The fear of experiencing a cyberattack is rightfully keeping businesses owners up at night. Not only would a cyber attack give your security team a headache , but could have profound and irreversible financial implications for your businesses. In fact, according to a report by IBM and the Ponemon Institute, the average cost of a data breach in the U.S. is a over $8 million. And with 30% of companies expected to experience a breach within 24 months, it’s no surprise that business are seeking coverage. The problem, however, is that businesses and insurance companies alike are still grappling over exactly what is and is not covered when a cyber event occurs.
Some businesses are learning this the hard way
Recently, a phishing campaign successfully stole the credentials of an employee at a rent-servicing company that allows tenants to pay their rent online. The phishers used the employee’s credentials to take $10 million in rent money that the company owed to landlords. The company had a crime insurance policy that covered losses “resulting directly from the use of any computer to fraudulently cause a transfer,” but soon found out their claim was denied. Among the reasons the insurer gave for denying the claim was that, because the funds stolen were owed to landlords, the company did not technically suffer any first-party losses and there were not covered by the insurance policy.
In another case, the pharmaceutical company Merck found itself victim to a ransomware attack that shut down more than 30,000 of their computers and 7,500 servers. The attack took weeks to resolve and Merck is now claiming $1.3 billion in losses that they believe should be covered by their property policy. The problem, however, is that the attack on Merck was actually a by-product of a malware campaign that the Russian government was waging against Ukraine and happened to spread to companies in other countries. The insurer therefore denied the claim, stating their property coverage excludes any incidents considered an “act of war.”
Silence is Deadly
The Merck example above also illustrates the concept of “silent”, or “non-affirmative” cyber. Basically these are standard insurance lines, like property or crime, in which cyber acts have not been specifically included or excluded. Merck was filing the claims against the property policy because it sustained data loss, system loss and business interruption losses. Silent cyber is difficult for a carrier to respond to (which is why the carrier in this case is looking to the war and terrorism exclusion to deny coverage) and even more challenging to account for. That’s one reason both carriers and businesses are looking to standalone cyber insurance, which provides both the insured and carrier with a lot more clarity as to what is covered. (Although, carriers can deny coverage in situations where the attestations about the quality of security up front do not measure up at claim time.)
Predicting the Unpredictable
It’s commonly said that insurers will do anything to avoid paying out claims, but the issue with cyber insurance coverage goes much deeper. Instead, the problem centers around a number of uncertainties involved in categorizing and quantifying cyber risk that makes comprehensive policy writing a near impossible task. For one, cyber insurance is a new market dealing with a relatively new problem. There are therefore not as many data points for insurers to accurately quantify risk as there are for long-standing forms of insurance.
The real problem, however, is that cyber incidents are extremely difficult to predict and reliably account for. Whereas health and natural disaster policies, for example, are based on scientific modeling that allows for a certain degree of stability in risk factors, it is much harder for insurance companies to predict when, where, and how a cyber attack might happen. Even Warren Buffett told investors that anyone who says they have a firm grasp on cyber risk “is kidding themselves.”
Reading the Fine Print
It’s important to understand that, despite the relatively unpredictable nature of cyber incidents, there are plenty of steps businesses can and should take to understand and mitigate their risk profile. Organizations with robust risk management practices can significantly reduce their vulnerability and a strong security posture goes along way towards minimizing their risks and providing a strong defense when a claim strikes.
Unfortunately, this puts a lot of the responsibility on individual businesses when evaluating their cyber exposures and the insurance coverages which might be available to respond. A good insurance broker who has expertise in cyber is essential. Much like the threat landscape, cyber insurance coverage is constantly evolving, and it is to all parties, from businesses to carriers, to keep up.
Remember the sales contest from the movie, Glengarry Glen Ross?
“First prize is a Cadillac Eldorado….Third prize is you’re fired.”
We seem to think that, in order to motivate people, we need both a carrot and stick. Reward or punishment. And yet, if we want people to change behaviors on a sustained basis, there’s only one method that works: the carrot.
One core concept I learned while applying behavior-design practices to cyber security awareness programming was that, if you want sustained behavior change (such as reducing phish susceptibility), you need to design behaviors that make people feel positive about themselves.
The importance of positive reinforcement is one of the main components of the model developed by BJ Fogg, the founder and director of Stanford’s Behavior Design Lab. Fogg discovered that behavior happens when three elements – motivation, ability, and a prompt – come together at the same moment. If any element is missing, behavior won’t occur.
I worked in collaboration with one of Fogg’s behavior-design consulting groups to bring these principles to cyber security awareness. We found that, in order to change digital behaviors and enhance a healthy cyber security posture, you need to help people feel successful. And you need the behavior to be easy to do, because you cannot assume the employee’s motivation is high.
Our program is therefore based on positive reinforcement when a user correctly reports a phish and is combined with daily exposure to cyber security awareness concepts through interactive lessons that only take 4 minutes a day.
To learn more about our work, you can read Stanford’s Peace Innovation Lab article about the project.
The upshot is behavior-design concepts like these will not only help drive change for better cyber security awareness; they can drive change for all of your other risk management programs too.
There are many facets to the behavior design process, but if you focus on these two things (BJ Fogg’s Maxims) your risk management program stands to be in a better position to drive the type of change you’re looking for:
1) help people feel good about themselves and their work
2) promote behaviors that they’ll actually want to do
After all, I want you to feel successful, too.
At this point, many companies have instituted work at home policies. And, assuming that the organizations have taken the right steps to secure their remote workers and increase their bandwidth to handle the increased loads and redundancies, business can get back to the new normal, correct?
Not quite. The key to managing remotely is communication. And I’m not talking about emails from the company referencing COVID-19. I’m talking about ongoing communication that keeps the staff engaged, strengthens the culture and overcomes isolation.
There are many ways to do this. Here are a few you can do right away.
- Daily virtual standup meetings. Have your teams jump on a video call same time each day to have a quick chat about what went well and what blockers have come up since the prior days call. Make it video so people can see each other which improves the socialization aspect of the meeting.
- Catch them doing something good. Each day call out someone for doing something well, especially if it involves helping clients or each other. Support is now a key differentiator and it should be rewarded.
- Conduct white-hat phishing exercises. Phishing hasn’t gone away. In fact, COVID-19 has given the bad guys something else to use a lure. Keep your team digitally aware by running phishing simulations, but let them know you are doing it and reward them for any phish they report. That way you both sensitive the team to be on the lookout for suspicious emails and keep them positively engaged at the same time.
- Step up security training for privileged users. With the changes to network access and perhaps the installation of additional technologies to support remote access, it is critical you spend the time with your systems, application and network teams on security role-based training to ensure that the assets are appropriately configured. Misconfiguration poses a large cyber threat in the best of times; even more so now. Of course, make sure you are catching them doing something good, as well. (See #2 above.)
- Create standing “tea-times”. Let’s face it, part of working together is socialization. For teams not used to working remotely (and therefore not used to connecting with each other on a social basis remotely), carve out some time each day which permits them to reach out and talk to each other about whatever they want. You don’t have to over engineer this, giving permission might be all you need to do.
The resilience of an organization’s ability to respond to any challenge is in no small part due to the strength and resilience of its culture. Focusing on, communicating with, and recognizing your staff will go a long way to keep people working together. Even when they’re apart.
Subscribe to our blog here: https://mailchi.mp/90772cbff4db/dpblog