John: The direction of the cyber insurance market is a mixed bag right now. In the short term, I see tremendous growth opportunities. Many companies, especially small businesses, are woefully unprepared in terms of cybersecurity. When you combine that with the increase of data privacy laws, such as the General Data Protection Regulation (GDPR) in the European Union, California Consumer Privacy Act of 2018 (CCPA), Stop Hacks and Improve Electronic Data Security (SHIELD) Act in New York, as well as the myriad of privacy laws being implemented in all 50 states, businesses have liabilities of which they might not be aware. Some of these laws have stiff financial penalties if customer data is compromised.

Because of these additional liabilities, it is in the best interest of all businesses to acquire some level of insurance.

That being said, cybercrime has morphed into cyber warfare. As nation-states such as Russia, China, and Iran militarize the cyberattacks, they will—and are—becoming more sophisticated. With that, the damage to our economy will become greater, which means insurance companies will be paying out more in claims. That may lead to the cyber insurance market becoming unsustainable. At some point very soon, there will need to be a national policy implemented and that will affect the cyber insurance industry.

Nick: The main insurability challenge is to estimate both the amount of risk of any given network/company, as well as the level of necessary insurance. Estimating the replacement cost of a car or a house is significantly easier than estimating the cost of an intrusion that compromised the data of a few millions of users.

Michael: I see the cyber insurance market hardening, meaning becoming more expensive for policyholders. Cyber insurance is difficult to price for insurers, so they protect themselves by putting sublimits on the amount of coverage available for types of cyberattacks that have recently caused major losses. In short, it might be more difficult to buy high insurance limits for ransomware attacks, ransomware coverage may be excluded from cyber insurance packages, and, if available, the coverage for ransomware could become more expensive.

Anne: What we’ve seen from the time cyber insurance was first offered is that demand keeps increasing, and insurers have been trying to, over time, develop the right analysis tools and insurance policy wordings to make things work. Demand will continue to increase, and the tricky part for insurers is understanding what part of the risk is actually insurable.

One of the characteristics of risk that is important for insurability is you have to be able to determine when a loss occurs, and you have to be able to measure the loss. With cyberattacks, sometimes companies don’t know for months that they’ve even been breached. This lag time creates problems in determining when a loss has occurred. Additionally, measuring the loss and determining the economic value of stealing people’s private information, in some instances, is very difficult to actually put a dollar figure on. Both of these issues are problematic.

When you think about insurance—insuring cars or homes—we have lots of data, and we can calculate what an appropriate premium is. With cyber insurance, this is very difficult to do because of the nature of the attacks.

Bill: Cyber insurance is a growing industry. Businesses already purchase liability insurance to protect themselves when a customer is injured onsite. Cyber insurance is becoming a common way to protect the business when a customer’s sensitive information is compromised.

Businesses can manage risk in several different ways: avoid the risk, mitigate the risk, accept the risk, or assign the risk. A business can avoid the risk of cyberattack by not having an online presence. The business can mitigate, or lower, the risk by taking actions to lessen the impact of a cyberattack. The business can accept the risk and pay all of the expenses associated with a cyberattack. With these first three ways to manage risk, the business may have a large financial outlay to recover from a cyber attack. With the last way to manage risk, a business can assign the risk by purchasing insurance.

Cyber insurance will cover the business’ liability due to a cyberattack, including the costs associated with helping their customers recover from the leak of sensitive customer information. These expenses may include credit monitoring services and identity theft recovery services for the affected customers.

In the case of a ransomware attack, the business’ data, and possibly all of its customers’ information, is being held hostage until a ransom is paid. The cyber insurance would pay the ransom to once again give the business access to its own data! Without the insurance, the business would either need to pay the ransom itself or use a system backup to restore the data. In some cases, an older backup will need to be used because the more recent backup copies have also been compromised by the ransomware’s malicious software.

Cyber insurance does not cover all losses. For example, a breach of the system can hurt the reputation of the business resulting in lost customers, and lost potential income, due to poor public perception.

Even with insurance, businesses need a layered approach to protect access to the networks, protect customer information, and a plan for recovering from future cyber attacks.

Nick: The vast majority of cyberattacks are opportunistic and driven by profit. In the same way that individuals can get their accounts hacked even though these individuals may not be particularly popular or wealthy, a small company can also get hacked, not necessarily because attackers want to go after that specific company, but because they were one of the many hundreds of thousands of possible targets.

In many ways, if we assume that smaller companies have less secure systems and networks, a reasonable (from an attacker’s point of view) strategy would be to attack thousands of small companies asking for relatively modest sums (e.g. in the case of ransomware) from each one vs. going after a really large company, needing to bypass multiple security systems, to ask a single large ransom.

