We are coming to the time of year when we take stock of all we’ve just endured and look forward to the year to come. Much has taken place in 2015; certainly more than I could write about in a single article. So, as we reflect, let’s consider what I think is the most overlooked and neglected of the year.
Last month, a year after the now infamous Home Depot data breach, the New York Times reported that “estimates of the fraudulent charges (related to the Home Depot breach) total well into the billions of dollars.” The story was coupled with another about how the banking industry has taken steps to protect itself with credit cards that “dip” now, rather than “swipe.” The headline read: “Banks Look to Retailers for Losses in Data Theft.” I’d phrase that another way: “Big pockets push risk responsibilities to smaller businesses.”
I know I keep talking about cyberliability, but it’s one of the most pressing threats we agents face. Our agencies are not necessarily the biggest or richest targets, but we are subject to the same threats, which could cause even greater havoc on our businesses and livelihood than the big financial powerhouses. What’s more, there’s evidence to suggest that the smaller our business, the more likely we will be hit.
The big events make the news, but trust me: After the banks, big health insurers and major retailers, the wealth management groups will be targeted, and small businesses will be on the list. The news may not make the New York Times (and in these cases, a lack of publicity is a blessing); but small agencies are easy pickings and they are hacked. There are examples of cybercrime every day: In fact, according to Philadelphia Insurance Companies, PIA’s largest cyberliability carrier, the average cost of a data breach is $204 per lost record, lost customers and public relations expenses to rebuild an agency’s brand accounting for half of that.
I, personally, know of a few examples, and the fact that I know them personally demonstrates that this type of risk is real and happening more than we imagine. More than one industry acquaintance of mine has been extorted online. Hackers actually invaded the businesses’ files, encrypted them and held the data for ransom. In scenarios like this, the data kidnapper threatens to destroy, or worse—make public—your electronic files unless you pay up. But, it’s not always some unknown hacker. I’ve heard in CE classes about disgruntled employees installing worms, viruses and other malicious code.
These are just the situations in which proactive malicious thieves attack; more often than not, our agencies are placed in peril because of human error. Mistakes happen: Computers with client data on them are lost or stolen. Well-intentioned staff have been known to distribute private information via email and even traditional mail to the wrong recipients. Some agencies I know have neglected to properly dispose of client records, including names, addresses, credit card numbers and other sensitive information—even putting them out on the street for unscrupulous credit thieves to take as they want. An agency that does this puts itself at risk of hundreds of thousands of dollars in fines and penalties including customer recompense for credit monitoring for the client-victims.
The tragedy is that while agents understand and even sell coverage to our commercial lines clients, for some reason many of us neglect to protect ourselves and our clients. A recent study report by the Council of Insurance Agents and Brokers said that agencies may be slow to purchase or sell cyberliability insurance because the coverage is not standardized and they find it difficult to understand, let alone sell. “Sixty percent of respondents do not ‘feel there is adequate clarity from both the specialist cybersecurity insurance market and traditional property casualty insurers as to what is covered and what is excluded.’”
It’s true. This is new territory and coverages vary. I suggest turning to our associations for information, education, and of course coverage. I know PIA offers both an endorsement and a stand-alone cyberliability policy from Philadelphia Insurance Cos., with limits up to $20 million in addition to add-on coverage. The Philadelphia policy covers first- and third-party protection; covered cause of loss (including administrative or operational mistakes); breach of privacy coverage (for violations of HIPAA, state, federal and foreign privacy protection rules); and customer breach notice expense.
What’s most important is that agents keep up with the times. As we look forward to the New Year and the future of our business, we have to remember the risks we face are evolving. The good news is that our industry is starting to get it: As Steve Acunto reported in the Oct. 26 edition of the Advocate, the rate at which businesses are purchasing cyberliability insurance is on the rise. We see new surveys and reports everyday on the risks and coverages available. Even the National Association of Insurance Commissioners has acknowledged the need for protection with a cybersecurity bill of rights, which sets expectations for insurance companies, agents and other businesses regarding how they handle client information. But, this evolution is taking place too slowly.
Perhaps the best evidence of this is advertisements I’ve recently received promoting a New York City conference for businesses on cyber-risk management. The event is sponsored by a “who’s-who” of the major law firms, and it includes speakers from the legal field. I see the handwriting on the wall: The legal industry is ramping up and I think we have just begun to see the tip of the cyberliability iceberg.
The world is turning faster and faster. It’s time to protect your biggest financial asset before the sharks attack and you have no protection. Make sure you are offering your clients cyberliability insurance—and if you haven’t done it for your own business, do it now!
End Note: N. Stephen Ruchman, CPIA, is a retired independent agent and founder of Ruchman Associates, Inc., the agency he started in 1961. A past president of the Professional Insurance Agents of New York State, Inc., he is an active supporter of PIANY, and he has sat on or chaired nearly every committee including the Executive Committee and the Long Island Advisory Council and PIANY’s Political Action Committee. He can be reached via email at: nsruchman@gmail.com.
