Cyberattack surge at Northern California companies fuels demand for special insurance

GARY QUACKENBUSH

FOR THE NORTH BAY BUSINESS JOURNAL

February 2, 2022

Order Article Reprint

Information security research findings

• Only an average of 15% of information assets are covered by insurance

• 66% of employees surveyed downloaded mobile apps without permission

• 68% of U.S. companies permit employee-owned devices in the workplace

• 86% of respondents were concerned about using Facebook and Goggle

• Cyber liability/intellectual property risk ranks in top 10 of all business risks

• The average cost of a full data center outage has increased 38% since 2020

• 52% of data breaches are caused by malicious attacks

• The average time to identify and contain a data breach is 280 days

• 68% of respondents say they have become more concerned about their privacy and security of their personal information in the past 3 years.

• 59% of respondents said “threat sharing” improves the cyber resilience of their organization

Source: Ponemon Institute

From the start of the COVID-19 pandemic there has been an unprecedented rise in database attacks by criminals using illegal phishing, malware, ransomware and other tactics to extort money from public agencies and business owners of private and public data sources or to get information for sale to others.

With that, costs of “cyber insurance” continues to rise. And that raises the question: Is this coverage worth it to offset the potential cost of enterprise IT damage?

Ask Traditional Medicinals CEO Blair Kellison.

On the last Sunday of September, the tea producer, with offices in Sebastopol and Sonoma Mountain Village, was the victim of a data breach, forcing a shutdown of the company’s computer system but it did not result in lost production.

“We ran for two weeks without a computer and systems were back up in another 2-3 weeks,” said Kellison. “Our Office 365 email system in the cloud was not affected. We had cyber insurance before the breach but still spent upwards of $500,000 for a vendor to come in to repair and restore our system and to also pay for other things we had to do.”

The global average cost of a data breach in 2020 totaled $3.86 million, based on an IBM and Ponemon Report, but the average cost of a U.S. data breach reached an all-time high of $8.64 million. (See Data Box for additional research information)

Data breaches produce a variety of negative consequences, such as reputational harm, regulatory fines and class action law suits, along with state requirements to notify all those included in the stolen files, and other remedial actions costing thousands to implement.

The spike in cyberattacks has led to increased demand for cyber insurance as part of a multi-prong preemptive strategy to stave off and mitigate computer system hacking disasters that includes having an incident response plan.

With more people working remotely since 2020 using personal computers, cell phones and other mobile devices (that may not be secure ways to access company databases at their company’s worksite), opportunities exist for hackers to more easily penetrate networks with an eye toward firms with a considerable amount of sensitive and valuable data.

The cyber threat is not limited to major corporations -- health care centers and medical practices, financial institutions, government institutions and larger retailers are also targeted, along with nonprofits, wineries, the education community and small retail businesses.

The most common form of unauthorized access typically involves phishing scams – the unlawful practice of sending fraudulent emails, log-in credentials, or malware to nonsecure websites disguised as messages from reputable sources. Malicious attachments are also deployed to entice recipients to release personal information, passwords (log-in credentials) or credit card numbers.

Ransomware, the most expensive cyberattack, involves compelling a victim to pay a ransom to regain access to his or her data (unlock the code and unencrypt data) and also to keep that data from being released to the public.

With double ransomware, if the initial ransom is not paid cyber criminals demand higher payments. The victim’s access to databases is often permanently compromised, and stolen data is often encrypted and then sold or traded to other attackers for future extortion attempts and can be leaked online.

The most widely publicized cyberattack in 2021 was made against Colonial Pipeline Company exposing vulnerabilities in U.S. cybersecurity while disrupting thousands of miles of the U.S. fuel supply.

Colonial Pipeline paid a $4.4 million ransom, but later the Department of Justice recovered $2.3 million of the cryptocurrency (bitcoin) amount from this most disruptive U.S. cybercrime on record. Seeing the impact on the national economy, the federal government quickly stepped up efforts to fight this growing concern with a series of initiatives.

On Dec. 11, Kronos Inc., based in Pleasanton in the East Bay, was hit by a ransomware attack leaving customers for its workforce management software platform (the Kronos Private Cloud) without a way to contact its server. Repairs took more than just a few weeks to fully restore the system.

Before Traditional Medicinals September 2021 cyberattack, Kellison said hearing about a vendor’s data breach convinced Traditional Medicinals to get prepared in advance.

“Whether you have less than 50 employees or 500 employees or more, you must plan ahead, be ready and do everything you can to ensure that cyber criminals cannot get into your data. The attack on us was a ransomware attempt – but we paid no stinking ransom.”

He recommends having data backed up off site, and to wall off all data using separate access codes for different segments of the database rather than a single master code.

Kellison also believes in having a 24-hour network monitoring system using a cyber intrusion detector to sense a breach and report it as soon as it occurs so the system can be shut down to limit further damage. He said it is also important to seriously consider having an ongoing standby agreement in place with a firm that can repair and restore the system quickly when an emergency arises.

He used an illustration to drive home the need for continuous scanning.

“Imagine if every country on earth was a car in a large parking lot with a hacker going from one vehicle to another checking to see if a door is unlocked to gain entry -- this is what hackers do across numerous global IT networks.”

This is not a one-time event. Since cyber attackers continuously probe for weaknesses, database owners need to implement ongoing monitoring.

