Businesses must evaluate cyber coverage, contingency plans

Wayne Dipper: Businesses need to be vigilant against cyber threats – and not be silly.

Chase Marable: Some business owners failed to reevaluate level of cyber coverage over time.

• 
• 

Five Security Steps

Wayne Dipper of KPM Technology LLC said all businesses need to take five steps to firm up their cybersecurity:

1. Multifactor authentication. This requires at least two verification factors to gain access to a user account. “If you don’t have that, cyber insurance isn’t going to pay for anything,” Dipper said.
2. Third-party email scrubber. A filtering tool like Barracuda can keep dangerous emails from reaching employees, Dipper said.
3. Next-generation firewall. This is a security apparatus that can inspect and block traffic that might exploit weaknesses.
4. Antivirus protection and endpoint security on every machine. Dipper said every computer in the network should have antivirus protection and more.
5. Endpoint detection and response. One of the most powerful tools available, according to Dipper, EDR can contain threats on a compromised machine. “If it gets all the way to you and you make a mistake and click on a ransomware link, it can lock the computer down, and we can still get in your computer and clean it up,” Dipper said.

“If businesses do those five things, they’re going to be 98% good,” he said. “The other 2% comes from the user not being silly.”

On July 19, many Windows users woke up to cloudy skies – and blank, blue screens.

That was the day of the CrowdStrike incident, in which a bug in the cybersecurity software known as CrowdStrike caused operating systems to crash.

CrowdStrike is not a virus or malware, and the incident was not a cyberattack, as Wayne Dipper, owner and chief operating officer of KPM Technology LLC, explained.

“In broad strokes, CrowdStrike wasn’t even a cybersecurity breach,” he said. “They just sent out a bad patch for their end-point protection software, and it broke Microsoft all over the country.”

Cloud monitoring firm Parametrix Insurance calculated direct financial loss among Fortune 500 companies, not counting Microsoft, at $5.4 billion and noted existing cyber insurance policies were expected to cover just 10% to 20% of the losses.

Emily Reed Buckmaster, executive director of Springfield Tech Council, said although the CrowdStrike incident was not a cyberattack, it brought tech concerns to the top of mind for many.

“It’s also reported hackers exploited the outage by posing as CrowdStrike in the aftermath,” she said.

She cited a June 20 news report by KY3 about two attempted cyber attacks at CDK Global, a dealership management system provider, that impacted 15,000 car dealerships across North America. John Widiger, owner of Springfield Nissan and Kia, implored patience, telling the TV station the incident affected all dealers in town, forcing them to fill all documents out by hand.

In August, STC covered the topic of cyber insurance in its Learning Over Lunch series with a focus on trends, requirements, recommendations and predictions for cybersecurity.

Buckmaster said the topic is a popular one that STC addresses annually in the series.

“We tend to offer it this time of year as organizations are looking at budgeting and insurance renewals for the following year,” she said.

Buckmaster said managing risk in current times includes attention to cybersecurity, no matter the size of one’s business.

“Cybersecurity liability insurance can help businesses of all sizes protect themselves from the financial risks of cyberattacks and other digital threats,” she said.

She noted companies can be liable for damages caused by the theft or loss of third-party data.

“As the digital landscape evolves, the risk of cyberattacks on networks, devices, applications and users is increasing,” she said. “A data breach can have a significant impact on business, leading to lost customers, revenue and reputation.”

Cyber insurance ever-changing
Dan Watson, chair of STC, said three years ago the organization sought to start a conversation between insurance carriers and business professionals who were struggling to meet the requirements to gain coverage.

“There was a significant disconnect – and still is – between the application and reality,” he said.

STC invited Austin Allen, cyber resident expert for the Midwest region of Travelers Insurance, to address the topic this year.

In his STC presentation, Allen outlined the benefits of cyber policies as financial protection and risk management, constant vulnerability scanning and monitoring, access to risk management training and access to breach support.

Underwriters also take into account the class of the business and its revenue and any prior loss history in determining coverage, Allen said.

Watson described cybersecurity insurance requirements as ever-changing, and for that reason, the topic continues to be important to STC members.

“It continues to be one of our better-attended events that fosters great interaction between insurers and insurees,” he said.

Chase Marable of Higginbotham Insurance Agency Inc. said many business owners are taking a second look at whether their cyber insurance coverage is sufficient for the risks and exposures they face day to day. They try to find ways to benchmark their coverage, he said – meaning they are trying to determine how to benchmark their limits if they have X amount of sales and Y amount of payables.

He said benchmarking is important, noting that some business owners have the same limits for multiple years and don’t check back to see if it’s the right fit.

He noted the insurers themselves were not immune to the CrowdStrike incident.

“Most insurance agencies’ operating systems went down for maybe 5-6 hours due to this, and a lot of our clients had the same experience,” he said. “Those clients, including us, had contingency plans to operate during that time.”

Marable said Higginbotham handles contingency planning on a general basis, and businesses can take that planning and design something specific to their company.

“It’s not if – it’s when,” he said. “Cyberattacks happen daily, and business owners need to know that when they happen, they need to have a great contingency plan in place and have adequate cyber coverage to make sure that when a claim happens, coverage is available.”

Companies also need proactive cyber training, Marable said.

“Most attacks happen by social engineering, with cyber criminals phishing employees and employees responding to a fake email or fake work order, causing a breach in their internet system,” he said. “Any company can do a great job on proactive training, whether quarterly or semiannually. It’s a necessary evil.”

Dipper agreed: Most cybersecurity breaches begin with phishing. As an example, an employee gets an email from an entity posing as a familiar entity, like a bank, Microsoft 365 or FedEx, and that entity asks them to change credentials because of an alleged breach.

“What you’re really doing is giving away your credentials,” he said.

The phisher can then start sending emails asking for payments or wire transfers, Dipper said.

“That’s the No. 1 way ransomware and identity theft happens,” he said.

But Dipper said phishing can also happen through phone text messaging or even through AI voice generation.

He noted he used to have his voice on his mobile phone’s outgoing message, but AI can capture a voice sample and use it in nefarious ways.

“They’re capturing your voice, and they know enough about you to give your grandmother a call and say, ‘This is Karen, and this is my one and only call,’” he said.

As a result, grandma takes the routing number she is offered and sends money to help.

He noted he requires his employees to use AI to generate call tree information so his voice cannot be captured.

“I don’t allow them to have their voice on their outgoing message just for that reason,” he said.