Cyber Liability: Dealing with Identity Theft, Data Breaches and More

The internet is a scary place: data breaches, identity theft, network security failures, and more. We’re in an age of technology, and these are the realities that face small businesses when they have a real internet presence. Tune in as we talk to Scott Burns and Ben Moore from BB&T about cyber liability.


Andrew: I’m Andrew Bowen, your host of CBR’s B2U Podcast, presented still by We’re here to bring business resources directly to you–to your home, to your office, to your car, to your universe, to your world, wherever you might be.

Back with us today are Scott Burns and Ben Moore from BB&T. If this is your first time tuning in, we have previously talked about the wonderful world of business insurance and workers compensation, and today we are talking about cyber liability.

The internet is a scary place, right, bottom line?

So welcome back.

Data breaches, identity theft, network security failures,…more words. We’re in an age of technology, and these are the realities that face small businesses, whether they have a real internet presence in the sense of a website, or just a Facebook or Instagram. But that exposes them–because we’ve been talking about exposure.

So that, I guess, is called cyber liability–is that right?

Scott: Yes, and to echo what you said, it doesn’t take long; if you Google about cyber statistics of attacks and all…I mean, the statistics are staggering. In fact, today or yesterday, Yahoo was attacked, allegedly by the Russians and all, and so, those are the big names. So, really what’s going on out there is, it is incredibly dominant in small to medium-sized businesses. So if you think you are immune to it, it is not the case at all. We’ve seen, probably, in the last couple of years…you know and this product has been out there maybe 5 to 10 years…but, in the last couple of years, Ben and I have been spending a ton of time with our business owners talking about–not only the threat, the exposure–but also what is the evolution of the insurance products out there.

Andrew: So when we talk about cyber liability, just for clarification for the listeners…Hello again, Mom…are we talking cyber liabilities specifically like the internet, or are we talking about things like credit card processing? Because I know a lot of small businesses use things like Square and not necessarily the old-school, you know, credit card swipe machines. Is that kind of covered under this word?

Scott: So when you talk about cyber, the main thing you want to think about is sensitive data.

Andrew: Sensitive data. Okay, great.

Scott: Typical things: social security numbers, credit card information, client information, dates of birth, addresses…things like that. People say, “Well, I don’t do a whole bunch of e-commerce, I don’t do a whole lot of credit retail thing and all.” But think about it: every business who has employees contains social security numbers on their server of their employees and any employee that they have ever interviewed or has been a part of their company. And so, that information–if it’s stored, not only electronically but also in paper form–is exposed to attack by the bad guys, and if they get a hold of that then each state law…

Here in North Carolina, for example, you have to specifically notify the affected parties, and we can get into what goes on down there when the claim occurs. But, what as a response to this over the last few years has been, the insurance industry has said, “Okay, we need to have a policy to address this,” and thus became born the cyber liability, which deals with several kinds of modules, if you will, of what is covered, and Ben will address that.

Ben: Yeah. The different modules that are covered are…and Scott talked about the claims, but the different limits that are typically purchased is… we usually see people buy around a limit of a million dollars. Now there are sub-limits under that that cover various things like social engineering, cyber-extortion, response limit like Scott talked about. You have an amount of money that you’re going to have to basically pay to notify all of these people. Those are the limits that the insurance companies have been adding and constantly tweaking. In our industry, property hasn’t changed in a long time–workers’ comp, statutory–a lot of this stuff has kind of been around for a long time.

Cyber liability is one of the new things. We’ll call it the “Wild West” of the insurance world if you will. Again, humor me. Basically, what that means is, these policies are constantly evolving and changing, and quite honestly, they’re being reactive. So, we have a claim, we have to figure out how to protect it. So we need to add something else to it.

