Yahoo, Marriott, eBay, Target — we have all heard of these large corporations that have been affected by cyber breaches over the last few years. The financial impact of these breaches can be calculated, but what about their reputational impact? Were you one of the thousands who stopped shopping at Target after their breach in fear of your personal information getting leaked?

The issue is that, although we hear about the large corporations getting breached, the majority of the breaches are occurring in our own backyard. If you’re a small-to-mid-sized company, you are at a greater risk of a cyber breach compared to those large corporations. Beazley, a leading cyber liability insurance carrier, found that 72 percent of their ransomware claims come from small-to-medium enterprises. They state that 2015-2016 was a real turning point for ransomware within their book of business. These matters have proven to mostly be industry agnostic, but they have seen the highest claim activity in healthcare, financial services, professional services, and manufacturing companies. You may not hear about these breaches, but the financial strain they place on smaller companies are often more impactful than those on larger companies.

In 2019 alone, Holmes Murphy has seen a significant uptick in ransomware activity within our own client base, and our carrier partners are reporting the same. We are having very different conversations with our clients about cyber exposures than even just a couple years ago. The threat landscape continues to evolve from a frequency and severity standpoint. The bad actors are becoming more sophisticated and casting a wider net. Every business faces these exposures, and it is no longer okay to ignore the threats because they will catch up with you eventually.

One of our leading cyber insurance carrier partners, Chubb, reports that ransomware claims increased by 30 percent from 2016 to 2017. They go on to state that higher ransom payments are being demanded by bad actors, with the highest payments doubling from the prior year. Beazley claims a similar trend.  Where Beazley used to see demands in the 100s of dollars in the past, they are commonly seeing ransom demands in the 10s of thousands and even 100s of thousands of dollars now. Even on the smallest scale, these matters are debilitating to the affected company.

Most of these matters have a common set of events. A typical scenario plays out like this: An employee at the company is targeted by a phishing attack. The bad actor sends the employee an email, which appears to be legitimate. It may appear to be from the company’s HR department and contains a link to update information in order to receive their next paycheck. The note is personal and has a sense of urgency to it…this employee wants to get paid! When the employee clicks on the link, malware is downloaded to their device, which sets the process in motion. At that point, the bad actor has access to the company’s computer system, and they encrypt the company’s data and a ransom demand is made. The demand is 50 Bitcoins, which has current value of approximately $500,000. Not only does the company’s computer system contain private employee information, it also runs most of their equipment that was needed to keep the business going. Since the victim company’s systems are completely locked up and their backups are also encrypted, they are left with no choice but to negotiate and pay the ransom so they can get up and running again.

In addition to informing the FBI, a forensic consultant is notified as well as an attorney who specializes in cyber events to protect a company’s interests. After paying the ransom, the bad actors slowly start releasing the encryption keys and the victim company begins to restore their systems. They also have to rebuild data that was lost during the outage and incur significant costs due to their downtime and additional resources they had to direct to remedy the matter. The company’s employees’ and customer’s credit now must be monitored to ensure their personal information was not compromised. It’s easy to see the expenses and time a company puts into recovering from a cyberattack can be just as impactful as the ransom itself.

Although this was a significant cost in time and money for this hypothetical company, the average for these events can be exponentially higher. In IBM’s “2018 Cost of a Data Breach” report, the study shows:

• The global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million.
• The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent to $148.

If you’re a small company, these expenses are what could put you under for good. Studies indicate that 60 percent of small companies without adequate insurance to cover cyberattacks fail within 6 months after the breach.

Whether you’re a large corporation or a small manufacturer, it’s not a question of if you will have a cyber breach, but “when.” As a company continues to evolve and grow, your company’s risk must always be evaluated by your internal team. A few years ago, we weren’t talking about cyber risk being a major concern for companies, but in the age of doing everything electronically, the risk is at the forefront for a company’s exposure. Is your company prepared when it does?  With October being Cyber Security Awareness Month, it’s a great time to take a look at the protections your company has in place and take action today, if necessary!