John: All businesses should be not only concerned about cyber risk, but it should be the number one focus of all businesses. I think it is common for small businesses to think they are too small to be targeted, but that is erroneous and dangerous thinking. The cyberattacks cast a wide net. There are targeted attacks for purposes of cyber terrorism that focus on large companies, but small companies are just as much at risk as larger companies.

While there are many different forms of cyberattacks, the big game is the collection of personally identifiable information (PII) of the employees and customers of a business. That means login IDs, passwords, addresses, phone numbers, Social Security numbers, and anything that can identify an individual. That information is then sold on the dark web and paid for in hard-to-trace cryptocurrency.

I recently read that passwords are going for $12-$39 each on the dark web. So, if I am a hacker, and I see that you have even a small number of contacts and employees, I can still profit from that data.

Small companies are easy targets because the security is often lax because of budgets, lack of knowledge, or both. Good hackers can penetrate thousands of small, under-protected companies faster than they could get into one large, well-protected company. The end result is the same: They have stolen thousands of pieces of PII, and they have sold it on the dark web for thousands of dollars. It is easy money—if you don’t mind a visit from Interpol.

In addition, nation-states like Russia are refusing to extradite the cybercriminals to the country where they committed the cybercrime. This makes it hard to stop the offenders.

Michael: Yes, large businesses typically have dedicated risk managers and chief information security officers (CISOs) whose job is to focus on managing cyber risk. Small businesses do not have such positions, and dealing with cyber risk and buying cyber insurance is often just one duty of an employee with many other duties. Cybercriminals may give up on attacking well-defended large businesses and go after small businesses, which are much easier to successfully attack.

Anne: Everybody has to worry, to be honest, just like we as individuals also need to be concerned about our own cybersecurity. Small businesses can be very vulnerable because they don’t have the resources that larger businesses have. Depending on the business, especially if they store customer information like credit cards, they can just as easily be targeted. One should not assume that you’re not a target.

That being said, the amount of resources spent or dedicated to cybersecurity is going to be proportional to the company size, but it is important to practice good cyber hygiene.

Bill: All businesses with an online presence should be concerned about, and plan for, cyberattacks. The vast amount of sensitive information available via the Internet makes all businesses targets of cyber criminals. All businesses, regardless of size, can become the victims of ransomware, fraud attacks, phishing attacks, and other scams.

Should small businesses be as concerned as large businesses? Yes! Large businesses are a target, not only because of the potential haul of sensitive information, but because the large business is more likely to be known to the public and potential hackers. However, large businesses are more likely to have the advanced resources to properly protect themselves from cyberattacks. Small businesses, on the other hand, may be less of a target, but may have systems that are easier to breach. For that reason, small businesses should be just as concerned about cyberattacks as large businesses.

Nick: One of the key elements of managing cyber risk is asset management. As companies grow, networks, servers, and software also grow. Unless a company has a systematic way of asset management, i.e., knowing the existence, location, and status of each asset, sooner or later, one of these assets will be forgotten.

A forgotten asset is an asset that never receives security patches and is not monitored for signs of intrusion. Most of the high-profile attacks that we eventually find out about, start with the exploitation of a forgotten asset (such as a server running an outdated piece of software) that was vulnerable to a well-known attack.

For example, the 2017 Equifax hack that compromised the data of hundreds of millions of U.S. consumers started with the exploitation of a two-month-old vulnerability on a server in Equifax’s internal network. Due to the asymmetry of cybersecurity, this “game” favors the attacker.

To defend itself, a company needs to protect all of its systems, whereas, to be successful, an attacker needs to discover just a single vulnerable system. Comprehensive asset management (combined with other techniques such as penetration testing and intrusion detection) are necessary components of a modern defense strategy.

John: The first and best thing for all businesses to do is to regularly back up data. Ideally, this should be done daily if not more often. Use a hybrid approach: Save your data in the cloud and have an air-gapped (removable hard drive that is used to back up data and then immediately removed from the machine) backup that is kept locally. For the local backup, it is good to have two devices that are never in the same place at the same time. I use three. This will allow for quick recovery in the event of a disaster, but more importantly, if you have your data secured and air-gapped, you will not have to pay the ransom because you can restore the files immediately.

Secondly, educate yourself and your employees about cybersecurity. Learn about phishing emails and social engineering. Develop and enforce cybersecurity best practices such as strong passwords, two-factor authentication (TFA), and computer usage policies. These will be inconvenient for many, but they reduce your risk and liability considerably. Many of these privacy laws are built around the National Institute of Science and Technology (NIST) Special Publication SP 800-171 found here.

