PIATN 2017 Winter Edition Magazine by PIA of Tennessee

WARD-WINNING A 

Winter 2017 • Tennessee

PAGE 12

CYBER 07

Prevent ransomware attacks

Clients want cybersecurity solutions

The financial impact of a data breach

BURYING YOUR HEAD IS NOT A PLAN

Trends in cybersecurity

Stepping Forward to Serve Clients MidSouth Mutual has provided quality Workersâ&#x20AC;&#x2122; Compensation insurance and services to agents and their clients since 1995. Every step of the way, the company has moved forward to provide exceptional service and expanded coverage areas across the Southeast.

MidSouth Mutual provides strength, reliability and value to agents and their clients through quality products, forward-leaning loss control and superior claims services.

Examples of clients we serve include: HVAC Contractors

Bricklayers

Carpenters

Masonry

Building Suppliers

Electricians

Framers

Insulation

Dozing Services

Plumbers

Dry Wallers

Cabinetry

Road Contractors

Painters

Landscapers

Flooring

MidSouth Mutual provides insurance to customers in Tennessee, Georgia, Arkansas, Mississippi, Alabama, Kentucky and North Carolina.

Contact Tom Perez at tom.perez@bwood.com or 615-379-8245 www.midsouthmutual.com midsouthmutual.

Departments 04 In brief Winter 2017 • Tennessee

07 Connect 09 Risks 21 Cyber 23 E&O 26 Readers’ service and advertising index 27 Officers and directors directory

Cover story 12 Burying your head is not a plan Trends in cybersecurity

Feature 17 Guard against digital theft Clients want cyberdefense and financial protection

Statements of fact and opinion in PIA magazine are the responsibility of the authors alone and do not imply an opinion on the part of the officers or the members of the Professional Insurance Agents. Participation in PIA events, activities, and/or publications is available on a nondiscriminatory basis and does not reflect PIA endorsement of the products and/or services. President and CEO of PIA Management Services Inc. Mark LaLonde, CPIA, CIC, AAI; Executive Director Kelly K. Norris, CAE; Communication Director Mary E. Christiano; Senior Magazine Designer Sue Jacobsen; Member Information Manager Jaye Czupryna. Postmaster: Send address changes to: Professional Insurance Agents of Tennessee, 504 Autumn Springs Court, Suite A-3, Franklin, TN 37067. “Professional Insurance Agents” is published quarterly by PIA Management Services Inc. PIA Management Services, 25 Chamberlain St., P.O. Box 997, Glenmont, NY 12077-0997; (518) 434-3111 or toll-free (800) 424-4244; email pia@pia.org. ©2017 Professional Insurance Agents. All rights reserved. No material within this publication may be reproduced—in whole or in part—without the express written consent of the publisher.

Cover design Patty Dykeman

In brief 0

from the executive director

The finish line

Anyone who has coached or played sports knows that the best athletes push through to the end. Runners are trained to burst through the tapeline. Football and rugby players play until the final whistle. NASCAR drivers accelerate to the checkered flag. The game is not over until the lady sings.

This would be a great time to look at the PIA membership benefits and see what resources are available that might help you or your agency. I am confident there is a resource that could help put more money in your pocket. Here is a quick summary:

You could be receiving a revenue-share As you are reading this article, we are from one of our strategic alliance compaheading into the final weeks of the year. nies, while you are helping some of your We have all started celebrating the holiclients with business planning, payroll Kristopher Mark Fisher, days. Those holidays give us a moment to services, merchant services or other CPIA, LUTCF Executive Director take a short breath before the final push services your business clients need. PIATN to the year-end. The trick is not allowing You could be saving money on your errors Franklin, Tenn. yourself to coast across the finish line. It and omissions, umbrella, cybercoverage is the time to work hard to finish strong. or group benefits. If you do not need the production for this You could be utilizing the PIA Career Center, employee year, it is important to set-up for the beginning of the profiling services, new employee training or licensing next year. courses. Are your plans in place for 2018? What could you do in We hope that you will jump online to review the PIA the next couple of weeks to prepare for a strong start? website at www.PIATN.com. Please contact us at the Could you prepare some new marketing or branding office for any assistance you need to take advantage of efforts? Could you reach out to a couple of top clients your member benefits. to make sure they know how important their business The PIA wishes you and your team a Merry Christmas is to your agency? Could you tap into some training and a Happy Holidays. We hope you finish the year strong for you or your staff to be even more informed, effective and we look forward to working with you in 2018. and efficient?

