Unlike traditional business risks such as fire and workers’ compensation, the cyber risk landscape continues to evolve. As with any relationship, agents must first establish trust, address risks honestly, and educate and provide practical, usable recommendations to insureds to minimize risk. To do so, agents must expand their information security knowledge. Those who don’t risk losing business to competing agents as well as being disintermediated by holistic solutions sold direct by a growing number of savvy and well-capitalized on-line insurance and security
To many SMEs and their agents, the terms “cybersecurity” and “cyber insurance” trigger equal amounts of anxiety and confusion. Simply put, smaller insureds don’t actually know the names of the tools they need and don’t know the proper technical words that will lead them to an effective solution.
In our experience, most SMEs are not confident about the security of their networks. They are not sure what their biggest cyber risk is and are confused by the current information security landscape. Most know of other businesses that lost money and data due to attacks targeted at employees, resulting in ransomware and wire transfer fraud. These executives want to know the most cost-effective things they can do to mitigate the risk of cyber attacks.
The Latest Scary Stuff
As many cyber security experts will admit, the cyber security industry is broken. Despite astounding market growth for security software and services, the increase in the frequency of attacks is equally astonishing.
- In 2017, the cyber security market was worth over $120 billion (up from $77 billion in 2015), yet incidences of successful hacks continue to rise.
- Ransomware attacks saw a 350% increase in 2018. [2]
- Only 10% of small businesses surveyed had a separate budget for cyber
- Cisco’s 2018 SMB Cybersecurity Report found that 53% of midmarket companies in 26 countries experienced a breach.
- Over 40 percent of companies have sensitive files that are unprotected and open to every employee. [4]
- Most research suggests that more than 90 percent of successful hacks and data breaches stem from phishing scam emails crafted to lure their recipients to click a link, open a document or forward information to an
- According to the results of a survey by Barkly (now AlertLogic) of 60 companies that were hit by successful ransomware attacks over the past 12 months, 77% of respondents said the attacks bypassed email-filtering solutions, 95% bypassed firewalls and 52% bypassed antimalware solutions.
- Cryptojacking is the unauthorized use (via malware) of computer resources to mine cryptocurrency. This exploit can result in utility fraud, leaving insureds with higher utility and other computing costs. Cryptojacking is one of the fastest growing cyber security threats in 2018, with 25% of all businesses already falling victim to cryptomining exploits. [2]
- 68% of U.S. businesses have not purchased any form of cyber liability or
[1] Cybersecurity Market Size Will Reach $300 Billion by 2024.
[2] Cyber Security Ventures, 2019 Cyber Security Almanac.
[3] The National Center for the Middle Market, “Cybersecurity and the Middle Market: The Importance of Cybersecurity and How Middle Market Companies Manage Cyber Risks,” 2016.
[4] Varonis, 2018 Global Data Risk Report.
Multi-Factor Authentication (MFA)
In our experience, multi-factor authentication is possibly the single most cost-effective strategy for SMEs to mitigate a litany of risks. An insured can install antivirus and firewalls, deploy encryption and perform vulnerability tests, but without multi-factor authentication all these measures are
Multi-factor authentication strengthens access security by requiring two or more factors to verify a user’s identity. These factors can include something you know (username and password) plus something you have (a smartphone) to approve authentication requests. Most of us are familiar with the process of getting a code texted to our phone to log in to banking and other applications. This tool is highly effective against phishing and other forms of social engineering as well as password brute-force attacks, and it secures your logins against attackers exploiting weak or stolen credentials. Without the code, malicious actors are not able to gain access to your
Versions of MFA are available free with Office 365 and Google Suite (make sure your insureds turn it on!). Expect to pay up to $6 per user per month for advanced
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Email spoofing is the use of an email message from a forged address that hides the sender’s true identity. The objective is to trick the recipient into taking an action designed to perpetrate business email compromise and email scams, leading to a growing frequency of social engineering attacks that often result in successful wire transfer fraud.
DMARC provides greater assurance of the identity of the sender of an email message and gives email domain owners the ability to protect their domain from unauthorized use, often referred to as email spoofing. Once DMARC is turned on for the insured’s domain with an enforcing policy, only emails that pass authentication will be trusted and delivered. Emails that fail the check are quarantined or rejected.
DMARC is free, but you may need the web host or email administrator to assist with enabling it, since DMARC is not turned on by default.
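How a receiving mail server applies the policy described above, as an added example that is not part of the original article: it parses a DMARC DNS record, checks that the SPF or DKIM result aligns with the visible From: domain, and returns the disposition. The two records and the message results are constructed for illustration (example.com is a reserved documentation domain); the organizational-domain helper is a simplification, not how real receivers do it.

```python
# Added example (not from the article): how a receiving mail server applies the
# DMARC policy a domain owner publishes in DNS. Records and message results are
# constructed for illustration; example.com is a reserved documentation domain.

# Monitoring-only record: spoofed mail is still delivered, the owner just gets reports.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
# Enforcing record: mail that fails authentication is rejected outright.
ENFORCED = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('tag=value; ...') into a dict and apply defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + record)
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless the owner says strict
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless the owner says strict
    return tags

def organizational_domain(domain: str) -> str:
    """Simplified to the last two labels; real receivers consult the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Does the domain SPF (envelope sender) or DKIM (d= tag) authenticated match From:?"""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

def dmarc_disposition(record: str, from_domain: str, spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass', or the policy to apply ('none', 'quarantine' or 'reject').

    DMARC passes only when SPF or DKIM passes AND that identifier aligns with
    the From: header domain; a forged From: with someone else's SPF pass fails.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# A forged message claiming to be from example.com, relayed through an unrelated host.
print(dmarc_disposition(MONITOR_ONLY, "example.com", True, "bulk-sender.test", False, ""))  # none
print(dmarc_disposition(ENFORCED, "example.com", True, "bulk-sender.test", False, ""))  # reject
```

With `p=none` the forged message is still delivered and only reported, which is why a monitoring-only record does not by itself stop spoofing.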
Business Vendors: Get a Pre-Nuptial
Vendors are often the weakest links in the security defenses of most insureds. In the past few months alone, we have seen several claims resulting not from actions (or inactions) of the insured but from breaches suffered by contracted vendors. One involved a healthcare provider infected with ransomware delivered via a record transcription service with access to patient files. The claim resulted in over $100,000 of remediation expense and business interruption loss.
Managing vendor cyber risk is not unlike the risk management services that agents provide to clients for other business contracts. In addition to typical requirements such as favorable hold-harmless and indemnity provisions, vendor risk management contracts should include:
• Description of the PHI/PII and confirmation of authorized user access.
• Minimum required security controls, including basics such as the use of firewalls, anti-virus, patching and encryption. Vendors must also be compliant with relevant regulatory and industry requirements such as HIPAA and PCI-DSS when applicable.
• Security audit clause so the organization has the right to audit security controls periodically.
• Incident reporting requirements stating under what circumstances and by what means a security event is reported to the
• Insurance requirement for a stand-alone cyber policy that includes first- and third-party coverage parts. The contract should require additional insured status (when possible) and provide a minimum limit of $1M.
Knowledgeable agents can assist insureds in conducting effective vendor risk management. Some agents use cyber insurance applications as guides to develop templates. More complex risks should consider Vendor Risk Management (VRM) products that provide vendor security scores, vendor on-boarding and ongoing monitoring of third-party networks. VRM software products are easy to install and use, with prices starting around $500 per vendor.
Beyond a fundamental understanding of how cyber insurance responds to a claim, our most successful agents also possess a basic understanding of which security tools offer the biggest bang for the buck for their insureds. These agents close at 2-3 times the rate of agents relying on the insurance policy to sell itself and are most likely to retain business and keep new direct-writing insurance platforms at bay.
About the Author
Jeffrey founded Cyber Risk Underwriters to offer tech-backed cyber insurance and related products distributed to insurance agents, cyber security providers and “InfoSec” investors.
Prior to joining Cyber Risk Underwriters, Jeffrey enjoyed over 25 years of success providing complex P&C insurance and risk financing design, brokerage and relationship management expertise for complex risks including technology, healthcare, private equity, and real estate.
Cyber Risk Underwriters maintains offices in Atlanta, Georgia; Park City, Utah; and Huntington Beach, California.
Cyber Risk Underwriters
Easy & Cost-Effective Security Solutions For Your
Most small to middle market business executives assume that if they spend $40 per employee for a firewall, patch, install the latest antivirus, and use the cloud, they have a padlock on the door that keeps the bad guys out. All are great foundational tools, but they are not designed to stop evolving criminal attacks. Using email, attackers easily bypass these technologies altogether when users are victimized by email fraud, credential theft and vendor risk. In our experience, the most cost-effective cyber risk management tools that will prevent loss are easy, cheap (if not free) and readily available.
Limit User Administrative Privileges
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. The most common delivery method is phishing: spam or attachments that come to the user in an email disguised as trusted files. Once downloaded and opened, the criminals take control and block network access until a ransom is paid. The vast majority of ransomware exploits are prevented by making sure users are blocked from downloading and installing software onto the network. This is a simple risk control that restricts administrative privileges on workstations and PCs so that software can only be installed by an IT administrator.
Ransomware claims are best prevented by limiting user privileges, according to Nick Economidis, Vice President of eRisk for Crum & Forster: “We frequently offer insurance buyers the opportunity for a lower premium in exchange for implementing simple risk controls that, we believe, will significantly reduce the occurrence of the type of claims that we see most often. One of the things that we suggest is restricting administrative privileges on PCs/computer workstations so that software can only be installed by an IT administrator. We believe that this can significantly reduce the possibility of ransomware (or other malware) infecting the machine. If a user clicks on a rogue link or attachment, the machine will not install the malware because the user is unable to provide the administrator password (and even if they have the administrator password, we hope that the fact that the machine is asking for it will be enough of a warning).”
According to Verizon [5], email fraud accounts for more than 93% of enterprise attacks, which result from phishing scams or fake emails designed to lure recipients to click an infected link or document or forward information to a fake sender. In a survey of 60 companies that were hit by successful ransomware attacks over the past 12 months, 77% of respondents said the attacks bypassed email-filtering solutions, 95% bypassed firewalls and 52% bypassed antimalware solutions. In our experience, the most effective form of training is the use of phishing simulations. Phishing security tests provide an indication of how many employees are susceptible to email social engineering attacks. A well-designed phish-testing program trains employees how to spot a phony email and is proven to reduce the risk of a successful ransomware attack. When combined with typical user training, the results are stunning.
Leading training vendor KnowBe4 conducted a study [6] of 6,000,000 users in 11,000 organizations encompassing almost 250,000 tests. Across several industry verticals, initial baseline click rates ranged from 25%-35% for SMEs under 1000 employees. At 90 days, rates ranged from 10%-17%, and at 12 months rates dropped to 1.5% to
Phase one is establishing an initial baseline. A phishing test template is designed based on the employer’s unique environment, and a landing page (often a training site) is created for users who click. The users are provided a summary of what they missed, and the employer is provided charts indicating the “phish-prone” rate. Most vendors also provide a comparison to others in the subject industry vertical. Additional tests are sent out randomly during the course of the following 12 months.
These programs are simple and easy to implement. Several vendors offer a free phishing simulation service for companies with up to 100 employees, including online registration, monthly phishing exploits, and detailed analytics to isolate opportunities for improvement. For advanced versions, pricing runs from $5 to $15 per seat per year.