General Inquiries

Cyber Insurance Limits?

  • 1.  Cyber Insurance Limits?

    Posted 05-13-2019 18:41

    We have had a cyber policy for a few years now and are considering a higher limit from $1MM to $3MM or even $5MM.  We are in the mid-size company market.

    Does anyone have any data on recent losses by companies in the construction space?  Has anyone purchased higher than $1MM?  And with what deductible.

    Trying to stay ahead of this if it happens.

    Thanks all!

    Jim



    ------------------------------
    Jim Weber
    Controller
    Lakeside Industries
    Issaquah WA
    (425) 313-2604
    ------------------------------


  • 2.  RE: Cyber Insurance Limits?

    Posted 05-14-2019 12:50
    Hi Jim,

    I commend you for wanting to get ahead of this issue.  It's embarrassing for me to say this but I'm doing so to help the rest of you avoid what happened to us.  We are also in the mid-size company market and recently got hit with the Ryuk ransomware virus.  The virus penetrated our network through an email with either a bad link or attachment, and quickly spread throughout our system and locked up the majority of our files including our virus protection program, our online backups and email systems.  It was devastating since our offline backup was a couple months old (hint: make sure you back up frequently and disconnect your backups from your network).  We came to a complete standstill.  Fortunately, we had a cyber liability policy with a $1MM policy limit.  The thieves requested $1.6MM in bitcoin.  We quickly settled for $500,000 which our insurance company quickly paid which enabled us to get the key to unlock our files and get back to business.  The policy also covered costs for third-party IT consultants to help get us back up and running, incident response services, costs incurred by our ransomware negotiators, legal expenses, business interruption costs, and other related expenses.  Our insurance broker is advising us to purchase a higher policy limit when our policy renews, and we are still evaluating that since we will be employing a third-party firm to better protect us from these types of viruses in the future.  Luckily, we were able to get back up and running fairly quickly with the dedicated help of our in-house IT staff as well as our amazing third-party vendors and insurance broker.  But without our cyber liability policy, we would have experienced a devastating financial blow.  I hope that helps.

    ------------------------------
    Clarke La Vine
    CFO
    Gothic Landscape, Inc.
    Valencia CA
    (661) 678-1414
    ------------------------------



  • 3.  RE: Cyber Insurance Limits?

    Posted 05-14-2019 13:40
    Edited by Jim Weber 05-14-2019 13:52
    Thanks for the response Clarke - curious if the thieves requested a copy of your policy and associated limits as part of the negotiations?

    PS - don't be embarrassed.  We got hit with some ransomware a few years back (someone clicked on something they shouldn't have) but we luckily had a fairly recent backup. With some quick work by IT and the team from our insurer - we were able to stop the attack but had to resort to a two day old backup for our ERP.  Took us about three very long days to get back to "normal".  I believe our costs came in just under the deductible at the time.

    ------------------------------
    Jim Weber
    Controller
    Lakeside Industries
    Issaquah WA
    (425) 313-2604
    ------------------------------



  • 4.  RE: Cyber Insurance Limits?

    Posted 05-14-2019 14:03
    To my knowledge they did not ask about our policy limits, but we were using a third-party negotiator who had the Bitcoin account and communicated with them.  We were also wondering if they somehow might have seen our policy in our network somewhere but ultimately don't think they did that.  The negotiator said that we had three options:

    1.  Make a low offer which has a low probability of acceptance - i.e. longer period of downtime
    2.  Make a medium offer which has a medium probability of acceptance - i.e. shorter period of downtime
    3.  Make a high offer which has a high probability of acceptance - i.e. least amount of downtime

    We chose option 2 which fortunately worked out for us i.e. we got our files unencrypted fairly quickly.  This also left room in our policy to pay our other third-party vendors.  If we had good offline backups, we could have told them to pound sand.  That's the position we want to be in if we ever get hit again i.e. having good backups that can be restored quickly.  A third-party vendor helping us to avoid the problem in the first place will also be part of our strategy.

    ------------------------------
    Clarke La Vine
    CFO
    Gothic Landscape, Inc.
    Valencia CA
    (661) 678-1414
    ------------------------------



  • 5.  RE: Cyber Insurance Limits?

    Posted 05-14-2019 13:57
    Jim,

    As an insurance consultant I'll give you the typical insurance answer and with good reason, "It depends."  I'll commend you as Clarke did on getting ahead of the problem, but protecting your company against cyber threat actors is so much more than just an insurance policy.

    To begin to answer your question, there are many factors that go into figuring out your limits.  Cyber criminals are so advanced these days, they are often in your network for months and months going undetected gathering intelligence and connecting dots before they ever contact you with a ransom.  Often they'll know what liquid assets you have available and their ransom will "miraculously" be close to what you have.

