Cybersecurity & Small Businesses
Target, T.J. Maxx, Google, Marriott -- these are the names that get the most attention in the press when there is a cyberattack, but companies of all sizes are exposed to this threat. Each year, the Ponemon Institute publishes an overview of cybersecurity in small and medium-sized businesses [1]. The most recent study indicates that cyberattacks on smaller companies are targeted, severe and sophisticated. In addition, an increasing number of businesses are confronting this issue.
Phishing and social engineering continue to be the most common issue, but this year's report shows a large jump in advanced malware and zero-day attacks. A zero-day attack is one that occurs the same day a software weakness is discovered: the criminals act quickly to exploit the weakness before a fix is available. Like large companies, small businesses are also seeing a rise in ransomware schemes. Ransomware is particularly disruptive because the business is unable to operate until its systems are restored. According to Ponemon's survey, most companies impacted by ransomware opted to pay the ransom. Businesses report that the weakest link in their ability to stop a ransomware attack is often a negligent employee.
Small businesses cannot ignore the risks associated with the rise of cyber-crime. Government agencies such as the Department of Homeland Security and the Federal Trade Commission post educational information helpful to small business owners.
Insurance companies and agencies, big or small, are another type of business susceptible to cyberattacks and crime. After analyzing the current cybersecurity landscape, the National Association of Insurance Commissioners (NAIC) established the NAIC Insurance Data Security Model Law, which:
- Sets data security and data breach investigation and resolution standards across the insurance industry.
- Requires insurance companies to maintain appropriate data security standards to protect customer data.
- Enforces an onerous breach notification timeframe of 72 hours after discovering a breach.
This Model Law is similar to the New York Department of Financial Services' (NYDFS) Cybersecurity Rule, which imposes the same obligations [3]. With this rule in place:
- Insurance brokers will likely be faced with numerous and distinct parameters imposed by their carrier partners.
- Producers are required to have their own ‘first-party’ cybersecurity compliance structures.
More states have recently moved toward endorsing legislation that follows the NAIC law closely or departs from it in a few relatively minor ways. Here are a few ways states are diverging from the NAIC rule:
- Ohio extended the breach notification timeframe to 3 business days.
- Michigan extended the breach notification timeframe to 10 days.
- Ohio's law exempts licensees with 20 or fewer employees.
- Michigan's law exempts licensees with 25 or fewer employees.
- The NAIC Model Law exempts licensees with 10 or fewer employees from its requirements [2].
Given the cyber risks that insurance companies and agencies could face, we encourage agents and producers to familiarize themselves with the steps they can take to prevent these kinds of threats.
[1] Ponemon Institute, 2018 State of Cybersecurity in Small & Medium Size Businesses, November 2018.
[2] The Council of Insurance Agents and Brokers, Ohio and Michigan Adopt NAIC Model Law; Five Other States Set to Do the Same, April 2019.
[3] The Council of Insurance Agents and Brokers, NYDFS Cybersecurity Rule Imposes Stringent Requirements on Third-Party Service Providers, Including Brokers, February 2019.