Professional Insurance Agents magazine

platinum partner profile

AccuAgency 5855 Jimmy Carter Blvd., Suite 200

expanded into Alabama, Florida, Louisiana, Mississippi, Pennsylvania, South Carolina and now Tennessee.

Norcross, Ga. 30071 www.accuagency.com

AccuAgency writes in Alabama, Florida, Georgia, Louisiana, Mississippi, Pennsylvania, South Carolina and Tennessee.

Senior executives Bob Capps, CEO Gordon Ragan, president Roger Walker, vice president

History Bob Capps founded AccuAgency in 1986 as a comparative rater for auto insurance in Georgia. What started as a one-person, one-product company has grown steadily and organically over the years. The comparative rater

In addition to our comparative rater, AccuAgency has a suite of products that can support all of the needs of an independent agency. These products include a web-based agency management system, which includes ACORD forms, document management and carrier downloads. AccuAgency creates and maintains independent insurance agency websites and provides web-marketing services to increase an agency’s online reach.

Philosophy AccuAgency’s philosophy is: “We are in the business of supporting our agents and their technology needs. From finding new ways to attract clients to making their quoting, selling and servicing more efficient. From day one, our company has focused on customer service. We have great products, but it is the personal, professional service that has kept us in business for over 30 years. While companies eliminate their outside marketing representative positions, we have representatives in many of our states. “With hundreds of years of combined insurance industry experience in top positions, we strive to offer customers the best service and the best value in the insurance industry.”

PIA of Tennessee and AccuAgency proud partners for independent agents

www.pia.org

platinum partner profile

Capital Premium Financing Inc. 12235 South 800 East

Trust & Respect. We are keenly aware that trust is a critical asset that can only be built and maintained by our conduct as individuals and as a company. We appreciate and highly value each other as individuals and we are firmly committed to treat all people (both inside and outside our company) with dignity and respect.

Draper, Utah 84020 www.capitalpremium.net

Communication. We communicate with others in open, direct and constructive ways. We strive to listen with understanding, we encourage and value problem-solving feedback, and we exert our best efforts to communicate in such a way that positive energy and goodwill are the result.

Senior executives Matt Libutti, national sales manager

Accountability. We are open and honest about our weaknesses and mistakes and we highly value the process of recognition and improvement.

Todd Hassell, territory director

Tennessee staff

Competitiveness. We are passionate about what we do, we radiate enthusiasm and confidence in all of our dealings and we honestly believe that we are the very best in our industry.

Joe Clayton, regional manager (423) 618-0094 jclayton@capitalpremium.net

History Capital Premium Financing Inc. was founded in 1988 as a specialty lender that provides financing for certain types of insurance premiums paid by commercial enterprises, and is made up of a highly qualified team of professional financial managers comprising combined commercial banking, investment portfolio management and financial institution regulatory experience of over 150 years.

Philosophy Capital Premium Financing Inc.â&#x20AC;&#x2122;s core values and guiding principles, include the following: Honesty & Integrity. We always strive to do â&#x20AC;&#x153;The Right Thing.â&#x20AC;? We are truthful and accurate in all of our dealings, both internally and externally.

Hard Work & Discipline. We have a bias for action, we look for ways to help without being asked and we individually take the initiative to find ways to support and improve the company. Compliance. We strictly comply with all laws, regulations and contractual obligations that pertain to our company. Fairness & Kindness. We are kind and considerate to all individuals and actively seek to understand the perspectives and needs of others. Excellence & Professionalism. We are committed to being professional, polished and organized in the way that we conduct our business. We are a learning organization that is committed to maintaining excellence through the process of constant improvement.

