cyber insurance coverage but reviewing the policies with frequency to make sure all of the bases are covered.
“Because the technology and the internet evolve so quickly, it’s important not just to have cyber, but to review it all of the time because your needs change,” said Rathbun. “How people get hacked changes all of the time. Cyber policies are wildly different depending on what company you’re with, so it’s important to make sure your agent knows what he’s talking about.”
With millions of people impacted by data breaches – whether they are business owners, employees or customers – cyber insurance and its protections are certain to become the norm. Both personally and professionally, insurance agents agree that awareness and preparedness are the keys to staying upright when hackers try to bring them down.
“Any company that’s not purchasing a policy, they’re not doing so because they don’t have the risk,” said Rathbun. “They’re doing so because they’ve neglected to realize they have the risk in the first place.”