We are constantly hearing about cyber and ransomware attacks in the news. The Wall Street Journal’s headline on May 12, 2021, was “Ransomware Attacks Are Up, Spawning Widespread Harm”. Recent examples include the Chinese hack on Microsoft’s Exchange Servers in March and the DarkSide hack of Colonial Pipeline earlier this week. It is important to note that, although most of what we hear about are attacks on large corporations and government entities, these same attacks are occurring in small to mid-size businesses. These attacks are not large enough or disruptive enough to society to make the front page of The Wall Street Journal, but they can be devastating for businesses.

 

So why are small to mid-size businesses good targets?

 

  • More and more small businesses are operating remotely. With little control over remote infrastructure, businesses need to invest more time and money in reducing their online exposure to hackers. Most lack the back-office support to do so, which creates vulnerabilities that can be exploited.
  • Smaller companies can provide access to larger entities. These larger entities have data that is more valuable to hackers.
  • The pandemic has caused businesses to reinvent the way they conduct business. For example, restaurants and fitness instructors had to increase their online presence through online advertising, marketing, and email campaigns.  To-go ordering, online payments, online appointment booking, and virtual meetings all increased.  In most cases, the rollout was quick and did not involve a full cybersecurity analysis.

 

A 2021 report by PunkPanda found that businesses lost at least $114 billion annually from data breaches, with approximately 25% of these breaches occurring due to negligence. With more SMBs (small and midsize businesses) going online to connect with customers or manage remote workflows, these risks are only bound to grow. (Forbes Article 3/22/2021)

 

Along with the increased ransomware activity, cybercriminals continue their “profitable” business through phishing/social engineering campaigns.

This is a perfect example of “social engineering fraud”.

Business email compromises are a form of social engineering fraud whereby attackers impersonate a CEO or executive authorized to conduct wire transfers and induce employees to transfer money to a fake client account. The COVID-19 pandemic has led to an increase in cyber-related crime as fraudsters use social engineering techniques to exploit systems and procedures made more vulnerable by remote working, they say.  (Business Insurance February 16, 2021)

 

Even Social Engineering fraud has evolved in the past few years.  The next example highlights “Reverse Social Engineering”.

Company A (a seafood distributor) has secured a Cyber Privacy Liability policy from their insurance agent. Securing the policy required an extensive review of A’s internal protocols surrounding employees’ internet usage, email and computer password updates, and checks and balances surrounding online bank account and credit card transactions. Unfortunately, even with all of these protocols in place, a hacker was still able to infiltrate Company A’s system (in this real-life example, they infiltrated Company A by hacking into an old printer that was seldom used but still hooked up to their network). While inside Company A’s system, the hacker was able to find Company A’s accounts receivable and saw that a large sum of money was owed to them by Company B (a local food shop that does not have a Cyber Liability policy in place). Still inside Company A’s network, the hacker emailed Company B advising of a new bank account to send the outstanding balance to. Company B received the email, verified the email address, and forwarded payment to the new bank account. By the time this was discovered, the hacker was long gone, along with the stolen funds from Company B. Until recently, this coverage was not readily available under Cyber Liability policies.

 

 

With these types of claims on the rise, it’s important to take a step back, note your internal vulnerabilities, and then talk about them with your insurance professional. A good Cyber Liability program will include such coverages as:

 

  • Network Security and Privacy Liability
  • Funds Transfer Fraud
  • Regulatory Coverage
  • Payment Card Industry (PCI) Fines and Penalties
  • Data Recovery
  • Breach Costs
  • Media Liability Coverage
  • Notification Costs
  • Computer Fraud
  • Data Recovery Costs
  • Social/Reverse Social Engineering Fraud

 

June 2, 2021

“Ransomware Attacks Are Up, Spawning Widespread Harm”
