When designers think about cybersecurity risks, they might think about high-profile, multimillion-dollar ransomware attacks that shut down a major utility or data breaches that result in the release of millions of customer names, passwords, and other sensitive data. But they also should think about the unpublicized attacks that demand just a few thousand dollars in ransom or the firm employee who accidentally leaves their laptop in a restaurant, making the firm’s personnel records or critical competitive information highly vulnerable.

It's dangerous to assume that just because your firm is small or operates in a lesser-known niche market, bad actors aren’t interested. The reality is that risk isn’t specific to industry or size—hackers are going after everyone.

In cybersecurity, we have an adage, “There are only two types of companies out there: those that have been hacked and those that don't realize they've been hacked.”

Given the fact that approximately 50 percent or more of U.S. businesses and other entities, such as municipalities, don’t have cyber insurance coverage, you can imagine the panic that sets in when they are attacked. Most don’t know whom they should notify or the critical first steps to take to recover. Without the appropriate insurance, moreover, they will not be able to recoup the tens of thousands of dollars (or much more) they’ll inevitably spend responding to a cyber event.

The potential for cyberattacks surrounds your firm
Data breaches, whether intentional or accidental, have been around since the dawn of the digital age; every company is vulnerable, even the most sophisticated. Last summer, a well-publicized breach occurred at LastPass, a company that offers customers a secure way to store their passwords. Using an employee’s stolen login credentials, intruders made off with “encrypted files containing passwords and other sensitive data stored by .” While encrypted files are safer than unencrypted ones, they could potentially be compromised.

In the earliest ransomware attacks, the victim company would pay the (often low-dollar) ransom, receive the decryption key, and have its systems back up and running in a couple of hours. Today, cybercriminals use software and techniques so sophisticated that it may take your company weeks or even longer to fully recover from a catastrophic event. What would having your networks down that long cost your company in terms of lost revenue, missed opportunities, and reputational damage? It could also lead to your client eventually suing you for the schedule delay.

Recently, ransomware attacks have grown even more nefarious. Some attackers demand two ransoms—one for a decryption key that will let a company back into its systems and a second in exchange for the attacker’s promise they won’t release the data they stole. It is important to keep in mind that releasing personal data is not the only threat. Attackers look for valuable data such as confidential business and proprietary information that they can hold for ransom to position themselves for the highest payout. What is the value of a draft of one of your upcoming bids or other competitive or proprietary information? What if that data was made public or delivered to a competitor?

If you think ransomware attacks are something only the biggest firms face, you’re wrong. While some hackers spend time and effort unleashing very sophisticated attacks on large enterprise companies, more often than not they are looking to capitalize on low-hanging fruit, valuing opportunity over planning. Smaller firms are seen as vulnerable—easier for hackers to break into, collect several thousand dollars in ransom, and move on to the next victim.

Of the cyber insurance claims made by firms with annual revenues under $50 million, more than half have been the result of ransomware attacks. Add the fact that in the U.S., ransomware claims made by professional services firms are more frequent than for any other sector (see the chart below, and  ), and the threat of a ransomware attack against your firm becomes that much more conceivable.

Ransomware by sector

The past few years also have seen a surge in business email compromise, or BEC, scams.  “BEC is one of the fastest growing, most financially damaging internet-enabled crimes. It is a major threat to the global economy.”

A BEC scam is a perfect example of why firms of all sizes should be concerned about cyberattacks. A typical scam might begin with hackers covertly gaining access to employee email accounts, often the result of employees inadvertently clicking on malicious links or opening malicious attachments in seemingly legitimate emails. Hackers then use their access to steal your client and project files. Using one of your email addresses, they send an invoice to your client for an expected amount but direct the client to wire the money to a bank account that the hackers control. The hard lesson learned is that even if the money you have on hand doesn’t interest criminals, the financial resources of the companies you deal with may.

While all companies need to be aware of risks coming from outside sources, you also need to be aware that cyber risks are not exclusively external. From 2017 through 2021, 15 percent of small-to-medium firms’ data incidents were deemed “non-criminal.” This means they were caused by companies, and their employees, simply making mistakes. These mistakes take various forms, including an employee losing a laptop or phone, sending sensitive data to the wrong email address, or otherwise accidentally releasing data.

What cyber insurance coverage can do to help
When your firm is attacked, you need to quickly navigate two main areas of concern. One is technological—find out what data is missing, how the attack happened, and how you can prevent it from happening again. The other is legal—find out which individuals, business partners, and/or regulatory entities you’re obligated to notify and who’s likely to be harmed (and sue you).

Your legal obligations get more complicated if you have clients and employees (assuming the breach affects both constituencies) in multiple geographic areas, since states, provinces, and other jurisdictions may all have different laws. There is no single standard for what constitutes a breach or which government entities have the authority to act when a company doesn’t comply with notification requirements.

Now consider what happens when you have a strong cyber insurance policy. Your carrier is, in effect, wrapping a knowledgeable, reassuring blanket around you, saying, “Calm down, it's okay, we're going to hold your hand and walk you through this. We're bringing in a team and we'll work together to help you get through this incident and get back to business.” Because while you may have never experienced anything remotely like a cyberattack, your carrier knows exactly how to proceed.

For instance, depending on the specific situation and the policy, your insurer may bring in attorneys to determine your legal obligations and anticipate any legal actions that might be headed your way; retain a forensics firm to investigate what information was stolen and how; engage a public relations firm to help you address the press and the public; and assist you in providing services, such as credit monitoring and identity protection, to impacted populations if necessary. Other situations may require just some of those resources. We recommend you work with a carrier that looks at the situation comprehensively, rather than just financially, and provides the necessary resources and expertise to best help you respond to, investigate, and recover from cybersecurity events—big or small.

Of course, the financial side also can be daunting. The chart below represents a study of 2,000 claims, mostly from small and medium-size enterprises (SMEs). For these companies, the average crisis services costs of an incident—forensic, legal, etc.—grew to $126,000 in 2021. Those costs don’t include what’s known as the incident costs—for example, the income you may have lost or additional business expenses you may have incurred while you were locked out of your system and couldn’t work on existing projects or make payroll without implementing work-around services and solutions. Those costs grew to $198,000 in 2021.

NetDiligence 2022 Cyber Claims Study


Get real—get cyber insurance
Every design firm needs cyber insurance. While cyber insurance won’t prevent a cyberattack or employee mistake, it will help you mitigate the considerable financial, operational, and reputational impacts of a cyberattack or non-criminal data incident. However, the cyber underwriting process likely will help your firm better understand its vulnerabilities and the steps it needs to take to limit those vulnerabilities. In addition, having a good cyber insurer as your partner can mean the difference between an unnecessarily long and expensive disaster and an efficient, cost-effective recovery.

About the Authors
Gwenn E. Cujdik is Manager of AXA XL’s North America Cyber Incident Response Team. She can be reached at gwenn.cujdik@axaxl.com. Michaela Kendall is Manager of Strategic Partnerships, Design Professional Team. She can be reached at michaela.kendall@axaxl.com.

