Jeff Sloan discusses cyber insurance with Michael Spath and Kapnick Vice President Melissa Selke. Here are highlights from that conversation about why your small business needs to make cybersecurity protection a priority.
Jeff Sloan, Founder & CEO of StartupNation: Welcome to this edition of Startup Nation. We’re focused today on cyberinsurance. We’ve got Michael Spath, Client Executive from Kapnick Insurance. Michael, you guys have brought along a subject matter expert on cybersecurity insurance.
You know, it’s one of those things where a lot of businesses may say, “Eh–that’s something I’ll think about next year. They’re probably only going after the big guys.”
But the reality is, when an attack happens, it can be catastrophic, and statistics show that it is hitting small business now more than ever before, especially with people working from home.
Michael Spath: It’s interesting. Insurance conversations are all about if a business burns down, as if the fire is an actual risk out there, but cyberattacks and ransomware attacks are just as real. It’s just happening to your security, your infrastructure, all your software, all those things like that.
Jeff: Frankly, in many ways cyberattacks can be worse. Some things can withstand a fire or be saved from it. But cybercriminals can take command over the business, right? Hold them for ransom. Destroy it in an instant.
Michael: Absolutely. And where are you going to go from there? Once your business has been attacked?
To talk about it here, joining me from Kapnick in our specialty risk practice, is Vice President Melissa Selke. I’m so very excited to talk to Melissa. And then from Unishippers, a franchise owner, Dave Stavale.
Melissa, when you look at that question that Jeff asked, about why should I, as a small or mid-size business even pay attention to cyber insurance? Why should I care about it? I am not a Fortune 500 Company. I’m not a publicly traded company. I am just the mom-and-pop shop down the street. Where’s my risk?
Melissa Selke: Cybercriminals are going to come right after you because they don’t think you’re paying attention to this because of the exact conversation that we’re having right now. “I’m too small. Nobody pays attention to me.” Well, guess what? They’re focusing on you specifically as a small business and it’s time that we start fighting back and being proactive.
As somebody who isn’t focusing on cybersecurity, who doesn’t have a dedicated IT professional, who is allocating resources elsewhere, who’s extra creative and is out selling your new product or your new service, and isn’t focusing on cyber risks–the cybercriminals are targeting you specifically.
Cybercriminals are “focusing on you specifically as a small business and it’s time that we start fighting back and being proactive.”
Jeff: The first line of defense has to have some sort of cybersecurity in place. Right? Either firewall or VPN or the other things to help you keep from having the attack in the first place, whether they breach it, whether you don’t have the protection or they get through. So, cybersecurity insurance does what for me?
Melissa: Let’s go through the process quickly. First, you’re going to have a breach of your system. Maybe it’s a ransomware attack.
Jeff: Ransomware is where they seize control of your digital assets, whatever you’ve got out there in the cloud, whatever you’ve got on your internal computers, laptops, even your website so that you can’t do business anymore, then if you want it back, you got to pay them $X?
Melissa: That’s ransomware. And what are you going to do? You’re going to need some help. First, you’re going to need some legal guidance. So you’re already starting to pay right off the bat. Then, you’re going to need a forensic analyst to help you through this situation. You’re going to need a negotiator. You may end up paying the ransom, maybe. You are going to be losing revenue while your business is shut down. So, you’re losing money. You may be losing customers who realized that you had this attack.
Well, guess what? The insurance pays for the legal guidance. It pays for the notifications. It lets you set up credit monitoring for those people so that they can watch their credit for the next couple of years, it pays for public relations because you’re going to have a reputation to defend. You’re probably going to lose a contractor too after the breach and the insurance pays for that as well. It’s called reputational loss.
Most importantly, it’s going to pay for your revenue loss. So while you’re shut down, you’re going to have this revenue stream coming in from your insurance.
And you’re going to have a whole team of vendors helping you, the forensic analysts, etc., because you don’t have that in house. You’re a small business. You’re focusing on your art. You don’t have all of these people lined up and your insurance just gives those to you, these vendors and all of that breach response in the worst-case scenario.
Jeff: That’s a lot of bang for the buck.
