After the town of Peterborough made headlines recently when employees fell for an email scam that bilked the community out of $2.3 million, organizations statewide saw just how vulnerable they can be to cyberfraud. While Peterborough was able to recover almost $600,000 through the Secret Service and the town’s bank, there is still a question of whether its insurance policies will cover any of the losses.
The disruption of daily routines, the increase in remote work and learning, and the often-urgent nature of transactions in the pandemic have created opportunity for scammers, who, according to the FBI and Interpol, get more sophisticated and better organized every day.
“Everybody has an exposure to cyber risk,” says Jackie Roy, business account executive at Optisure Risk Partners in Manchester. “I walk into a small business, such as a restaurant or retail, and their response is, ‘We do our own backups into the cloud and have a merchant services company [credit card processor] and therefore we are not responsible if personal information gets stolen,’ but that is a big misconception. The law places responsibility on the business owner.”
She adds that while some merchant services provide protection, it may be limited and doesn’t cover other software not connected to credit card processing, such as an email program. Companies may also feel safer by not accepting credit cards, but sensitive employee data in a bookkeeping system is also a point of risk. “There is so much data online and within software programs that create exposure, but people aren’t always aware of the risks,” Roy says.
While many basic policy endorsements will include Payment Card Industry (PCI) compliance coverage, which would compel a business to provide customers with credit monitoring or other services should a breach occur, they might only provide as little as $10,000 in coverage. “So, depending on how much data you have, it may not be enough,” Roy says.
Marc Weinstein, principal at East Coast Global Insurance in Somersworth, says that, as with all insurance, the level of risk must be assessed and the product priced accordingly, and cyber risk is particularly difficult to assess.
“The threat level changes daily. No one has a good feeling of what they are involved with. The carriers are trying to judge what the cost structure needs to look like, and we are seeing pretty dramatic increases in premiums in the existing book as well as quotes coming in for new customers,” he says.
Weinstein says that over the past two years, companies that specialize in cyber coverage have entered the marketplace, while other carriers are making it clear that there are exclusions for cyber in standard policies. If the carriers feel the risk is too high, they won’t even quote it, says Weinstein, or the premium will be pricey.
He says it is impossible to predict what coverage is needed, as cyber coverage is such a new product that there is little data to support a recommended level. Many companies opt for a basic policy starting at $1 million in coverage.
“There is no actuarial table for this. You could call it sleep insurance for the CEO. At what level are they comfortable enough to be able to sleep at night?” Weinstein says.
Read the Fine Print
Weinstein and Roy say businesses need to know that no two policies are the same; descriptions of coverage and limits vary widely. “First, sit down with your agent and your IT staff or contractor—whoever is running your system will know what your vulnerabilities are,” Roy says. “Too often the customers just don’t know and cannot answer the questions. Your IT will know what you have for backups, firewalls, multi-authentication protocols.”
Carriers will look for loss prevention techniques such as multi-factor authentication (MFA), where someone logging into a system must supply their password and a second type of verification, such as a code sent to their phone, before they can proceed.
Targets of Opportunity
Early in the pandemic, the FBI reported business email scams targeting companies and municipalities were on the rise, with many targeting those purchasing personal protective equipment or other supplies needed to fight COVID-19.
A common email scam is invoice manipulation, Roy says. She had two clients that were hit with invoice manipulations—one attempt was caught, and one wasn’t. “How this scam works is that someone breaks into your email, watches for a week or so to see who you send invoices to, then they take over your email and send out a fake invoice with different payment instructions or a request for a wire transfer. But your customer pays the bill because everything else looks right,” she says.
Roy says to let customers know if the company doesn’t accept wire transfers, so they will know immediately that there is a problem. If a business does accept them, institute a policy that says before every wire transfer, customers should call to verify bank information. Loss prevention is the biggest way to fight cybercrime, she says. “We are just a trusting society, but we have to be aware.”
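The invoice-manipulation scam above and the call-to-verify policy that counters it can be turned into an accounts-payable check. The following is an added example, not code from the article or from Optisure Risk Partners, and its data model (`VendorRecord`, `InvoiceInstructions`, the `pays_by_wire` flag) is an assumption for illustration: any change to the routing or account number on an incoming invoice puts the payment on hold until someone phones the vendor at the number captured at onboarding, never the number printed on the invoice, and a wire request from a vendor that never uses wire is rejected outright. All vendor and bank details are constructed sample data.

```python
"""Payment-instruction change check, illustrating the call-to-verify policy."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    APPROVE = "approve"                      # instructions match the record on file
    HOLD_FOR_CALLBACK = "hold_for_callback"  # pay only after voice verification
    REJECT = "reject"                        # violates a standing policy outright


@dataclass(frozen=True)
class VendorRecord:
    """Known-good details captured at vendor onboarding (assumed data model)."""
    name: str
    bank_routing: str
    bank_account: str
    verified_phone: str   # obtained at onboarding, never copied from an invoice
    pays_by_wire: bool    # False if this vendor has told us it never uses wire


@dataclass(frozen=True)
class InvoiceInstructions:
    """Payment details as they appear on an incoming invoice email."""
    vendor_name: str
    bank_routing: str
    bank_account: str
    payment_method: str   # "ach" or "wire"
    contact_phone: str    # printed on the invoice; untrusted if the mailbox was taken over


@dataclass
class ReviewResult:
    decision: Decision
    reasons: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None


def _digits(value: str) -> str:
    """Normalise identifiers so '1234-5678' and '1234 5678' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())


def review_payment_instructions(invoice: InvoiceInstructions,
                                on_file: VendorRecord) -> ReviewResult:
    """Compare an invoice's payment instructions with the vendor record on file.

    A changed routing or account number is held until someone calls the vendor
    at the onboarding number. The phone number on the invoice is deliberately
    ignored: if the vendor's mailbox is compromised, that number reaches the
    attacker, who will happily "confirm" the new details.
    """
    result = ReviewResult(decision=Decision.APPROVE)

    # Standing policy: a vendor that never uses wire should not suddenly request one.
    if invoice.payment_method.lower() == "wire" and not on_file.pays_by_wire:
        result.decision = Decision.REJECT
        result.reasons.append("wire transfer requested from a vendor that does not use wire")
        return result

    changed = []
    if _digits(invoice.bank_routing) != _digits(on_file.bank_routing):
        changed.append("routing number")
    if _digits(invoice.bank_account) != _digits(on_file.bank_account):
        changed.append("account number")

    if changed:
        result.decision = Decision.HOLD_FOR_CALLBACK
        result.reasons.append("payment details differ from record on file: " + ", ".join(changed))
        result.callback_number = on_file.verified_phone
        if _digits(invoice.contact_phone) != _digits(on_file.verified_phone):
            result.reasons.append("invoice contact number is not the verified number on file")
    return result


# Constructed sample vendor record (not a real vendor, bank or phone number).
ACME_ON_FILE = VendorRecord(
    name="Acme Paving LLC",
    bank_routing="011000000",
    bank_account="000123456789",
    verified_phone="603-555-0100",
    pays_by_wire=True,
)

if __name__ == "__main__":
    altered = InvoiceInstructions(
        vendor_name="Acme Paving LLC",
        bank_routing="011000000",
        bank_account="000999999999",    # account changed on the fake invoice
        payment_method="ach",
        contact_phone="603-555-0199",   # "call this number to confirm" points away from the real vendor
    )
    verdict = review_payment_instructions(altered, ACME_ON_FILE)
    print(verdict.decision.value, "->", "; ".join(verdict.reasons))
    if verdict.callback_number:
        print("verify by calling the number on file:", verdict.callback_number)
```

The check is only as good as the vendor record it compares against, so the onboarding record itself should be created from a source other than email, and updates to it should go through the same callback step.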
Peterborough isn’t the only NH victim. In October 2020, servers at the town of Salem were hit by ransomware that locked up data and took all town systems offline for more than a week. Jason Sgro, senior partner and head of cyber security and human privacy at The Atom Group in Portsmouth, says the targeting of municipalities is a known risk.
“These are systems managed by people who have heavy workloads,” he says. “These are small New Hampshire communities, with very dedicated professionals who are a vulnerable target because they transfer large sums of money for projects such as schools and construction. It’s an opportunity, and these criminals are opportunistic and coordinated.”
Sgro says The Atom Group works with Primex, the NH Public Risk Management Exchange, which provides coverage to most municipalities for property and liability, workers’ compensation and unemployment compensation. “We provide professional incident response, which can safeguard money and infrastructure,” he says. “The insurance company can provide breach counsel, public relations and threat actor negotiation. Our teams are ready to respond to events in a much faster, more capable way than a [city or town] that is a victim of a cyberattack.”
He says it is critical to respond within hours, not days, but sometimes a sense of embarrassment, confidentiality concerns, or a feeling among town staff that it is their job to remediate gets in the way. In most cases, though, they are not cyber experts.
“Think of it like a house fire. You don’t try to put the fire out for two days and then call the fire department,” says Sgro.
“Our response is highly coordinated to mitigate the damage and preserve forensic evidence. Hours matter.”
There are measures that can be taken in advance.
Incident response planning: Towns already do this for natural disasters, and the process should include a cyberattack.
Plan for the outage: The length of an event can be measured in weeks or even months. Do you have processes to keep going?
Critical utility systems: How will a town handle electric and water services without computers?
Basic cybersecurity training: Are all city buildings linked? Break out the services such as public works, police and library. The network can be affected from any connected point.
Sgro says the public should understand that the town cannot communicate too much as the cyber attacker could see media coverage and adjust the attack. “The big thing needed from the public is patience and understanding,” he says. “These attacks are tremendously complex to remediate.”
While Interpol reports cybercrimes are shifting to larger corporations, municipalities and critical infrastructure, small businesses are not in the clear, says Roy. Insurance coverage will evolve and become standard practice.
“More than 20 years ago, the insurance industry came out with employment practices liability, and it was a hard sell, but then because of all of the lawsuits over sexual harassment and discrimination, companies got on board,” she says. “People are starting to see the need and as more people buy into cyber, the products will get better, and people will get smarter about prevention.”