Wednesday, Apr 17, 2024

Cybersecurity a New Risk for Insurance Agencies

Valley businesses have a lot at stake when it comes to cybersecurity. In a market where tech is constantly evolving, hackers or disgruntled former employees can find multiple ways to disrupt workflow and compromise what would otherwise be protected information.

Data breaches can come from an internal source or hackers, and intellectual property as well as consumer data are highly targeted, according to Michael Grant, principal at Marsh & McLennan Insurance Agency, a Los Angeles brokerage firm that does business in the San Fernando Valley.

“By and large, it’s outside parties, either by hack, malware or social engineering,” said Matt Sarazen, client service executive at Arthur J. Gallagher & Co.’s Glendale location, the No. 1 company on the Business Journal’s list of Insurance Brokerage Firms. “Insider attacks are still less than 10 percent, probably closer to 5 percent, of privacy breaches and security events.”

Given the newness of cyber threats, coverage and potential liability often don’t match. The average insurance payout for a small to medium-sized enterprise data breach is $400,000, according to a recent Chubb Insurance study. The average cost to an employer of a data breach is $3.62 million, according to a cyber security survey by Ernst & Young’s Paul van Kessel.

Specialist brokers

Identifying exposure of intangible property like customer data or intellectual property can be challenging, even for specialists. Insurance brokerages such as LBW Insurance and Financial Services, No. 13 on the Business Journal’s list, have entire divisions devoted to cyber liability policies with specialists who only handle these types of policies.

Howard Miller, director of the Tech Secure Division at LBW in Valencia, started selling cyber liability insurance in 2007 and became head of the division in 2011.

“The framework is an approach to risk management that takes into account cyber-physical exposures as well as traditional risk,” said Miller.

Miller presents a proactive approach to employers and then introduces them to third-party coverage for unauthorized access, breach of privacy and network security liability. Policies can cover costs for computer forensics, notifications, public relations, network system repair and indirect losses from a cyber attack.

One of the best ways to utilize cyber liability insurance in a proactive way comes down to awareness training for executives and staff, according to Miller. Employers that better understand social engineering are less likely to fall prey to a malicious link, business email compromise or misdirected wire transfer.

“We had an insured who had an issue of a lost drive with donor information,” said Miller. “The insurance was helpful in providing breach coach services and drafting notification letters. In general, insurance carriers have specialized resources ready to respond in the event of a crisis that most (small and medium-sized enterprises) have not secured on retainer.”

Roughly 77 percent of organizations operate with limited cybersecurity, according to the Ernst & Young survey, and 87 percent don’t have the budget to provide adequate insurance coverage. Focusing on the “crown jewels” of a company, in terms of data and intellectual property, can help a business protect itself when faced with a limited budget, the survey said. Rethinking security in a way to support the business effectively and efficiently helps mitigate protection costs.

“It’s important for brokers to have strategic kinds of relationships, with the pre-breach and post-breach service providers. Using all this information, brokers can usually tailor a cyber solution that suits each company’s specific exposure,” said Sarazen at Arthur J. Gallagher.

State rules

California legislation is changing liability terms for cyber attacks too, adopting a broader view of privacy and consumer protection, according to LBW’s Miller.

The California Consumer Privacy Act was passed in June 2018 and parallels the European Union’s General Data Protection Regulation. The new law is effective Jan. 1, 2020 and specifies that a business must disclose personal information it collects on a consumer, source categories, its purpose for collecting the information, and whom it sells or shares data with.

“I’m sure you’ve noticed that every time you go onto a website recently, you get the cookie notification; that’s one of the implementations that companies have had to use as a result of GDPR,” added Sarazen.

Regulation for Internet-of-Things (IoT) devices will require device manufacturers to include a security feature depending on the information the device can “collect, contain or transmit” if the device has a way of connecting to the internet. This rule takes effect in 2020.
