By Bruce Geiselman
Cyber insurance can protect a business against big losses from data breaches or cybercrime.
While cybercrimes targeting large companies and organizations generate headlines, smaller manufacturers and organizations are also vulnerable.
The manufacturing and health-care industries are among the most common targets of cyber criminals. Possible targets include the plastics industry, said Ken Morrison, assistant VP for cyber risk management for Travelers Insurance.
“All companies, large and small, no matter what business segment, are targets these days,” Morrison said. “If there’s a computer on the internet, it’s being scanned actively by bad guys trying to poke holes, find vulnerabilities and find ways to get in. Plastics are part of the chemical sector, one of the 16 critical infrastructure sectors that the government has identified, and specifically because they process hazardous materials, they might have chemicals of interest, or COIs, that might make them a target for terrorists. The plastics industry might also be targeted by environmental activists.”
There is a common misconception among smaller companies that they would not be targeted by cybercriminals, said Brian Gerritsen, manufacturing practice lead at Travelers Insurance. Every year, the company conducts its Travelers Risk Index annual survey of individuals and companies.
“It was very interesting that 48 percent of the manufacturers that we surveyed felt that they were just too small or not big or complex enough to be a target for cyberthieves or cybercriminals,” Gerritsen said. “It's very interesting because, like Ken mentioned, everybody is vulnerable.”
When shopping for cyber insurance, it’s important that a company or organization understand exactly what an insurance policy covers, according to the Federal Trade Commission (FTC).
The FTC recommends that cyber insurance for manufacturers include coverage for:
- Data breaches, including theft of personal information
- Cyberattacks, including breaches of your network
- Cyberattacks on your data held by vendors and other third parties
- Cyberattacks that occur anywhere in the world, not just the U.S.
- Terrorist acts
Other important considerations are whether an insurance company will defend its clients in a lawsuit or regulatory investigation and provide a hotline that’s available 24/7 if clients discover a breach.
A robust cyber insurance product should cover costs associated with cyber extortion, including ransomware payments, said Dan Zastava, director of corporate underwriting and product development for Sentry Insurance, which offers cyber liability insurance.
Insurance also should cover costs associated with business interruption, data re-creation and reimbursement of defense expenses in case a company is sued for damages, Zastava said. Other expenses that insurance frequently covers include credit monitoring services, law firm services and access to public relations specialists to help companies deal with the impact of a data breach on their reputation.
Cyber liability insurance not only provides manufacturers with financial reimbursement for losses, but it can provide access to experts needed for recovery, said Lacy Rex, VP and cyber strategic leader at Oswald Companies, an independent insurance brokerage and risk-management firm.
“When you’re purchasing a cyber liability policy, you’re essentially purchasing an outsourced disaster recovery plan,” Rex said. “Most companies don’t have a lawyer that has the privacy and cyber expertise that’s necessary to handle these complex risks. We also see that they don’t have a digital forensics investigation and response company that can help them come in. Sometimes, you need a ransomware-negotiation company — that’s another component — and then public relations to deal with the aftermath. So, you get all of that with a cyber liability policy.”
Purchasing a cyber liability policy also can spur a manufacturer to beef up its cybersecurity.
Similar to homeowners’ insurance companies pulling out of markets prone to disasters, “the recent shift is some of the major insurance companies are no longer providing ransomware coverage,” said cybersecurity expert Marty Edwards, deputy chief technology officer at Tenable for OT and IoT. “They will not insure you to pay the ransom, which they used to.”
When ransomware coverage is available, companies must show they’ve made a strong effort to fortify themselves against attack.
“One thing is for sure, in order to obtain that type of insurance, you have to show increasingly higher amounts of due diligence in your own cybersecurity practices,” Edwards said. “The insurance companies are now looking at how well you do your cybersecurity, and if you have relatively poor cybersecurity in-house, your insurance is going to cost a lot more or perhaps you won’t be able to obtain that insurance.”
“The insurance carriers have been pushing for stronger and stronger controls from policyholders, and as a result, we’re seeing much more cyber-resilient clients,” Rex said. “When they have a cyberattack, or they have a bad actor gain access to their network, typically, they’re more resilient now because they have stronger controls. A lot of what the insurance carriers are mandating are really just best practices.”
As long as companies rely on employees and computers, there will be cybersecurity challenges. However, common-sense precautions can reduce the risks, Rex said.
“Some pretty basic things that companies can do to improve are implementing phishing training, simulations, implementing multifactor authentication — it’s going to help prevent someone gaining access to their network,” Rex said. “There’s a lot of fairly low-hanging fruit that can be identified just to make them stronger and more resilient, as well.”
Rex argues that “every organization should have cyber-liability [insurance] to protect the balance sheet of the organization.”
“It’s a staggering amount of companies that go bankrupt after a cyber liability incident,” Rex said. “They’re very expensive to remediate. You’ve got the downtime, lost business income, etc.”
But, she said, cyber liability insurance premiums are trending downward.
“This is because a lot of our clients and a lot of insurance clients in general are becoming more cyber-resilient because their controls are stronger than they used to be,” Rex said. “If they do have an incident, they’re able to get back up and running much quicker. We’re seeing rates being very competitive right now on both new business and renewals.”
Oswald Companies also is using technology to help its clients identify risks and obtain better premiums.
Oswald Companies contracts with a third party to perform a noninvasive network scan that can identify open ports through which a bad actor could gain access, Rex said. It also scans for technology that needs to be patched.
“We utilize scanning technology that helps us give our clients a rating very similar to a consumer credit report rating,” Rex said. “It’s an objective and easy data point for most companies to understand where they are right now, at least how the world sees them. It’s an outside-in scan of their network, and the insurance carriers utilize that technology or similar technology to also evaluate. So, it’s really important to get ahead and to look at those scans in order to avoid any potential challenges either at renewal or when securing coverage.”
“It’s not too dissimilar from what the bad actors are using because essentially they are looking for companies that may have unpatched software, open ports and things like that,” Rex said.
Oswald Companies, Cleveland, 855-467-9253, www.oswaldcompanies.com
Sentry Insurance, Stevens Point, Wis., 800-473-6879, www.sentry.com
Travelers Insurance, Hartford, Conn., 800-328-2189, www.travelers.com
Bruce Geiselman, senior staff reporter