Cyber vulnerabilities have increased with the dramatic shift to work from home, and criminals are taking advantage (prior post). Organizations should continue to be aggressive in protecting themselves from all cyber exposures, and protection should include purchasing comprehensive Cyber Risk Insurance. Experts segment cyber exposures in a variety of ways, but we take a simple approach that helps SMBs (small and medium-sized businesses) understand the risks. For simplification, we will define the key cyber exposures as follows: data breach, ransomware and theft of money. There are additional exposures, but these three make up the bulk of all Cyber Risk Insurance claims.
A data breach is the criminal or accidental release of confidential or valuable information (here, here). The financial and operational impact of a data breach varies widely, depending on the size of the breach and the information released, but can be expensive and damaging. In addition, there are state and federal laws that regulate what an organization must do in the event of a breach (see prior post).
Criminals can sell data on the dark web for significant sums, and both criminals and state actors can use the data for nefarious reasons such as identity fraud. Equifax suffered a significant data breach in 2017, affecting approximately 147 million consumers (here). Senior managers lost their jobs, the stock price declined and the company reached a settlement with the FTC (here), but the breach was not crippling. Typically, ransomware and theft of money have significantly greater impacts on SMBs than data breaches.
A ransomware attack begins with a criminal locking access to a system or data, or threatening to release data. Then the criminal attempts to extort a ransom from the target in return for unlocking access or not releasing the data (here). Healthcare (here, here) and municipal organizations are well-known targets, but all organizations (here, here), and even individuals, are potentially lucrative targets.
While ransomware attacks can be expensive and crippling, they can also put an organization out of business. Two examples include Travelex, which recently suffered this fate (here), and a telemarketing firm (here).
Theft of Money
Some criminals would rather steal money directly than steal data or extort a victim. In a theft of money attack, a criminal will use various means to get access to a target’s funds. There are many ways to accomplish this, but the most direct is by using deception – called social engineering fraud. A criminal will convince a victim to send money to the criminal, rather than to the intended recipient, often through phishing emails.
If you think that this cannot happen to you, think again – any SMB holding or moving cash is a prime target. Examples include real estate firms, investment firms and any organization raising capital or investing in early-stage companies (here). But any SMB with cash is a target, as shown by this theft of money attack on a family-owned recreational facility.
Expert resources on Cyber Risk exposures, along with risk management steps, are widely available on the internet. Some examples include:
Specialty Insurance Blog – News & Commentary on Specialty Insurance – with an Emphasis on Professional Liability Insurance
Also, see the related Innovate Insurance Blog – Innovation & Entrepreneurship in Insurance