Finally, realize that this is a non-partisan issue. This is happening to everyone, every day, all of the time. Both sides of the fence, urban and rural, in all states.

Many businesses spend money on cameras, security guards, alarm systems, and perhaps even personal protection in the event something might happen. Cybercrime and cyber warfare are happening, and cybersecurity is an investment you must make in addition to the physical security measure.

Welcome to the 21st century.

Michael: Companies without specialized cyber risk management expertise will need to rely on insurance brokers to put together a sufficient cyber insurance package. So choosing a broker that has expertise in cyber is important. The main way cyber attackers penetrate a company, especially for ransomware, is by sending out a phishing link to employees and hoping one of the employees clicks on the link. Businesses should offer regular training to their employees on how not to become a victim of a phishing attempt.

Anne: First, get a handle on the situation. Know your computers, make sure you’re not vulnerable in easy ways in terms of networks, employees using their own computers, etc. You need to take an assessment of things. How is IT used in your company, and what are some of the vulnerabilities?

A big issue that companies are worried about right now is third-party vendors and the ways that third-party vendors can compromise different IT systems. That’s something that small businesses should pay attention to. Companies must also be very clear on what IT security management or cyber risk management protocols are in your company, so you know that employees all have the correct information and that it’s enforced in terms of how people behave.

In general, don’t assume you’re not at risk, and be aware that it’s a very dynamic environment. As the technology, applications, or suppliers you’re using change, you’ll need to think on an ongoing basis in terms of how your risk may be shifting over time.

Bill: A business can effectively organize and manage cyber risk by having layers of protection. Protection requires resources, with the investment of time having the greatest impact. Businesses need to make the time to configure the systems and train the employees.

Data is the most valuable asset owned by a company. A simple way to protect against the loss of data is to routinely back up the data and keep multiple generations of these backups. There are many backup schemes, but all of them boil down to three steps: make a plan, make the backup, and store the backup offsite.

First, make a plan. Decide what data needs to be saved, how often the data should be saved, and how the data will be restored after the disaster. The longer time between backups, the more potentially lost data.

Second, actually make the backup. It does no good to have a plan that was never implemented. The data can be backed up in real time via an online service or via a RAID (Redundant Array of Independent Disks) system. If a real-time backup system is not possible, the data can be backed up at regular intervals during the day, at the end of the day, or every other day.

Last, store the backup off site so that both the original and backup are not lost in the same disaster. If a disaster were to happen, the backups can be used to restore the data that was lost.

All businesses should secure access to their local area networks (LANs). At a minimum, firewalls should be used to limit the traffic entering and exiting the LAN. Internet traffic between a source and destination is assigned a port address. For example, regular Internet traffic is on port 80, secure Internet traffic is on port 443, and incoming email can be on ports 110, 143, 193, or 195. However, someone can send traffic on any of the 65,536 available ports. By closing unused ports, the firewall restricts traffic into and out of the LAN.

The content of the traffic can be monitored and filtered. The firewall can stop unapproved applications from sending out previously identified sensitive information, like account numbers, as well as stop unsolicited updates that may contain malicious software. By identifying and blocking this traffic, the business has lessened the risk of sensitive information falling into the wrong hands.

All company-owned computers and mobile devices should be secured. These devices should have passwords to limit access, have the latest software updates installed, and have a way to physically protect the device.

Passwords should be unique and strong. Reused passwords put multiple accounts at risk, if compromised. Strong passwords contain upper case characters, lower case characters, numbers, and special characters. The stranger the password looks, the less likely it is that someone will guess the password.

All operating system and application software should have the latest updates installed. Updates close known secure holes. Older versions of the software allow hackers to exploit the holes to gain access to the system or device. By simply applying the latest updates, the systems and devices are less vulnerable to successful attacks.

Devices need to be physically protected to prevent loss and access to the sensitive information available via the device. Onsite servers, network equipment, and desktop devices can be bolted in place. Company-owned laptops used by employees can be secured to a table with a cable when the employee is using the laptop away from the office. Laptops, smart phones, and tablets can be set to delete their contents if an incorrect password is entered too many times.

Businesses should train their employees to not click on links or open attachments in unsolicited email messages. These phishing attacks usually state that an account has unusual activity, a warning stating the account will be shut down if action is not taken immediately, and conveniently provide a link for the recipient to click. The link takes the email recipient to a clone website intended to capture an ID and password. If an email is received from the bank, for example, train the employees to go to the bank’s website instead of clicking the link in the phishing email.

Everyone at the business needs to use common sense to help protect the business’ sensitive information.