Digging down into what’s called social engineering, social engineering is…the best way to explain this is with a real-life example. We had an insured who got a request to wire funds, and when they wired those funds, somebody had spoofed the owner’s email address–he had added like a dot somewhere, asked him to wire some money, then asked him to wire some more money. In turn, we come to find out that was a syndicate out of Europe. So, that’s kind of how social engineering triggers coverage.

Cyber extortion, which is–I know one of Scott’s clients has had a real-life example, I have as well–it’s when they basically take over your system, and there’s coverage for that and that’s one way…

Scott was talking about the modules of coverage, and that’s a sub-limit that protects that. So what happens a lot of times is they take over your server, and they say, “You pay us (let’s pick the number) $5,000, and we’ll release all your data to you.” Well, if you have it backed up, and you don’t have all the information backed up, you have to pay then, and it’s typically in bitcoin. So you can’t even track it because you have to go through a broker, and they ship it off.

But from a limit standpoint, definitely with a startup business, I highly recommend starting to look at it. It’s typically a mechanism of sales, and so that’s how they rate for it. But my advice is to start looking at half a million to a million dollar limit. And start looking at those sub-limits with your independent agent to figure out, “All right, do I have this exposure here? Do I have this exposure?”

And those are the things you want to know about because if you’re…let’s say you do something with the healthcare system, and you have a ton of personal information, and you’re going to have to notify all of these people. That’s going to cost you a ton of money. Even though you’re, say, a three-person company, but you may be holding records for forty, fifty thousand people. That’s what that’s for.

Scott: I think one of the best values that a cyber policy [offers] is…Ben talked on a lot of the coverage modules and all, but one of the best things is, when one of these attacks occurs–and if you’re in business long enough, you will get that email and have a claim, or they’ll get into your system–the ability to go ahead and pick up the phone and call a cyber liability expert and have, at your fingertips, attorneys, Silicon Valley forensics, computer experts, all the nine yards of all these resources. Rather than, if you don’t have any insurance policy, you’re like, “Oh my gosh, I’m getting attacked, what do I do? How do I get my data back? How do I notify? Who do I notify?” And you got to start doing Google and all that…

These people hold your hand and walk you through that entire scenario, and our experts sit in, and they give you all the information so now we can look at, “What happened? How do we stop it? How do we plug the gap? How do we prevent it from happening in the future? And how do we notify all these affected people so it minimizes the impact on your business?” Invaluable out there. The claim might only be…the one I was involved in was ultimately only about $30,000 all in. But it’s not so much about the $30,000; it’s about being able to have peace of mind and knowing you’ve got experts that can help you kind of traverse this situation out here.

And one of the best things you can do out there–and it’s very hard, especially the more employees you get–is educate your staff. That way when you get any emails out there, and you’re bored, and somebody says, “Hey, Scott, you might find this interesting. Click on this.” Don’t click on it if it’s not something that’s familiar to you. But you’d say, “Well, who would ever do that? Who would ever wire money when it’s not even authorized?” These guys are really, really good out there, and they’re getting more and more sophisticated. They even know…they can go into your system, find out what your boss’s schedule is, that he’s in Raleigh, working on a deal, and then they will notify…send his direct report saying, “Hey, this is Joe, I’m in Raleigh. I need $17,000 for the deal I’m working on. Wire it to this amount.” And they’ll be like, “Oh, of course, Joe’s there.” I mean, they know that much about what’s going on with your business through the calendar. It’s really, really scary stuff.

And we are at just the beginning of this right now because the insurance industry’s all about actuarial data. We want to have decades worth of information about workers’ comp, auto, general liability, property, fire losses, all that, so we can come up with what the rate is. Right now, we’ve got basically a few years of what was going on from cyber, and to Ben’s point, they’re charging a certain premium, but we don’t even know what that’s going to look like as the policies evolve and the claims evolve out there. So, it’s a very fluid situation, but I would encourage you…it may not be right for you, as a small two-man operation, but as you grow, it is going to be very important for you to take a hard look at it every year. And if you want to add that to your insurance program out there. So, it is the “Wild, Wild West” of insurance right now.

