Chuck and Grant discuss cyber liability, how you can protect yourself from ransomware, and how it differs from ID theft and the theft of digital assets.
Below is a transcript of the episode, modified for your reading pleasure. For more information on the topics discussed in the episode, see the links at the bottom of this post.
* * *
Grant FINLEY: Welcome to another edition of Your Insurance Connection Podcast. I'm your host, Grant Finley, joined once again by Chuck Hembree, President of CLH Insurance. Chuck, it's good to see you again. How are you?
Chuck HEMBREE: Good morning. It's a good Fall morning and we're ready for a new podcast. I'm excited about it.
FINLEY: Yeah, it's a beautiful day today, isn't it? Kind of a break from the norm we've been having lately, but -
HEMBREE: That's it.
FINLEY: Happy to have it. So, today we wanted to dive into a topic that's getting more and more attention and it's more and more relevant and there's a lot of confusion around it. So, that topic, without further ado, is cyber liability. You hear that name, you might have an idea of what it's about, but I'm sure there's a lot of grey area. So, can you just unpack what cyber liability is to the best of your ability?
HEMBREE: Well, cyber just sounds futuristic itself, but cyber means electronic or not tangible. That's where we're having to delve and explore. As much as we've heard about it, it's still a relatively new phenomenon that we don't have lots and lots of actuarial data like we have for property that's gone on for decades and decades and maybe centuries. So, when we're talking about cyber liability, that means the protections that we, as an insured, owe somebody else. Whether we have a house and personally owe somebody or a business - the protections that they owe the public when we're entrusted with their private information. So, that's cyber liability; what we owe. Cyber hacking is what happens when somebody comes in and invades our personal space or our business's space through the internet and takes from us information that's private to us.
FINLEY: So then how would this differ from - I know we kind of talked about cyber, digital - but how is this different from just a generic ID theft? I'm sure that's already covered, so if somebody steals my identity online, digitally, how is that different? Or if they steal my possessions, like a theft of digital assets, whether its photos, or money, or whatever it might be. How are those all different from each other, or are they different from each other?
HEMBREE: Good, no, that's a great question. ID theft doesn't even have to be cyber related. ID theft could be because somebody stole our actual credit cards. They can access our personal information that way, and we do have a little bit of coverage underneath our traditional insurance products for that. But most of that is after the fact. We don't have anything for prevention, and even cyber liability is not necessarily prevention. Theft of digital assets is not protections we owe someone else. That's if somebody gets in - and you it it pretty well - gets into our bank account, whether we're a business or personally, and they steal our money, or our securities, or other assets, or other private information, like pictures, and they do it electronically through the internet. So, they're kind of all interrelated. The problem is, traditional insurance products, if we read the language in them, they always protect injury to tangible property, and all policies talk about that. Injury to tangible property and loss of use to tangible property, that's stuff we can touch and feel and everything, and the problem is electronic data is not tangible property.
FINLEY: Okay, so, maybe walk me through it a little bit. If I'm John Q. Public, is there a policy out there that I can buy that's going to protect me from ransomware? Maybe my computer gets hacked and I can't access it until I pay these hackers a penalty, a fine, the ransom. Is there something I can get to protect myself if I am hacked and data is stolen, digital assets are stolen, ransomware, etc. or am I kind of on my own?
HEMBREE: We're kind of in a grey areas now. There are more commercial or business solutions than there are personal solutions. Although, there are a few insurance markets out there on the personal lines side that are starting to bring cyber liability into their product inventory. But we see more protections, unfortunately, on the commercial side because, face it, we've heard statistics that 50-60% of commercial businesses have been hacked. And I've also heard that 40-50% of other businesses just don't know they've been hacked. We know it's wide spread there and they have more to lose of our private information. But on the personal side, we have a little bit more limited solutions and so, probably prevention, which we can talk about in a moment, is probably the best thing. It's not an insurance product. It's those things that we can do to prevent us from having to use cyber liability. I think we need to assume that we're going to be hacked.
FINLEY: Yeah, and so on the business side - I think I touched on it, but I'll just make sure that I'm clear on it. If I'm a business, and obviously I'm using credit card data and personal information, I can get the cyber liability insurance so that if I'm hacked and your information is exposed, then I'm covered by that.
HEMBREE: Yeah, you can buy some coverage for the results of that. So, let's talk a little bit about that, if that's all right?
