Sun Sentinel Palm Beach Edition

Online threats spur industry

Cyber insurance emerges in wake of internet thefts

If you run a business that collects personal identifiab­le informatio­n about your customers, insurance agents say you should be having nightmares about these scenarios:

A hacker takes control of your computer network and blocks you from accessing customer accounts, orders and inventorie­s, then demands you pay thousands of dollars for their release.

A hacker steals medical histories of every patient at your practice, then files Medicare claims under those patients’ names.

Your bank account password is stolen by someone recording everything you do on your computer, and is then used to withdraw all of your money.

Sound scary? That’s because these scenarios are happening with increasing frequency in Florida and across the nation, spurring rapid growth of insurance products intended to help businesses recover quickly and comply with new mandatory response laws.

Cyber risk is the fastest-growing segment in the commercial liability insurance industry — increasing at an annual rate of 30 percent, said Adam Hewitt, senior vice president of Atlantabas­ed INSUREtrus­t, an insurance wholesaler that says it developed the first policy covering businesses’ use of the internet in 1997.

Horror stories about hacks costing tens of millions of dollars have made cyber insurance an easy sell to large companies.

Target paid $116 million to settle claims by Visa, Mastercard, banks and customers after 40 million consumers were targeted in a massive 2013 hack.

A hack targeting thousands of P.F. Chang customers was revealed in 2014 after banks discovered stolen credit and debit cards offered for sale online had been used at the Asian food chain.

Major attacks nailed Home Depot in 2014, HEI Hotels and Resorts in 2016, and health insurer Anthem in 2015, among many others.

But though large companies realize the need to protect themselves, small and midsized businesses have been slow to embrace the concept of cyber risk insurance, industry representa­tives say.

Industry officials say cyber coverage should be considered by any business that collects and stores personal identifiab­le informatio­n: names, Social Security numbers, dates and places of birth, mother’s maiden names, biometric records, driver license numbers and even email addresses.

“It’s a tremendous growth sector but also a very hard sell to business owners,” says Ed Brown, managing member of The Fairway Insurance Group in Fort Lauderdale.

Currently only 15 percent to 20 percent of small- and medium-sized businesses have cyber coverage, Hewitt says.

Brown says that’s because “most people don’t realize their database is worth something to someone. They also don’t realize someone can come in and take over.”

In Florida, discoverie­s of data breaches affecting 500 or more customers of health care companies increased from 19 companies [62,523 individual­s affected] in 2015 to 28 companies [2,872,912 individual­s affected] in 2016, according to a database maintained by the U.S. Department of Health and Human Services.

The largest of those involved 2.2 million customers of 21st Century Oncology and 483,063 customers of Radiology Regional Center, PA. Also hit was Southeast Eye Institute [87,314 customers], Public Health Trust of Miami-Dade County [24,188 customers] and Family Medicine of Weston [500 customers], according to the database.

Nationally, 1,093 breaches were reported in 2016, a 40-percent increase over 780 the previous year, the nonprofit Identity Theft Resource Center reported.

Tough sell or not, Brown says his firm’s cyber insurance sales increased 50 percent between 2015 and 2016. He expects larger growth this year after the firm mails informatio­nal fliers to more than 1,000 of its commercial customers.

Alexandra Horblitt, a general lines agent with North Broward Insurance in Margate, said 40 percent of her small business clients have added cyber coverage since 2016. The cyber coverage is priced between 10 percent and 30 percent of a typical premium, she said.

Any business that collects personal informatio­n is vulnerable, the agents say.

Several types of coverage can be necessary after a single breach, Brown said. “Let’s say Mike’s Pizza Parlor gets breached. Mike takes credit cards.”

A cyber policy would cover:

Loss of income from Mike closing his business while his computer operation is repaired,

Any equipment or software repairs

Repairs to Mike’s reputation after word of the hack spreads

Fines levied by credit card companies

Hiring a call center to notify victims of the breach, as required by state law within 30 days

Cyber coverage would cover other types of breaches, such as funds stolen if hackers get hold of Mike’s banking passwords, ransom paid if hackers seize control of data, and reconstruc­tion of Mike’s website if vandals break in to delete and deface, Brown said.

Small- to medium-size businesses most in need of cyber insurance include physicians, attorneys, restaurant­s, bars and retail stores, Brown said.

To that list, Horbiltt adds online stores and boutiques that save customer data, real estate agents, mortgage brokers, data centers, IT consultant­s, and web-based marketing firms.

Cyber insurance is complicate­d and confusing because coverage can kick in for numerous reasons, officials of several firms said at a seminar last week in Deerfield Beach presented by INSUREtrus­t and the trade associatio­n Profession­al Insurance Agents of Florida.

Intentiona­l theft or sabotage can be launched by internal employees, such as a disgruntle­d IT staff member, they said.

Human error — installing the wrong patch, for example — can create openings to networks.

Attacks on large companies often start with attacks on less well-protected vendors like logistics, shipping or fulfillmen­t companies that have personal identifiab­le data of the larger companies’ customers. This kind of attack is called “leapfroggi­ng.”

Health care companies in particular are vulnerable because they all use outside vendors — such as outside laboratori­es, accounting and billing firms, and digital transfer companies — and because health records are worth three times more to criminals than regular credit card informatio­n, says INSUREtrus­t’s Steve Haase.

“They just post them on the Dark Web and people buy them and use them,” Haase said.

Criminals use real-life medical histories to submit fraudulent Medicare claims because the phony claims are verified against databases of historical medical data, Brown says.

That makes health informatio­n “the granddaddy” of data sought by thieves, Brown said.

The good news for small and medium-sized businesses is that insurance companies are in gold-rush mode with their cyber products, the officials said.

INSUREtrus­t is writing cyber policies from 42 different companies as new and old players try to get a foothold.

For now, says Hewitt, competitio­n is heavy and prices are low. Asmall- or medium- sized business with revenue of $3 million or less can buy coverage for about $1,000, he said.

“It’s a buyer’s market,” Haase says. “Everyone is trying to grab market share.”

“They just post them on the Dark Web and people buy them and use them.” Steve Haase, employee at INSUREtrus­t