As more attention is directed towards addressing cyber risk, more scrutiny is being given to how organizations are exposed to this risk and how can they deal with it.
One particular area that needs attention is the cybersecurity of small and medium businesses, as they are likely not to have the financial capacity to deal with a cyber breach head-on. Despite this, a lot of them also have weak or even non-existent cyber security measures in place.
Shawn Ram (pictured), head of insurance at San Francisco-based cybersecurity firm Coalition, said that small lapses in cyber security can lead to larger breaches in the future.
“Over 75% of the cyber insurance claims we receive from small- and mid-size business customers involve email,” Ram told Corporate Risk and Insurance. “Businesses as a whole encounter human error, especially related to email, as a leading cause of cyber breaches. Cyber criminals use a number of techniques including phishing, social engineering, and credential stuffing to compromise email accounts and, in many instances, to dupe recipients into fraudulent wire transfers or payroll changes.”
Ram also pointed out that poor password management is one of the leading causes of cybersecurity breaches.
“Many people use the same password for dozens of services, from their local newspaper subscription to their bank account,” he said. “Hackers know this, and actively go after easy targets, just to get passwords they can use for higher-value targets. Chances are good that some of your passwords are already floating around the seedy parts of the internet. Businesses need to work with their employees to address these gaps and ensure better password management.”
According to Ram, it is critical for businesses to understand that it is their company that needs defending, and not just their network.
“In this day and age, it is a rare business whose core operations are not dependent on technology,” he said. “A cyber incident can easily trigger many forms of loss from fines and penalties, to stolen funds, to ransomware extortions.
“Our recommendation is to focus on the basics: routinely patch software, use strong passwords and password managers, enable multi-factor authentication (especially for email!), and eliminate remote network access available on the internet. By our estimates, enabling multi-factor authentication in front of email would have eliminated over 50% of the cyber insurance claims submitted by our policyholders.”
Of course, these practices must be accompanied by a coherent incident response plan, and a comprehensive insurance policy to help the business remain resilient, he added.
Coalition’s approach to cyber risk management
Ram elaborated on Coalition’s approach to managing cyber risk, which involves working with clients clients throughout the entire lifecycle of their risk exposure — before, during, and after an incident.
“We offer all of our customers, included with our insurance policy, a wide range of cybersecurity tools to prevent risk before an incident arises, a dedicated security and incident response team to help mitigate damage during an incident, and a comprehensive insurance policy to help businesses recover after,” he said, adding that the company’s in-house security and incident response team includes veterans of the FBI, NSA, CIA, and private security companies.
Additionally, Ram said that Coalition is employing a new paradigm in cybersecurity by aligning economic incentives for the first time.
“Unlike a traditional cybersecurity company, Coalition shares customers’ incentives to prevent and mitigate losses,” he said.
“We recognize that there are a myriad of hidden cyber risks, and we’ve reacted by introducing new coverages, including coverage for property damage, bodily harm, and pollution resulting from a cybersecurity failure. These are no longer hidden risks as we affirmatively offer coverage for them.”
One of its incentives is a multi-factor authentication incentive. With this incentive, if a policyholder has mandatory two-factor or multi-factor authentication enabled on business email and a funds transfer fraud, security failure, or data breach incident occurs due to a business email compromise, the policyholder will be eligible for a 50% reduction in the largest applicable deductible, up to US$10,000.
Ram also shared that Coalition recently expanded its coverage to include middle market companies.
“With expanded coverage to the middle market, our cyber and tech errors and omissions coverage — historically only available to companies with up to US$250 million in revenue — will now include midmarket companies with up to US$1 billion in revenue, backed by Swiss Re and Lloyd’s of London.”