With one click from an unsuspecting user, an entire data system can crumble at the hands of hacker.
Increasingly common, ransomware, a type of malicious software, is designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by a user unknowingly visiting an infected website.
In recent years, mega names like FedEx, Target, Anthem and others fell victim to security breaches. But while the overall frequency of cyberattacks remains consistent, the attacks are becoming more targeted, sophisticated and costly, according to an FBI public service announcement.
As broad, indiscriminate ransomware campaigns have sharply declined, the losses from ransomware attacks have increased significantly, as found by complaints made to the FBI and Internet Crime Complaint Center.
While various sectors of society feel the effects of cyber hacking, including health care industries and state and local municipalities, Indianapolis attorney Adam Ira of Kightlinger & Gray said there is one direction to head toward if data is compromised in a cyberattack.
“In the realm of data security – and I say this like a broken record – an ounce of prevention is worth a pound of cure,” Ira said. “The easiest, most effective thing a business can do is obtain cybersecurity insurance.”
As more insurers get in the pool, the more affordable cyber insurance is becoming, Ira said. At the same time, insurers “have several years of claims history so that they can better evaluate their risk and tailor the policies in a way that is going to be affordable for their clients,” he noted.
However, there is no standard cyber insurance policy, and the policies currently in place are constantly being revised and rewritten in real time, said Ice Miller partner Nick Reuhs. That can prove both good and bad.
“It can mean there is language that can be exploited by the insured, but also pitfalls,” Reuhs said. “It’s very difficult to write cyber policy that’s going to properly address the risks that we know about and then try to wrap its language around the next still-unknown risk.”
Purchasing cyber insurance
Rather than being a niche product, cyber insurance is moving in a mainstream direction that is drawing in businesses big and small, said Scott Shackleford, Indiana University Cybersecurity Program chair.
“Not only local governments, but clinical providers, state government agencies – it runs the gamut, and it shows there is an appetite for this type of coverage,” Shackleford said.
Ira, Reuhs and Stephen Reynolds, co-chair of Ice Miller’s Data Security and Privacy Practice Group, agree that individuals looking to purchase cyber insurance should speak with an experienced broker instead of jumping in headfirst. Purchasing cyber insurance and treating it like other insurance coverage is a mistake Reynolds says he sees often with companies.
“This is something so specialized and you need to talk to someone, either an insurance broker or lawyer, who lives and breathes these policies and sees them on a day-to-day basis,” Reynolds said. “Unfortunately, I feel a lot of times we are coming in after it’s already been purchased, and then they try to fix it when they do their renewal. Companies really need to talk to someone knowledgeable before they buy this product.”
When it comes to purchasing cyber insurance now, Reuhs said if a company does not have cyber insurance, it was a conscious decision not to have it.
“But for others there is no choice,” he added. “Increasingly, we are seeing cyber added to the insurance requirements in vendor agreements, customer agreements and service agreements. If it is continuously demanded by business partners, it’s going to become part of the suite of insurance that everyone has to have.”
As 2019 closes its doors and the new year begins, the attorneys consider the trends they have seen and might expect to see in the coming year.
One trend Reuhs has noticed is an increasing amount of flexibility in the cyber insurance realm.
“There are both standard and custom endorsements that are readily available. If you know what to ask for, those endorsements can give tons of flexibility to build the right policy for you,” he said.
Something Ira said should be considered in the coming years is what might happen to the price of demanded ransom as more people and businesses are covered under cyber insurance. Another concern is the use of technology in the home environment.
“It’s not simply businesses that need to consider the need for cyber insurance. Homeowners are now exposed to ransomware attacks that threaten their smart home devices,” Ira said. “Imagine a hacker locking your thermostat in the bitter cold, which could cause pipes to burst. By virtue of targeting smart home appliances, these attacks target wealthier people that have the money to pay a ransom.”
For his part, Reynolds has seen an increasing amount of ransomware attacks and increasing costs of ransoms.
“This year we have had clients involved in ransomware attacks where the ransom has been in the millions of dollars and that, when we first started this, was unheard of,” he said. “So, it’s just really escalating.”
Lewis Wagner partner Meghan Ruesch said she expects in 2020 to see the insurance industry attempt to stand at the forefront of cyber risk management to prevent attacks before they happen.
“It has only been in the past five to 10 years that the insurance industry has started seeing an upswing in companies and small businesses actually purchasing cybersecurity insurance, a lot of which has to do with the huge proliferation of major security breaches that have happened over the past five or so years,” Ruesch said.
“That has really kind of put cyber insurance at the forefront of the risk management for not just major companies, but any industry that handles private information.”
But at the end of the day, predicting what’s to come for cybersecurity is more speculation than not, Ruesch said.
“It’s something that’s evolving and every year,” she said. “Three months from now, something could happen and it’s going to shift the focus of the insurance industry in relation to how they need to respond to a cyber security trend in and of itself.”•