Busting Cyber Myths Part 2: I Can’t Afford Cyber Protection
By David Myers, Data Privacy & Cybersecurity Partner
Buckingham, Doolittle & Burroughs, LLC
In the second of a three-part series, Buckingham Data Privacy and Cybersecurity Attorney David Myers talks with Andy Jones, CEO, Fortress Security Risk Management, and Bryan Schauer, Vice President at The Schauer Group’s Cleveland Office. They share valuable information about how to respond to a security breach, what insurance covers, trends in cost, and what typically happens following a cyber-attack.
Imagine the sudden realization that you have been hacked and the party on the other end wants millions of dollars to restore your data. What would you be thinking? What is your best next step?
I’ve seen two typical reactions. Companies with cybersecurity insurance think, “we have a policy that will cover this. It’s a claims game.” Others think they have the IT strength in place to get beyond it. “I’ve never seen either situation work out precisely as the parties thought it would,” says Jones. “Cyber insurance is only part of the solution and the great majority of in-house IT staffs simply don’t have the cyber expertise to properly contain, control and remediate an attack.”
The reality is that most policies will only cover a portion of the cost, which is typically far more than just the ransom to get back to business. And the return to normalcy doesn’t happen overnight.
“Having a ransomware event is a days to weeks-long process and that depends on your cyber posture pre-event. It becomes a painful exercise in business survival,” Jones explains. “Your company is essentially frozen – no sales, no billing, no accounts receivables, no product development, no productivity of any kind – nothing.”
“Being hacked causes a lot of anxiety. Often cybersecurity incidents occur at a time when other issues may be at play and there is higher anxiety. Hackers are looking for a time when your company is busier than usual or in the midst of a deal so they can catch you off guard,” explains Schauer.
“Once you realize you’ve had a cybersecurity incident, what’s the recommended first step?” asks Myers.
In the event of an incident, one of your first calls should be to your insurance company, advises Schauer. They may be able to help with ransom and business disruption costs depending on your coverage.
“The average cost of a claim in 2021 was $4.2 million. The ransom demand averaged $2.2 million. After negotiation, the average ransom paid was $541,000, based on reported and known cases,” explains Schauer, noting that many cases are not reported.
Along with helping with ransom, your insurance carrier should connect you with a breach coach – an attorney who can connect you with an incident response team from a cybersecurity firm. The security team works under attorney client privilege, which protects you. The cyber attorney will also walk you through the next steps and what to expect in the aftermath – costs, customer contract and deliverable issues, state reporting requirements, cash flow and credit disruption, potential credit monitoring for stolen data, and more.
“The process is often driven by the insurance carrier, but your cyber attorney plays a key role. We often see the victim negotiating with or trying to understand why some things aren’t covered by the policy. The reality is that the ransom accounts for only 15-20% of the cost of a breach,” says Jones.
“With the number of cybersecurity incidents increasing, what changes are taking place in the insurance industry?” questions Myers.
“For example, if you do not have multifactor authentication, you may not be able to get coverage at all. The good news is that’s a relatively simple and low-cost process to implement,” says Schauer.
“For those who do have insurance, chances are good that you need more coverage than you currently have. If you don’t already have it, you should seriously consider getting it,” Jones advises. “You also need to have your in-house cybersecurity in order. You should do everything possible on your end to prevent a breach – and it’s not that hard. We often think only of really big companies as the targets. The reality is there is no such thing as a typical target. More than 80% of victims are small- to mid-sized companies.”
As the number of incidents continues to rise, insurance costs are increasing, and carriers are being more selective about the companies they cover. In addition, they are putting more limits on the amount that will be paid for ransom.
The vast majority of victims do pay the ransom. Once they do, will they be a target again? Possibly, but both Jones and Schauer agree you can do a lot to prevent it by having cybersecurity systems and practices on your end to make it a lot harder for the bad guys to break through.
If you missed Part 1 of Busting Cyber Myths, “We’re Not A Target”, you can view it here: https://www.youtube.com/watch?app=desktop&v=waeT0Fmeh8c. To learn more, connect with David, Andy or Bryan:
David Myers Andy Jones Bryan Schauer