On October 16, 2019, Onepath CTO Patrick Kinsella joined a panel of experts to discuss the status of the law and insurance in cybersecurity with members of the business community in the Boston, Massachusetts area. The panel took place in Boston’s Harvard Club, and it included Michelle Lopilato of Hub International, John C. La Liberte of Sherin and Lodgen, LLP, and Alert Logic’s Marija Strazdas. The panelists described the different types of cybersecurity threats small to medium business owners (SMBs) now face, their legal obligations and possible exposures, and why cyberinsurance has become a necessity.
“First-party ransomware loss is one of the highest trends we’re seeing right now,” said Lopilato. “It’s not just your confidential data that is affected, it’s all the data you need on a daily basis: your email, scheduling, logistics, accounts receivable and payable. With an insurance policy, the insurance companies will pay the ransom to get that data back, and they’ll provide a consultant to negotiate with that hacker to make sure the data coming back is useable. Ransomware events can cause a business income loss or costs to restore, recollect or recreate your data. With a policy you would have the first-party expenses available for that as well.”
“There have been some very high-profile cases,” added Strazdas. “Ransomware is now available as a service. Propagating it is beyond easy, it spreads like wildfire. Hackers have switched targets from Fortune 500 companies to ‘I bet I can get 500 dollars from Joe’s Flowers.’”
Conversation then moved on to ways in which SMBs were particularly affected by cyberattacks. The panelists agreed that SMBs have become a big target, and it’s important for SMBs to understand the threats to their business, as well as ways to mitigate those threats.
La Liberte noted that recent news reports have stated that “43% of cyberattacks are SMBs, and only 14% of those businesses have some sort of infrastructure in effect. Those same reports have stated that 40-60% of small businesses will fail within a year of a cyberattack. That is largely due to the costs that SMBs likely will incur in the event of a cybersecurity breach, which sometimes can mushroom into hundreds of thousands of dollars. SMBs also face liability exposure if they fail to abide by state reporting requirements or fail to take adequate measures to protect sensitive information. Most states have some form of consumer protection statute, which usually allows private individuals to seek punitive damages. SMBs face exposure to such claims and increase that risk if they are unaware of and fail to follow state laws mandating protection of personal and sensitive information.”
The panelists also covered reasons why an SMB could be denied a claim. They focused on the importance of reading and understanding their cyber insurance policies, specifically mentioning that cyber insurance forms and coverages are not uniform and may vary from carrier to carrier. Additionally, they highlighted the importance of general cybersecurity knowledge and the need to stay informed.
“The laws are constantly changing and expanding in their definition,” said Lopilato. “For instance, there are some states that also include biometric data in their definition of personally identifiable information. If that type of information is exposed, that’s also a breach of data which will trigger privacy compliance in those states.”
With regard to preventative measures, La Liberte advised that “in addition to implementing security measures, SMBs should establish cybersecurity policies and educate your employees periodically with different training programs. As most businesses experience when upgrading computer operating systems and the like, there is a learning curve and some employees may be resistant to change. There’s a definite resistance to getting that education, but ultimately, the consequences of not learning it can be catastrophic.”
In closing, each panelist summarized what they believed was key in understanding cyberinsurance. They stressed the ways in which a breach could affect a company’s revenue and productivity long-term, as well as the importance of having a plan.
As Kinsella himself put it, “This is a really complex topic. Talk to your insurance broker, talk to your security/IT advisor. Talk to everyone you can who will help you understand.”
“Know what’s in your network, know what’s in your environment, and know what your business can take,” said Strazdas. “If I walk into tomorrow and nothing’s available technically, what’s that going to cost? We need to go from a reactive place to being more proactive. This is no longer optional. You have to do this. This is the actual existence of your business.”