    Fortunately, as of right now Cyber Insurance isn't that expensive and it should be easy to get several quotes.  My professional recommendation is to go to $5M, depending on the size of your business.

    What you really need to plan for is your Incident Response Plan or IRP.  If a cyber incident occurs, you'll more than likely be frazzled and not thinking clearly.  Having a plan (printed out) of who you call first, who has what responsibilities within your organization, what vendors need contacted, etc. is critical for success after the event.  You can find help to begin this process with a sophisticated insurance broker or any number of outside firms.  Your best result would be to include them both.

    Finally, a plan without practice is just that, a plan.  It needs to be regularly exercised.  Clearly there is quite a bit more to building a good plan, but I'll spare you having to read another 10 pages in my response.  I'd enlist the help of your current broker, and / or contract out the cyber policy to another broker that may have more depth if your current one doesn't.

    Good Luck!

    ------------------------------
    Ben Kahmann
    Insurance Advisor
    Hylant Group
    Cincinnati OH
    (513) 354-1612
    ------------------------------



  • 6.  RE: Cyber Insurance Limits?

    Posted 05-15-2019 14:35
    This is a great question and one I field often. Higher limits are not the solution. You have already witnessed the perfect storm. Instead focus on what went wrong and mitigate. Presumably the occurrence stemmed from an employee action (or lack thereof). Focus on risk management and employee training rather than risk transfer exclusively. I hope this helps, happy to discuss.

    Brad


    ------------------------------
    Brad Anderson
    IMA
    (316) 655-9944
    ------------------------------



  • 7.  RE: Cyber Insurance Limits?

    Posted 05-15-2019 15:47
    I agree with the previous recommendation to focus on risk mitigation. You need to train your employees and consider spoofing your employees on a regular basis to see who is and is not paying attention to the training. Your employees need to understand what to look out for in a phishing attempt including bad links, clues that an email is a spoof, etc. You can find help for this type of employee training. Your training should be automated as well. If you plan to train in person, consider your peers who are using technology to automate their training at a much lower cost, with more efficiency, and documentation to track success of your efforts. The indirect costs of loss to your business certainly exist for this type of loss and are not covered by insurance. Always include at a minimum one risk control technique with your risk financing program.

    ------------------------------
    Jon Erickson CRM, CIC, CWCA, MLIS, CIRS
    Producer
    Insure Forward
    Fargo ND
    (701) 893-2750
    ------------------------------



  • 8.  RE: Cyber Insurance Limits?

    Posted 05-15-2019 15:53

    Thanks everyone – we definitely have been spending a lot of effort and resources on risk mitigation which we know has already prevented a few headaches.  However, it only takes one bad click.






  • 9.  RE: Cyber Insurance Limits?

    Posted 05-16-2019 07:00

    I recommend using an agent that understands the differences in Cyber Liability Coverage forms.  This is a relatively new insurance product and is not an off-the-shelf policy.  The most important factor in choosing coverage is how the policy addresses "emerging risk": new ways thieves can gain access to your data, your employees' and your customers' data.  I suggest getting quotes on different limits and buying what you can afford.  I do agree with Brad that prevention techniques are more important than anything else.  Hope this helps.

    Anne Erickson/ NY Insurance Broker









  • 10.  RE: Cyber Insurance Limits?

    Posted 05-17-2019 08:34
    Hi Jim,

    Travelers Insurance Company and Chubb Insurance Company, who are both national insurance companies that are leaders in Cyber Insurance and will provide the coverages and limits that you are seeking, have great calculators available that will help estimate your exposure. Chubb and Travelers will also provide you statistics on frequency and severity of claims in your industry. I would ask your agent for this information when considering what limits to purchase.

    When purchasing Cyber you have to evaluate what data you are legally responsible for, the number of people that may be affected, how will you determine the extent of the breach, what fines and penalties you may or may not face from local, state, and national (think HIPAA for national) governments, if you had a breach that locked you up how long would it take you to get out of that breach, will you lose any revenue if you are not able to use your computer systems, if you lose data how will you replace it?

    When my clients ask me what their limits should be my response is that the purpose of insurance is to protect your assets. However, always remember that time and future income are part of a company's assets. I am not saying do not purchase the higher limits, but always ask yourself how much do we need to protect?

    Please feel free to call me with any questions.

    Kyle Ranney | Account Executive
    Lyman & Sheets Insurance Agency
    DL: 517.319.5136| C: 517.582.1225 | F: 517.371.4881
    kyler@lymansheets.com
    2213 E. Grand River Ave., Lansing, MI 48912

    ------------------------------
    Kyle Ranney CIC
    Account Executive
    Lyman & Sheets Insurance
    Lansing MI
    (517) 319-5136
    ------------------------------