“We got all of our data back, but you should realize you will probably experience one or more cyberattacks down the road. The cost of cyber insurance is relatively cheap when compared with the total cost of the attack on the business – it is definitely worth having,” Kellison said.

According to Jeff Okrepkie, producer with George Peterson Insurance Agency, premiums for cyber insurance are going up and may only cover 80% of potential costs and damages. He noted that underwriters are excluding coverage for a variety of reasons, such as if a firm does not have multiple authentication in place, lacks firewalls, 3rd party monitoring or if servers are shared increasing the risk from other parties, for examples.

He said just a few years ago cyber underwriters only asked five questions to those seeking this coverage. Now firms receive from two to 25-page or longer questionnaires to complete as part of an initial review requirement, followed by an independent check of the firm’s website to see if there are potential network vulnerabilities to aid in determining if the firm is a viable risk.

“Having internal training programs on cyber security for employees is important so they can avoid practices that can lead to unauthorized access,” Okrepkie said. “I’ve heard that 1% of employees often make this mistake and that 4% of senior management can inadvertently do this as well.”

Okrepkie said for some small businesses affected by a severe data breach it can become and end-of-life scenario leading to a death spiral that can cripple the company, leaving it with insufficient funds to pay for new equipment and networking tools with safeguards, along with costs associated with other remediation efforts.

For Joe Sucatre, vice president of the Vantreo Insurance Preferred Division, demand for cyber insurance protection prior to 2019 was far less than it is today.

“Back then, many business owners did not think they needed it. However, over the past three years demand for this coverage has come front and center.”

He said now insurance applications are jointly prepared by the business owner and an insurance company representative working together to complete the paperwork, a process that can include an onsite inspection to help identify IT strengths or weaknesses, along with a list of improvements deemed vital to prevent intrusions. Failure to comply with a list of agreed-upon improvements can void the contract.

Sucatre said today the cost of coverage is evolving and continuing to move higher, between 15% and 40% more, depending upon the industry. For one lending company, the rate went from $2,500 to $4,500 a year – based on anticipated risk. For a winery with a wine club, a $1 million policy cost $2,000 a year, up from $1,800 in 2021. For larger organizations with extensive databases, rates can go much higher.

He said the best way to explore the cyber insurance market is by contacting an agent to determine what coverage is available based on industry data (different rules may apply by business type). Leading cyber insurance underwriters include Chubb Limited Insurance Company, Lloyd’s of London, The Travelers Companies, The Hartford, etc.

Another way to look at the potential coverage needed to recover from a database attack is by identifying costs associated with notifying customers in writing about an unauthorized breach (including those individuals whose data has in fact been breached), restoring the personal identities of affected customers, recovering compromised data, and repairing damaged computer systems and equipment, in addition to legal fees and expenses.

Beginning Jan. 1, 2020, an updated California law required a business or state agency to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired by an unauthorized person. (California Civil Code s.1798.29(a) (agency) and California Civil Code s.1798.82(a) (person or business).

Any person or business that is required to issue a security breach notification to 500 or more California residents as a result of a single breach of the security system “shall electronically submit a single sample copy of that search breach notification, excluding any personally identifiable information, to the attorney general.”

Tony Schmoll, manager with North Bay Insurance Brokers, says cyber insurance claims are up by 18%, and terms of coverage are getting tougher.

“The risks are huge. For people working from home, a key question is whether or not the router used is secure.

He estimated 90% of nonprofits are getting coverage; small businesses, about 50%; while for wineries it is probably less than 25%.

About a year and a half ago, the nonprofit Social Advocates for Youth, headed by CEO Anita Maldonado, Ph.D. and supported by Jon Wheeldin, SAY administrative services manager responsible for IT, started investing in increased network security.

“With staff and counselors working from home and to protect the privacy of our clients and donors, network security begins internally with everyone trained to understand what to do – and not to do – as well as how to respond by being able to identify a data breach and report it right away,” she said. “For us, cyber insurance is a must-have -- and pricy -- investment that also involves having a good relationship with our IT providers as part of a program of continuous quality improvement.”

Wheeldin said SAY reached out for proposals from several providers on a plan involving multiple layers of security to bolster SAY’s defenses

“Using a personal computer while working offsite is not viable long term, meaning we had to purchase new equipment for staff while also realizing we could not achieve our goal with just an upgrade of our old operating system.”

In Marin County, Jason Balderama, chief information security officer in the Information Services and Technology Department (IST), announced on Jan. 10 that the county’s cybersecurity newsletter “CyberSafe News” has gone public, saying that “It’s an ominous online world out there (and) e-subscribers (need) to learn best practices. The COVID-19 pandemic has brought additional challenges with an unprecedented number of people working or attending school online from home.”

Balderama and IST specialists formed the Marin lnformation Security Collaboration (MISC) initially comprised of members from Marin cities and towns and later expanded to include Marin community partners. The Digital Marin Strategic Plan includes a description of the anticipated expansion of MISC into the Marin Security and Privacy Council.

The newsletter is distributed to some 3,500 Marin employees and partners providing alert notifications about active cyber threats requiring their attention, and provides access to a peer network to ask questions, get answers and share ideas related to cybersecurity issues.

Cybersecurity Watch: This story is underwritten by Comcast, which has had no input on the editorial content. See more stories this topic.