It’s a nightly occurrence in office buildings worldwide. As the business day winds down and your employees head out the door, computers are left on, laptops are left out and passwords are scribbled on sticky notes in plain sight.
We’re all aware of cyber risks in this day and age—both after hours and during the work day—and everyone has malware in place to deal with the obvious, but that doesn’t necessarily mean you’re bulletproof—or that your employees are adhering to the rules.
Organizations of all sizes are becoming more aware of the prevalence of cyber risks. In fact, cyber insurance is expected to grow from $2 billion today to more than $20 billion over the next decade. While the market is one of the fastest growing, it’s also a long way from stabilizing. This means a few things: hackers will continue to attack; clients will remain confused; and brokers will need to better understand threats and policies.
It’s a great opportunity…if you know what you’re advising.
One of your biggest threats is your employees. Those unattended devices left to fend for themselves at closing time hold confidential information, and whether or not your employees are the culprits, others—like contractors, business partners or the cleaning crew—can get their hands on sensitive data. Some will use it, some will sell it. According to Carnegie Mellon University’s 2016 Annual State of Cybercrime survey, nearly half of respondents reported an insider breach, and 30% of respondents said cyber breaches caused by insiders were more costly than external attacks. Daytime infractions happen all too often through innocent (but preventable) missteps involving use of cell phones, spam, thumb drives and unsecure networks. A recent Verizon study noted that 66% of malware is installed through email clicks alone.
How hard are you actually looking at your known (and unknown) vulnerabilities? Are you prepared to deal with them? Do you even know what they are?
According to The Council’s May 2017 Cyber Insurance Market Watch Survey, organizations are still not doing enough from a cybersecurity standpoint. Only 31% of respondents’ clients have a proactive information security program in place with capabilities in four key areas: prevention, detection, containment and response/eradication.
Therein lies the hook. Brokers are integral in educating clients about cyber risk and individual exposures. And most brokers claim (72%, according to our Market Watch survey) that they have a strategic approach to marketing and educating clients about cyber risks. But white papers, PowerPoints and webinars only go so far in arming your clients and your employees with the tools and training they need to make a difference. When’s the last time you considered a cyber audit of your own?
Cyber security has reached new levels across state and government lines. The National Association of Insurance Commissioners (NAIC) is knee deep in efforts to implement a data security model act. Though some in the insurance industry are skeptical about its prospects, if adopted, the model act could provide a path toward uniform state cybersecurity standards for the industry.
And in New York, regulators have implemented a robust financial services cybersecurity rule that applies to every individual and entity operating in New York under the banking, insurance or financial services laws. By the end of August, all individuals, agencies and brokerages licensed in New York have to operate with a lengthy list of technical requirements designed to maximize a firm’s cyber security (with some limited exceptions).
Expect these hefty regulatory requirements to pop up in other states, too. Love ‘em or hate ‘em, these rules and regulations aren’t going away anytime soon. And it’s not just the rules and regulations that provide legal accountability. Past, present and future cyber risks are omnipresent and pose potentially substantial risks to the bottom line by lawsuits, D&O liability, even to M&A transactions. The sooner you get a handle on it, the better.
Get your house in order from the top down and the bottom up. No one has the resources to eliminate cyber risks altogether, but investments in training, education and onboarding for your entire staff can help employees understand what can happen when they aren’t vigilant. Open their eyes to all of the potential exposures and insider threats (and sign up for our Cyber Watch newsletter at www.ciab.com while you’re at it). The better you understand the dangers and vulnerabilities lurking around the corner, the better you can advise your clients with their own cyber risk management strategies.