Cyber Risk Awareness

We help companies of various sizes, industries, and levels of technology sophistication understand their exposure to cyber events. It is important for organizations to inventory and catalog cyber risk.

Evolving Cyber Attacks

Cyber threats have changed, and attacks are not just leveled against large corporations like Target, TJ Maxx, Sony, or government infrastructure like the Colonial Pipeline. There is a level of prestige in successfully hacking an enterprise-level company or government infrastructure; however, the monetization and economics have been reduced. Black market prices for novel credit card numbers are a fraction of what they used to be.

Cyber crime has shifted to high-volume attacks with a high probability of success but smaller rewards. The latest data from Accenture shows 43% of attacks are aimed at small businesses, with more than 50% of small businesses suffering a breach within the last 12 months. This is an annual increase of 424%, with ransomware being the most common attack. The average ransom is over $70,000. While this number seems low, it represents over 2x the average annual income in the home countries where many hackers reside.

The damage to small businesses is staggering. Nearly 60% of hacked companies close their businesses within 6 months. This shows the financial and reputational damage a company may sustain if not adequately prepared. Companies do not question the purchase of General Liability Insurance, Workers’ Compensation, or Fire Insurance, but they do not purchase Cyber Insurance even though it has a greater probability of an insurable event than all other policies combined.

Identification of Vulnerability

We have surveyed hundreds of small business owners, and a frequent comment is a lack of understanding around cyber vulnerabilities. These owners want to learn more about cyber vulnerabilities and how they can impact their business. Common questions are: Is my company at risk? How do I know my company has cyber security vulnerabilities? Who can help me identify risk?

A starting point is to simply review a cyber insurance application. The questions in the application point to the missing network controls behind most of the claims and breach events the insurance industry has experienced. Ask yourself some of these questions, which appear in a majority of applications:

  • Do you have a cyber business continuity plan and has it been tested?
  • This may include having a dedicated person responsible for cyber security
  • Having employee training annually that includes training on phishing emails, banning personal downloads, and testing continuity plans
  • Having frequent backups of your sensitive data which is stored off-site on an offline server
  • Are employees required to set up multi-factor authentication when logging into critical applications remotely?
  • Do you have multiple persons review large wire transfers and authenticate the recipient by two means of communication?

If you answered “no” to any of the above, your business might be at higher risk than believed. Further, your business might be uninsurable as these are viewed as necessary cyber controls for a carrier to offer a quotation. Many of our clients first focus on cyber resilience and then pursue insurance.
You can begin by asking your IT vendor why they haven’t been encrypting data in transit and at rest, why they don’t have training of employees on phishing, and if they have daily backups that are stored off-site, off network, and enable recovery in a reasonable amount of time.

Cyber Risk Assessments

The process of purchasing cyber insurance is somewhat similar to purchasing life insurance. An applicant first completes an application from which the carrier can determine past and present hygiene and determine statistically the potential for future habits. The life insurer may then require a risk assessment of health by means of a blood test and EKG.

The process of purchasing cyber insurance involves the completion of an application that attempts to understand the applicant’s current level of cyber health, whether the company is resilient to cyber risk, and its potential to adapt to and avoid future risk (good health habits). Some carriers then provide the applicant with a free cyber risk assessment - like a blood test and EKG.

The cyber risk assessment is a process where the carriers evaluate the applicant's public facing digital assets. These include the hardware and software used to run things like the applicant’s website and email.

Every time you visit a website, your computer performs a digital handshake with the web server of the page you are viewing. The computers on both sides need to determine the language being used and translate appropriately so what you view isn’t gibberish. A cyber risk assessment is doing the same thing - a digital handshake that identifies the hardware and software being used by a company. But the assessor determines if the hardware is obsolete, the software unpatched, and if any known vulnerabilities exist.

A detailed report is provided to our applicants regardless of whether coverage is bound.

Hardware and software are evaluated and benchmarked against similar companies. Any known vulnerability is identified and a link is provided to learn more about the deficiency and corrective solutions. The report often provides actionable recommendations that the applicant can implement themselves at little or no cost.

Is this a complete cyber security solution? Of course not. These evaluations don’t get behind a firewall. Sophisticated cyber security solutions work behind the firewall to protect sensitive data and report on intrusions. But for small businesses without an internal cyber security team, the carrier evaluations are an important first step.

More on Cyber Liability

Cyber Risk Transfer
Dive deeper into the specifics on cyber insurance and how it is unique from other insurance products. Cyber risk is not well covered by traditional policies like professional, general liability, and crime.
Cyber Risk Mitigation
Reduce the likelihood of a breach by implementing the right procedures and controls. Underwriters favor companies that demonstrate not only strong security controls but also a culture of risk aversion.
Cyber Risk Quantification
Understand the financial impact of various types of cyber incidents. Make informed decisions by understanding the potential cost of a cyber event coupled with the probability of such an event.