HEMBREE: What kind of exposure does a business have if they get to my personal information that I'm trying to protect of my customers? There are several things that come to mind there. First of all, there's the third party losses that we're talking about, when we have to protect other people. We have to notify them. We have to restore. We have to repair their credit, and we've seen all the big, Targets, Home Depot, Yahoo!, huge there, and we've seen the largest one here now with Equifax and 143 million files taken. When they talk about 143 million files or records, that's where we can start to kind of break this down and understand it. That's a huge amount of course and I've heard things thrown out like, "the average cyber hack is $7 million or $1.8 million", that's really a wide varient, but I think more down to earth for us is: per record, because we're not all mega-huge 143 million customer folks and breaking it down per file or per record. We're starting to get better and better data on what that is. The average record that's stolen is going to cost somebody to restore it and put it back to where it is, do the investigation - all that, $158. $158 per file. So, let's put that in perspective. If I have 1,000 customers, I need $158,000 worth of protection at least, you know, that's the average. If I have HIPPA information, medical information, it's much higher - around $355 per file. And if they just get me, Joe Blow, my records are probably a lot lower around $80 per file. So we're starting to be able to check this out from the public sector, up to medical records, and all the industries in between, we find they have different averages so that helps us to try to determine how much protection we need to purchase and how much are we going to be liable for. So that's what we have to look at to see how we protect.
FINLEY: So, what are some of the companies a person or business could go to to get some of this protection?
HEMBREE: Many of our standard companies and our excess surplus lines like Lloyds of London and other markets that will customize the coverages that we need. But there are plenty of standard companies who know that their customers needs this and have developed good products. Now, for the average retail business, it's pretty obtainable. If we're big into doing programming or have websites and have things like that that we're doing, and we're more into working with software and so forth, we may need broader protection, and if we can't get the limits that we want that's where we have to go to more specialized companies like Hiscox or Beazley that can provide it for us. But most of our standard companies can start to give us the minimal coverages. We just need to watch to make sure that they are sufficient.
FINLEY: And then real quick, you talked about prevention, what are some of those key tips that somebody can take to prevent this type of thing happening to them?
HEMBREE: Well, I had a chance to sit down with Frank Abagnale, the real "Catch Me If You Can" guy and he says cyber breaches happen because people simply do things they're not supposed to do. They know they're not supposed to open that email. They know that looks suspicions, but curiosity gets us and we do it. So, like we talked about before, you oughta assume that you're going to be hacked and some of the things that you can do is, first of all, develop a response plan. Do we have all of our information in one place where we can readily get to it, cancel our credit cards, call our insurance people, all of those things. Do we have that in one place? Do we know how we would act? If I'm out of town, does my wife know how to handle that if something happens? Second, simple things - keep our security software up to date. Run those updates. That's such an easy thing but it's so hard because we're all so busy running around all over the place. Make sure that our security software is current. When we see something on our email and it's in doubt, delete the thing. Get rid of it. If it's important they'll probably call you again or contact you again, so when in doubt, delete it. And make sure you're protecting all your devices, and when we think about all our devices that's our desktops, our laptops, our ipads, our cell phones, all of those things, but even anything that is run by the internet. So, our echos, our refrigerators, our thermostats - all of those things. If they're connected to the internet, we need to put protections on there and that means firewalls, that means router protection and software to protect those types of things. If you use USB's or thumb drives, plug and scan it first. Make sure you've got software that will scan it first before you use it. Certainly, consider cyber insurance if it's available to you, and beyond the internet, be safe with your credit cards. Watch how you use them. Look - we've seen several cases where at gas stations, people are copying them and they're putting them into readers - scan readers. Look at what you're putting your credit card into at retail and gas places. Does it look different? Ask about it. And then, for businesses and for personal, encrypt sensitive files. We can get software and hardware that does that more easily. It's pretty affordable and if it's important, encrypt it so if it's stolen, all they're getting is an encrypted file that they can't take care of. So, those are a few things that we can do on a very basic level to take care of it. Not all insurance related but certainly insurance is available.
FINLEY: A lot of great stuff there, Chuck. I think there's a lot here and as we touch on in the beginning of the show, it's only going to get more and more important. So, if anybody out there has any questions, whether you're just trying to expand on anything we talked about here today or you're going into business and you need this protection, like Chuck said, we've got a number of companies who can help, so feel free to give us a call and we'd be happy to talk with you. Unless you've got anything else, Chuck, I think we'll wrap it up there.
HEMBREE: I think that's got it. Thank you.
FINLEY: All right, thanks for listening and we'll catch you on the next episode.
Your Insurance Connection podcast can be heard on iTunes and Stitcher or by visiting clhins.com/content/podcast. If you like what you’ve heard you can support this podcast by rating and/or sharing it on your social platforms. CLH Insurance is a “Trusted Choice”, independent agency servicing Missouri, Kansas and Illinois. For more information on CLH Insurance, visit clhins.com or call 636.391.0700 to speak with an agent. Until we connect again, thanks for listening.
* * *
Show Notes - Where you can learn more about the people and ideas discussed in this episode.