PIA of Tennessee and Capital Premium Financing Inc. proud partners for independent agents

Professional Insurance Agents magazine

Prevent ransomware attacks in your agency It’s no secret that ransomware has become a top concern for companies and organizations of every size, with cybersecurity firm Symantec reporting a 36 percent increase in ransomware infections in 2016. Indeed, with the well-publicized WannaCry and Petya cyberattacks crippling health systems, pharmaceutical companies, financial institutions, and other multinational firms, the trend shows no signs of stopping. Simply explained, ransomware is a type of malware that, when downloaded or executed, encrypts the victim’s files and renders the system unusable until a ransom is paid. The amount demanded can vary greatly from a few hundred dollars to tens of thousands of dollars, with the attack motivations usually being either financial or political. One growing fear is the rise of “ransomwareas-a-service,” which gives wannabe hackers—without any technical or coding knowledge—the tools needed to perpetrate an attack. Once a single computer is infected, most variants of the malware have the ability to spread across a corporate network quickly. Without access to critical files or the ability to use essential applications, business can grind to a complete halt.

What steps can our agency take? Understanding that ransomware is a growing and ever-evolving threat, a riskmitigation strategy should incorporate both preventative measures and incident response planning. From a technology standpoint, agencies should ensure that they are running supported versions of applications and operating systems and maintaining a regular schedule for applying updates on all servers and user workstations. These updates are critical for patching many of the vulnerabilities that can be exploited by ransomware and other malicious code. Antivirus software—with regular signature updates—is also an important line of defense in detecting known malware variants. From a risk-mitigation and disaster-recovery standpoint, having a process for regularly backing up critical data can make a big difference in minimizing business disruption. Whether backups are cloud-based or stored on external drives or media, it is important that the chosen method contemplates the unique needs of the agency and fits in with the overall business continuity plan. Internal IT departments or outsourced managed service providers can assist in recommending backup technology and procedures for a variety of cyber incidents, including ransomware. Regardless of the method, backuprecovery processes should be tested periodically to verify functionality and data integrity.

www.pia.org

Perhaps the most important and unpredictable component of any cybersecurity program is the human element. While some types of ransomware—including the wellpublicized WannaCry worm—can directly target unpatched (and therefore vulnerable) systems, many are propagated via email, with users unwittingly downloading and executing the virus. Phishing emails, which are designed to trick the recipient into opening an attachment or clicking a malicious link, have become increasingly sophisticated and targeted in recent years, making it difficult for even the savviest users to discern what is legitimate. Employee training and education is therefore one of the best investments a company can make in thwarting cyberattacks.

connect

evan fenaroli Product manager, Philadelphia Insurance Cos.

Respond to ransomware While it is certainly possible to respond to a ransomware incident without insurance, some of the benefits of purchasing cyberliability coverage are the “built-in” services, experience, and vendor relationships offered through the carrier. When an incident strikes, it is therefore crucial to notify the carrier as soon as possible—as with any cyberincident, early detection and notification can help contain the 0

problem and mitigate its impact on the business. In most cases, it will be necessary to bring in third-party forensic experts to determine the type of ransomware and prevent it from further spreading throughout the network. Data and privacy attorneys also may be engaged to help preserve evidence and determine the insured’s obligations under any state or federal breach notification statutes.

