The Independent Insurance Agents of Georgia held its 119th Annual Meeting a couple of weeks ago at the beautiful Amelia Island Resort. I had the most fun at the annual corn hole tournament held by the Young Agents Committee on the beach, and I learned the most at the presentation by John Immordino on Cyber Liability. His presentation focused on both the challenge to agents and agencies of protecting their customer and business information and the opportunity presented by the need of every other business, small and large, in the U.S. and the world to do the same.
With respect to the challenge, Mr. Immordino made the point that, contrary to common belief, hacking is not the greatest risk a business faces when trying to protect its confidential customer and business information. More such information is taken or lost due to the negligent or intentional acts of employees and other insiders than from attacks by hackers on a business’ computer system. Mr. Immordino said his personal information had been improperly used four times and in only one instance was it due to the actions of a hacker. The other three times involved current and former employees of his business who had obtained his personal information, along with other confidential business information, from the business’ computer system.
While it is important to protect your agency’s computer system from outside attack, it is just as, if not more, important to train your employees on the proper procedures to follow when dealing with confidential customer or business information and to keep reminding them of those procedures at regular intervals. It is also a good idea to encrypt the data on any smartphones, laptop computers, or tablets that are supplied to an agency’s employees for their business use and to include remote data wiping software on any such devices if they are lost or stolen. It is possible to install such software on any such devices that belong to the agency’s employees and limit the data wiped by it to just business related information.
Employee training should include how to recognize phishing, spear phishing (bogus e-mail comes from what appears to be a familiar source), and social engineering (hacker has taken over a valid e-mail address of company employee or customer and uses it to request the transfer of money to bogus account) and what to do if they suspect an email or other communication they have received is not genuine. It is especially important to be vigilant for social engineering attempts because the voluntary payment of money in response to such a scheme is not a covered event under standard crime or cyber liability policies. A fact that an agent can use when discussing the need for the various types of insurance coverage required to protect a business from loss due to data breaches.
Another fact mentioned by Mr. Immordino that can be used to convince a reluctant business owner that cyber and other related insurance coverage is needed is that 60% of small businesses that have a data breach go out of business within six months. This is mostly due to the costs of dealing with such a breach, which average $217 a record according to a recent study by the Ponemon Institute. Over one-third of this amount, $74 a record, is for hard costs incurred in detecting the breach, determining the number of the records affected, complying with the applicable notification requirements (which vary by state), and dealing with any claims made by the persons affected. Insurance policies are available that will cover all these hard costs and will provide the help needed to deal with the various aspects of a data breach. In many instances, the existence of such coverage is the difference between life and death for the small business affected.
There was a lot of other valuable information in Mr. Immordino’s presentation. If any of my readers would like a copy of it, please contact me at firstname.lastname@example.org and I will send it to you.