Cybersecurity rests at or near the top of risk managers’ lists of concerns for 2021. Remote work and online commerce have exploded due to the pandemic, and criminals have taken note. The FBI’s Internet Crime Complaint Center (IC3) online claims volume has nearly quadrupled since the beginning of the COVID-19 pandemic. Cyber insurance can mitigate the risk, but it is not a substitute for good security.
The Key Threats are Ransomware, Fraud and Malware
Local governments are among the favorite targets of ransomware. Atlanta, Baltimore and New Orleans have suffered attacks in recent years, with recovery taking weeks and costing millions. Many smaller towns, school districts and hospitals have been victimized.
Ransom demands averaged $886,625 in 2020. Although the FBI and the US Conference of Mayors urge victims to refuse payment of ransoms, typically requested in Bitcoin, some have no choice.
“Ransomware-as-a-service” has further lowered the cost of entry for criminals, and ransom is no longer the only concern. Criminals now threaten to disclose confidential data, not just encrypt it.
Ransomware is not the only cyber threat, of course. Payment fraud schemes, which trick an employee into wiring or sending ACH funds to a hacker’s account, make up another large share of cyber claims, according to NetDiligence and Coalition studies. By the time the fraud is discovered, the funds are usually long gone, and two innocent parties are left with a divisive financial dispute.
Malware and other direct hacks persist. We recently discovered that Russian malware is present on many sensitive government and business systems, and it will not be easy to remove or fix.
Cyber Insurance Can Give Protection
Cyber insurance is a traditional answer to this growing risk. The global cyber insurance market is expected to grow more than 21% next year, and to reach $20.4 billion by 2025. Before the pandemic, cyber insurance rates were increasing by 4% to 5%.
Cyber policies can be standalone or packaged with other coverage. Organizations should no longer count on provisions in their general liability or errors and omissions coverage to apply. A federal district court recently declined to find E&O coverage for a $520,000 wire transfer fraud based on a theft exclusion in the policy.
Buying a social engineering policy, however, is not a panacea. It may not cover claims brought by a third party against an organization duped by a fraudster. Gap analysis is crucial. With the right coverage, an insurer may help negotiate and pay a ransom.
An Ounce or More of Prevention is Worth It
The risk can be insured, but as both claims and the cost of insurance grow, insureds must take it upon themselves to mitigate risk through prudent cybersecurity and privacy practices. Here are some key actions an organization can take:
- Have an incident response plan and team in place.
- Require multi-factor authentication.
- Review your software patching protocols.
- Force password changes.
- Give employees the least privileged access needed for their jobs.
- Keep a short leash on administrative privileges.
- Back up your systems; a backup is a lifesaver in case of ransomware.
Finally, train your employees and create a culture of awareness and security. People are an organization’s greatest cyber risk, and its best measure of protection.
See the 2020 report at https://www.sungardas.com/en-us/ransomware-attacks-on-us-government-entities/
See the SolarWinds alert at https://www.lathropgpm.com/newsroom-alerts-72615.html
See the decision at https://law.justia.com/cases/federal/district-courts/new-jersey/njdce/2:2018cv04131/369490/55/
*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*
By: Tedrick Housch
Partner, Global Privacy, Cybersecurity & Data Protection Group, Lathrop GPM LLP
Summary of Qualifications
Tedrick leads his law firm’s work in data privacy, data security and data breaches, from compliance to litigation.
Tedrick helps organizations improve their information security and privacy practices. He helps them mitigate risks and solve problems arising from the loss or disposal of personal data, protected health information and key proprietary data. He crafts and updates website terms of service, privacy policies and data transfer and processing agreements. Tedrick is a leader in the firm’s work involving blockchain, a transformative distributed ledger technology with accompanying privacy and security issues. He has provided advice regarding smart contracts and other related aspects of blockchain.
Tedrick has been practicing law for 30 years, with 22 of those years at Lathrop GPM.
Tedrick is an IAPP Certified Information Privacy Professional in both the US and EU. He serves on the board of the KC Tech Council and on the IT Advisory Board for Johnson County Community College. He is a founding member of Blockchain KC.
BA, English, University of Oregon
JD, University of Kansas