Agency E&O

Unless the particular variant of ransomware is well known and a publicly available decryption key already has been developed, the forensic team— in coordination with the carrier, agency management and the agency’s IT department—must determine another way to restore the data. The best option is usually to restore the encrypted files from backups, although success will largely depend on the original backup method and the integrity and accessibility of those files. Even when backups do exist, it may take days or weeks to fully restore the system (which is why a properly designed and tested backup and recovery procedure is so important in the first place). If backups do not exist, the options are to either manually recreate critical files or consider paying the demanded ransom. While the FBI and law enforcement generally do not recommend paying extortion monies to the criminals perpetrating the attacks, this can sometimes be the most efficient route to restoring business operations. Given their experience in handling a variety of these incidents, insurance carriers and their forensic partners can provide qualified recommendations based on the particulars of the situation and even assist in obtaining the cryptocurrency (e.g., Bitcoin, ether) that often is required as payment. However, it is important to remember that once the ransom is paid, there is no guarantee that the hackers will turn over a decryption key or that the decryption key will work. The costs incurred in restoring the data from scratch, along with lost productivity and sales, can be significant.

has a market for your agency and specific risk

Knowing the extent to which ransomware can affect an agency’s operations highlights the importance of both risk management and comprehensive insurance. When selecting a cyberinsurance policy, businesses must ensure that the policy not only covers extortion payments, but also forensic costs, data restoration expenses, legal fees and business interruption. More than just a financial backstop, cyberinsurance can provide a coordinated team of professionals to navigate a ransomware incident or extortion demand expertly.

112370 715

Fenaroli is a product manager with Philadelphia Insurance Cos.

EffortlEss marketing

Build relationships and round your business with consumer newsletters and e-newsletters from PIA. We do all the work: writing, design and distribution. • Written by industry experts • Easy and cost-effective • Print or online options • Customized to fit your agency’s brand and existing marketing efforts • Establish your agency as the authoritative, local source for insurance

(800) 424-4244 • creativeservices@pia.org

Professional Insurance Agents magazine

Contact Kristopher Fisher 800-875-7428

risks

yigal behar President/CEO, 2Secure Corp.

Workers will sell passwords for next to nothing A cyberattack could cost an organization millions of dollars, but employees have been known to give outsiders access to sensitive information via their login credentials for as little as $100. According to a survey conducted by SailPoint Market Pulse, 20 percent of employees claimed they would sell their work login credentials to an outsider for $100. This report issued recently by SailPoint, a security firm that specializes in identity platforms, has detailed that a high number of U.S. and European employees would be willing to sell their login credentials to someone for as little as $100. The study focused on employees in the U.S., Germany, U.K., France, the Netherlands and Australia.

The threat The SailPoint statistics reveal that many of the employees surveyed don’t understand the potential ramifications to their company if a data breach should occur, and many of them did not believe that a data breach would burden their company financially. However, security experts and most company managers are aware that the cost to companies that suffer any kind of data breach could potentially be millions of dollars.

For Dwelling and Mobile Home Insurance, put your trust in a company that has been insuring homes for over 50 years.

20 %

CO NEW M BU M SI IS NE SI SS O N

Our Products: • Dwelling Fire/Mobile Home • Comprehensive Mobile Homeowner’s • Limited Homeowner’s

Can Provide You With: • • • • • •

20% New & 15% Renewal Commission AAIS Policy Forms Direct Contract with National Security Partnership Profit Sharing Fast Online Policy Issuance Easy Payment Options

National Security has provided competitive, affordable insurance to policyholders for over 50 years, but we also provide a lot for our agents, with competitive commissions, excellent customer service and experienced company adjusters. As an admitted Southeastern based regional company, National Security prides itself on fast, efficient service from a friendly small town company, and online access for all agents, providing fast quotes, online policy issuance, online dec page printing, and real-time policy information. Find out more by calling Sharon at 1-800-239-2358 x213 or visit nationalsecuritygroup.com.

www.pia.org

Elba, Alabama

When you factor in the cost of possibly paying a ransom; repairing the security breach; loss of revenue because of downtime; and loss of customer base because of damage done to the company’s reputation— the total price tag can be enormous. In fact, the ultimate consequence of a costly data breach might force a company out of business. From this, it is clear that the “insider threat” is something a company cannot afford to ignore. Further, because of the statistical prevalence of such occurrences, they really need to be paid much greater attention.

