The cyber arena is changing every minute, so it can be difficult for even the most well-versed retailer to keep up. And that’s where RPS comes in, to help educate our retail partners about the various coverages, how they can differ from policy to policy, and what we’re doing to fill the gaps.
Cyber insurance is so important for small businesses—43% of companies that have a breach are out of business within six months. Previously, if an agent wanted to try to keep a small business resilient, cyber wasn’t top of mind. They’d sell them EPL insurance or workers’ comp.
But if that company has a $50,000 or $100,000 cyber breach—when a small business has an average of $12,000 in cash—that agent has now lost the renewal and that company has lost all of their employees. They're out of business.
So RPS set out to find a different, better way to reach those small businesses by making the complicated cyber insurance process simpler. Previously, buying insurance was way too difficult. “It was a hundred questions that nobody on the planet could answer,” according to Ryan Collier, RPS’s Chief Digital Officer.
With the benefit of a few years of claims, RPS saw what cyber challenges small businesses are up against and designed a product to mirror what's actually happening. Yes, there are plenty of cyber policies that throw in little coverages here and there that you'll probably never see a claim on. Our policy has those too, but we also have a functional structure to actually help a small business get back on track.
Let’s say you buy a million dollar policy—then you've got $1 million of insurance. As soon as you use it up in a year, you're done. Right? That's how we've always known insurance to be. One of the enhancements of RPS’s new policy are the first-party coverages. In other words, an insured has a data breach. They need to hire lawyers, they need to notify people, they need to hire forensics people. They need to offer credit monitoring, all these things that they have to spend money out of pocket on. Those are first party expenses. They have an event. Yes, they've got a limit—but it’s per occurrence, not per term.
Let's say it's $1 million. Once that's exhausted, it resets—so if they have another event in the same year, they get a whole new million dollars, it starts all over. What would formerly just be $1 million of coverage could be 10 times that if there are multiple attacks in a year. The business doesn’t have to worry about buying more insurance—the clock is reset automatically.
Does more than one attack in a single year seem far-fetched for a small business? Sadly, it shouldn’t. Ransomware is spreading like wildfire in the cyber world, with the highest frequency of cyber events we’re seeing in the industry.
Ransomware has changed the cyber attack game by limiting access to data, the lifeblood of any company, and there's been a big change in the execution of it the last two years. Previously, someone would go on the dark web and buy a ransomware execution kit and a list of email addresses, then send out a bogus link hoping that a few people would click on it and then spend $300 to make the problem go away.
But now, the perpetrators are inside the networks. They're looking around, getting the lay of the land and figuring out where the backups are. Once they have the backups and they can encrypt the backups, then they know they've got you.
Ransom demands have gone from hundreds of dollars to over a million dollars. A small municipality, for example, can't afford a hit like that. In the public sector, you're talking about people's job security, elections and services to citizens and things like that, that are disrupted.
Cybercriminals also are taking advantage of the current COVID-19 pandemic with new social engineering scams that prey on the emotions of employees who are working remotely, many for the first time. Given the intensity of the situation, many of these employees may respond to phishing emails, which could be disguised as legitimate emails from their companies’ IT departments asking for their login credentials. Many companies also are seeing such phishing emails that appear to be coming from the CDC and the World Health Organization asking for personal medical information or soliciting donations to help finance a vaccine.
With proper coverage in place, however, businesses are able to weather a storm that would otherwise put them completely out of business.
An average small business doesn't know how to navigate a claim. They don't know who to call. They don't know how to get a ransom paid. With our product, the average response time for a claim called into the breach response coach is a couple of minutes. So within minutes the business actually has advice to walk them through what is likely the most challenging crisis the company will face this year. The ability to dial into those resources and have somebody guide them, concierge-style all the way through the entirety of the claim, is just as valuable as the balance sheet protection. Otherwise it's chaos.