Melissa: And don’t forget to the criminals have switched from just locking up your system to actually taking your data. So they’re exfiltrating your data as well and using it, and the insurance will pay for you to reconstruct all of that.
Jeff: Let’s give us a list of other things, other nefarious things that can happen, that cyber security insurance will help cover–
Melissa: –and mitigate.
That’s a great question because right now everyone’s focused on ransomware because it’s where the criminals have pivoted, but your system can be shut down in other ways.
You could have, what’s called the denial of service attack, where you’re just flooded with so much information in the form of emails or other data that it overwhelms your system and shuts you down and your customers can’t access your system. There’s also just the base necessity that you are holding other people’s personally identifiable information. I don’t care if it’s not a customer’s credit card number. You’ve got employees information. You’ve got applicants for employment. You have all of that in your system and you’re responsible for it. If that’s breached or lost in any way or accessed in any way, then the insurance steps in.
Michael: Right. And so here’s Dave, he’s a franchise owner for a shipping company. Dave, imagine if someone took control of your internal and you’ve got Customer A in Detroit and Customer B in Traverse City and Customer C in Chicago and they just start mixing those all up and they’re sending them all over.
How does that impact your business?
Dave: So predominantly that’s a pretty serious supply chain issue and hits home. It’s interesting to hear all that, about ransomware and cyber security.
You know, Unishippers is part of a larger $5 billion company based in Dallas. We have a lot of big tech muscles to hopefully save us from some of this. But then, I run my own franchise out of my basement.
Jeff: I hate to say it this way, but there’s the opportunity for the bad guys, right?
Dave: Absolutely right. I mean, just what I got from Best Buy a year and a half ago doesn’t make me feel as comfortable after this conversation.
Michael: What I appreciate about Dave adding this is, here’s this big company, but within the big company, there are smaller pieces of that. How much are you responsible? I mean, as a franchise owner, how much of the logistics, how much of the e-commerce, how much of everything falls on your shoulders that, you know? Yes. You have a big entity overlooking you, but, uh, they’re not bailing you out.
Dave: No, no. I mean, ultimately, I don’t care how big or how small, what your business is. People are going to do business with you because of you.
Melissa: They’re all being attacked in the same way right now because there are so many criminals who are not going to sleep until they crack through somebody’s virtual door. They are going after every size company. And I don’t really feel like the risks are different.
The result of the attack is a lot different because if you’re a small company you’re going down. It’s a kill-the-company risk for you. It’s the end of your company. You might not be holding a ton of data, so you may not have the same risk that a large company is, who has tons and tons of people’s information.
Jeff: You mentioned that sometimes sensitive information, customer data, customer credit cards, and other things can be taken and used inappropriately. Does cyber insurance protect businesses against lawsuits from the market, too? That may come my way as a result of a claim.
Melissa: Thank you so much for asking that. Yes, it does. And we never talk about it anymore because we’re so worried about ransom payments and breach responders.
It’s very unlikely that you are going to be sued. I think it’s between 5-10% chance of being sued. The insurance will pay for the defense costs and the indemnity. It’s just really tricky to tie your breach to that person’s loss. So in a legal environment, you have to have causation.
Jeff: But it’s expensive even to defend yourself. Right? And that helps. So the benefit is clear. Can you guys frame out a little bit about what the costs are?
Michael: Yeah. I mean, that’s the, I always get asked that and I always think about like, okay, what is a million dollars of coverage worth to you versus what is $500,000 in coverage worth to you? Keep in mind, Melissa just said $300,000 is the average ransomware payment.
Melissa: There’s a very detailed process that we need to go through with our clients and find out what controls do you have in place? What are you holding? And it might sound like a lot of work for the client at that time, but it’s a huge eye-opener to them when they see what is at risk and how it can be taken from them.
Michael: Melissa, when should someone engage with an insurance agent when it comes to their cybersecurity? Should they be doing this after they’ve built their business, or before they built their business? Like where, what is the perfect time for someone to reach out to you or me to ask these questions?
Melissa: The perfect time is right now. You need to talk to your agent about this insurance and you need to go through the insurance application process and get a sense for what you’re doing as far as your security and what changes you need to make. Because right now, you can’t even get insurance unless you have certain levels of security in place. That should tell you something.