Andrew: Well it sounds like it’s the “Wild, Wild West” of insurance because it’s the “Wild, Wild West” of the internet.

Scott: It is.

Andrew: Or the world of digital information.

Scott: Yes.

Ben: And I think that’s, to Scott’s point, that’s the biggest challenge with it, and until we can get a hold on it, until enough people start taking a proactive role in it, I think we’re going to have that issue.

Andrew: You mentioned the folks that, you know, if something happens you pick up the phone, and they’ll kind of handhold you through the process. Not to be offensive, but I know that’s not you guys, right? But those are the folks that…

Scott: You wouldn’t want me.

Andrew: Yeah, right, exactly. But these are folks that, because you have the policy, are covered under one of those sub-limits of assistance in making it through something like this, right? Is that what you’re offering?

Scott: That is right, and you’ll want to hear two of my favorite terms that I’m fairly new to here.

There are fraudsters; fraudsters are the ones that are trying to dupe you out there. Then when a breach does occur, and you pick up the phone and you call the policy, you get to speak with a breach coach, and the breach coach walks you through what you need to do. So there we go. Put that in the lexicon.

Ben: No, I totally agree, Scott. You know, it’s funny–with that claim you and I have talked about and others–the interesting thing with that is, you know you have the breach, but a lot of people are like, “How did this happen? What? Wow!” You know? Because you got the claim, so you’re out the money, but I know with a lot of these claims paying that forensic IT guy to come in and figure out like, “All right, which wormhole did they come through to figure this thing out?”…that can cost a significant amount. I mean, those guys usually charge like maybe $1,000 an hour. They are brilliant guys, but they are not cheap. And the insurance company coverage will trigger that, and I’ve talked to a lot of business owners who were like, “I can see that. I would want to know why it happened, so I can educate my staff and educate myself on what are we doing.”

Andrew: Especially, when probably–I’m sorry, real quick–but it sounds like something like this could also ruin your reputation, and if you can’t say that I went through the process because I had the coverage, that I know what happened, that I’ve notified you and I’ve fixed the issue…if something happens to your customers, then they may not be your customers anymore.

Scott: And that’s why there’s a public relations aspect of that policy, too, that can help you. Professional PR person goes and says, “All right, this is what you got to do. This is what the letter should say, and we’ve got to send it out certified or whatever.” And that’s a huge thing. And again, we don’t go a week in our office without having somebody have noise about this going on. You know, we’re not talking about 5,000 employee companies; we’re talking, you know, 25 to 600 employee companies–every single week in a month, we’re dealing with this. So, it’s something you’ve got to really protect yourself from, and if you’re not protecting yourself properly, then know that you might want to consider an insurance policy.

Ben: That wire there I was using the example of, that happened to one of my clients; it is a four million sales gross company. So it’s not…there’s 15 employees…it’s not big.

Scott: And my last comment I want to say, because a lot of people say, “Oh we’re using this server farm. They got it. It’s offsite,” or whatever. One thing always I would encourage you to do is to talk to your vendor that is hosting and look at what their agreement is because if they get hacked, and they lose all the information, what is the recourse? What money are you going to get back, or how are you going to be a part of that process? And each one of those contracts is different. And a cyber policy…they should have a cyber policy in place, but you could also have one to kind of dovetail into what they’re doing.

Andrew: Great. Anything else? We got it all?

Scott: That’s it.

Andrew: Great. Well, Scott and Ben, you two have given us some great advice over the last three episodes. Let’s see. We talked about insurance, workers’ compensation insurance, and then, our favorite, internet-based cyber security coverage. So, listeners, if you have any questions for Scott or Ben, be sure to tweet us @CBRbiz, where we will make sure questions get to them. And you can also find all three parts of our conversation on insurance at

Until next time. We mean business, right, guys? We mean business still?

Scott and Ben: We always mean business.

Andrew: All right, we mean business.
