This is not a drill.  In 2021, the FBI received over 550,000 complaints of cyber crimes in the US, with reported losses exceeding $6.9 billion.  Total incidents have doubled each of the past three years.  The average business email compromise attack requesting wire transfers increased to over $100,000 in 2021, with many cases exceeding $1,000,000.  The initial wave of claim activity focused on phishing and ransomware.  Phishing involves a send a fake email in hope of received a reply and relevant information.  Ransomware involves an attack that disables some or all of business technology with a demand for a ransom to restore the systems.  As our security tried to keep up in these areas, the bad actors became more sophisticated.  Between January and August of 2022, Risk Placement Services (a specialist in cyber risk management) reports that over 50% of their claim activity involves sending fraudulent payments and social engineering (compared to only 16% for ransomware).  Social engineering involves a party impersonating an individual or company through fraudulent emails, texts, or malicious websites to deceive the insured into giving away private information or funds via wire transfer.  In some cases, a hacker may insert him/herself into an ongoing email conversation without either party being aware, making the attack much less obvious. 

These incidents do not only hit large businesses.  In fact, the attackers often look at small and mid-sized businesses as more vulnerable than large companies.  Industries such as construction, which have many interactions with third parties including vendors, suppliers, subcontractors, etc. are also seen as vulnerable targets.  Unfortunately, many businesses recognize the need to proactively manage this risk after it is too late.  Cyber risk should get at least the same level of attention and resource as automobile and worker injury risks. 

A complete risk management approach includes three components, all of which are necessary.

  1. Employee training and behavior.  Most incidents involve some level of human error.  The guilt associated with such an error after the fact is significant as is the financial loss and business interruption.  Best practices include a focus in two areas.  First, all employees should be trained and tested to recognize the warning flags.  With the ever-changing landscape, this training should be conducted at least annually.  Secondly, specific controls should be in place through the financial function.  These may include dual authentication for fund transfers and confirmation and validation of payment instructions via phone rather than email.
  2. IT security measures.  These actions are generally led by your IT professionals and include multi factor authentication, enhanced password management, segregated backups, and mock phishing tests. 
  3. Insurance protection.  Some general liability policies include very limited coverage for cyber threats.  These grants and sub limits are not sufficient for today’s incidents and demands.  The cyber insurance market is rapidly changing as a result of the increasing threats, however, operating without an ability to transfer some of this risk to others leaves a business very vulnerable to significant loss and disruption.  Cyber insurance should be procured in the same way as automobile and workers compensation.  Kraus-Anderson Insurance experts in this field can help you navigate the market and make an informed decision. 

Don’t wait until it is too late.