Small businesses—which can include PIA members—are tempting targets for cyber crooks. They are just as vulnerable to data breaches as big companies, but they have fewer defenses. Members who have walked clients through the cyber claim process or who have been hacked themselves will tell you that the best defense is never getting hacked in the first place. Cybercrooks are constantly changing their tactics, making it more important than ever for members to stay two steps ahead. That means understanding an agency’s cyber weaknesses in detail and deploying the most effective cyber security tools and practices.
“Being hacked is an experience I wouldn’t wish on anyone,” says Vonda Copeland of Kansas-based Copeland Insurance Agency. “Having gone through it, however, we learned invaluable lessons even though we always placed a high priority on protecting our data and maintained good insurance coverage.”
Copeland said her agency was hit several years ago when it was changing to a new email platform.
“We had already installed multifactor authentication, updated our firewalls and developed a cyber handbook so we would know what to do if and when a breach occurred,” she said. “Nevertheless, we had a breach when our old website was still up and our MFA had been shut down briefly. Then, a client received a nonrenewal notice, ostensibly from us, of course, and paid the premium. When we saw it after the fact, we immediately recognized it as bogus, but the damage was already done.”
Copeland said the breach compromised 10 years of an email inbox of one agent, most likely through a phishing email.
“The client ended up paying for the policy twice and our carrier negotiated the payment toward part of the wire fraud under the third-party coverage of our policy,” Copeland added.
“Even with our careful preparations, we lost weeks of productivity and endured a lot of headaches and sleepless nights,” Copeland said. “What we learned, though, was that the time we had spent building up our defenses and educating our staff proved to be a great investment that paid for itself. We had acted quickly because we knew what we needed to do, but just as importantly, we understood that the damage would have been far more severe, both to us and the client had we not taken those steps first.”
Karen Murphy, a cyberspecialist and commercial- and personal-lines producer at Indiana-based Ritman and Associates, had a different run-in with cybercrooks.
“While conducting online research, a customer of one of the agency’s clients clicked on an old website that had not been disabled, which triggered an immediate ransomware demand,” she said. “The crook was able to access customer files, extracted many, and the company lost a full seven days of productivity in which they could not use their system at all.”
Murphy said the experience exposed several common cyber vulnerabilities among both agencies and clients.
“Vendors, no matter how small, should have a working knowledge of cyber security best practices,” Murphy said. “That goes for agencies, as well as clients. Asking for a certificate of insurance should also be standard practice and a vendor who won’t provide one should be a huge red flag.”
Fortunately, the agency’s client had a cyberpolicy in place, which provided a data breach coach to immediately guide them through the investigation. The IT expenses incurred to restore the data also were covered by the policy.
Murphy said that cybersecurity must be considered a core business function, regardless of whether an agency relies on in-house staff or uses an outside service. Forty-three percent of all cyberattacks are aimed at small businesses, yet only 14% of these businesses are prepared to defend themselves, according to Accenture.
“It is well-documented that cybercriminals are sharpening their attack strategies, techniques and tools every day, which is why agents must stay two steps ahead,” Murphy concluded.
“In today’s tight market, carriers want to see proof that a policyholder has specific cyber security tools and practices in place before issuing a quote or binding coverage,” says Copeland. “But even the best coverages will likely not cover everything, not the least of which will be a huge hit on productivity and reputational harm.”
Protect your agency from cyberthreats
PIA members and every one of their small-business clients must understand and then tackle their cybersecurity weaknesses before they are crippled by them. To protect their sensitive data—and their insureds’ sensitive data—insurance agents should have cyber liability coverage.
To determine their unique cyber risks, PIA-member agents can use PIA’s Cyber Risk Assessment. PIA members also can access “Ransomware is a real menace” in the PIA QuickSource library.