Statistics In the survey of a 1,000 employees in six countries, one-in-five employees said they would sell their account credentials. Some 44 percent of those who responded to the survey would sell their credentials for less than $1,000. The study also discovered that 65 percent of the employees use a single password among all applications across the organization and one-in-three workers will share their credentials among their colleagues.

What to do There are a few things you can do in your agency to lessen the likelihood of an employee compromising your agency’s cybersecurity to a third party: Employee education. The most significant step that a company can take to avoid the threat of an insider facilitating a data breach is to conduct a vigorous employee education program. This program should stress to employees that

Your association is also your own private ad agency. Logos Branding Graphic design Newsletters Printing on site Mailing services Consumer pieces Trade-show displays Member discounts! (800) 424-4244 • creativeservices@pia.org 1

Professional Insurance Agents magazine

there is a strong connection between corporate accounts and employee accounts, and both need to be managed carefully. This means every employee should use different passwords for all their accounts. Another part of employee education is to stress the awareness factor, of how their actions may affect the company. Make sure they understand the severe consequences that might arise from giving out secure company information. Two-factor authentication. To help lessen the chance that passwords will be shared outside your agency or sold to a third party, use a two-factor authentication solution. Accountability. Everyone in the agency is accountable for the security of the information to which they have access. Make sure they are aware of the repercussions if they prove to be a weak link in your agency’s cybersecurity. You can send out test “phishing” emails to see if all your employees understand the importance of ignoring these emails. Behar is president/CEO of 2Secure, which offers cybersecurity services, managed defense, discover and remediation, cybersecurity assessments and cybersecurity education and training. Reach him at (646) 755-3933 or cyber@2secure.biz. You can download his book Digital War–The One Cybersecurity Strategy You Need to Implement Now to Secure Your Business for free at http://www.2secure.biz/. The book also is available on Amazon in paperback or Kindle versions.

Independent agents throughout your area Count on EMC ® for a number of reasons: • 100-plus years of commercial lines experience • Expert loss control services • Responsive service delivered by a fully-staffed branch office Let us show you how EMC Insurance Companies can work for you. SANDI DIXON, CPCU, AU, AINS Commercial Lines Underwriting Manager EMC Birmingham Branch

WE’RE READY TO HELP YOU

WIN MORE BUSINESS.

BIRMINGHAM BRANCH OFFICE Phone: 800-239-2005 | Corporate Office: Des Moines, IA

Professional Insurance Agents magazine

ADAM STERN Founder and CEO, Infinitely Virtual

Burying your head is not a plan Trends in cybersecurity

orewarned is forearmed. Ah, if only that applied to hacking. After all, if you’re not warned, it’s tough to take up arms. A recent survey conducted by a national carrier found that of 1,000 business owners nearly half (45 percent) of those who experienced phishing, hacking or other forms of cyberattacks had no idea they had been victimized.1 As reported in Becker’s Hospital Review, 57 percent of respondents said they didn’t have staff dedicated to monitoring cyberattacks; 37 percent cited cost as an issue while 34 percent didn’t anticipate being targeted by an attack in any case.

www.pia.org

Of course, those responsible for cyberassaults typically do not send around an advance team, heralding the arrival of a hack or a Distributed Denial of Service attack. The element of surprise is kind of the point. Insurance agencies are inherently vulnerable to data (and therefore identity) theft, given the volume of personally identifiable information upon which the industry depends. PII can walk out the door in any number of ways—some innocent, others malign. Employees may inadvertently mishandle information while accessing a public network off-site or by opening an email from an unknown source. Clicking or replying can mean giving away the keys to the kingdom. Bad intent ranges from programmatic brute force hacks to more genteel (but just as pernicious) social hacking—seemingly innocent email and even phone solicitations that get the job done more discreetly. Insurance agencies need to determine role-based access to data (i.e., who gets access to what, and when) in their organizations. They also need to determine what to encrypt and when to do it. They also need to create technical and policy/procedural measures that demand codifying, testing and periodic retesting.

The cloud Overkill? Not these days. It’s a tough world out there, and getting tougher. In May, the ransomware worm WannaCry fueled a massive attack that paralyzed some 300,000 computers in 150 countries, disabling systems at public hospitals throughout the U.K. along with those connected to Telefonica, the Spanish telecom provider, among other victims. WannaCry wreaked havoc— but, tellingly, not at the public cloud providers like Microsoft Azure, Amazon’s AWS, IBM and Rackspace. Nor the smartly managed midsize public cloud providers, either. In this turn of events is a counterintuitive lesson about what was indeed a major hack. The experience of public cloud providers should put to rest the notion

Online Education

• Pre-Licensing • Training and Education for the New Employee • Continuing Education from CEU.com

www.piatn.com/education Education at your convenience

www.piatn.com/education For more information, call Pam Cass, CPIA, at 800-875-7428

Professional Insurance Agents magazine

that the cloud isn’t safe. WannaCry makes a compelling argument that the cloud is the safest place to be in a cyberattack. Internal IT departments, fixated on their own in-house mixology, were affected greatly, raising the legitimate question of why some roll-your-own insurance agencies and other organizations devote precious resources—including, with WannaCry, Bitcoins—to those departments in the belief that the cloud is a snakepit.

Ransomware A short time after WannaCry, a new strain of ransomware—a Petyaesque variant known as Petya/ NotPetya—swiftly spread across the globe, affecting tens of thousands of computers. More powerful, professional and dangerous than that earlier attack, the Petya-esque ransomware uses the same EternalBlue exploit to target vulnerabilities in Microsoft’s operating system. However, unlike WannaCry, this ransomware instructs the user to reboot the computer and then locks up the entire system. But, the takeaway needs to be that users aren’t defenseless, even in the wake of a nefarious perpetrator like Petya/NotPetya. The best antidote is patch management. It’s a sound practice to keep your systems and servers updated with patches— it’s the shortest path to peace of mind. Indeed, “patch management consciousness” needs to be part of an overarching mantra: Security is a process, not an event—a mindset, not a matter of checking boxes and moving on to the next step. Vigilance should be everyone’s default mode. Spam is no one’s friend; be wary of emails from unknown sources, which means not opening them. Every small- and mid-size business

wins by placing emphasis on security protections, with technologies like clustered firewalls and intrusion prevention/detection software.

educated user—someone sufficiently cognizant of threats who thinks before executing a link or downloading an attachment: a user, in other words, attuned to the real and present danger inherent in viruses and malware, and who acts accordingly.

In the cloud’s infancy, cloud-hosting providers touted scalability, initial cost savings and speed. However, the prospect of enhanced security in the cloud—indeed, that the better cloud deployments now mean that data is safer in the cloud than on a typical unsecured desktop—has altered the conversation. Organizations assessing cloud-service providers can now seek out those whose security controls mitigate the risks of moving to the cloud. Increasingly, businesses of all stripes are facing the challenge of dealing with outdated modes of storage and finding affordable, practical, secure solutions that meet their needs.

Third line of defense: The third line is comprised of patch management and locally installed anti-virus and anti-malware software, working together to effectively block attacks. Proper implementation of third-line defense means fewer bugs and optimized performance.

On the premise that the best defense is understanding the real nature of the offense or offenses (since cybersecurity addresses a multifront battleground), it’s useful to think in terms of concentric circles—broad steps your agency can take to maximize your safety. It also may help you match your level of protection to the class of threat your agency faces. Users need to be familiar with online threats and at least somewhat conversant with tools to arrest them; no single system can circumvent vulnerabilities that haven’t been patched. Still, there are things that you can and should do to maximize your safety, which include: First line of defense: The first line should be a firewall supported by intrusion detection and prevention technology, along with anti-virus and anti-malware software, which is limited to blocking items downloaded over unencrypted protocols. Second line of defense: The second line centers around the trained,

Fourth line of defense: In the event that malware or ransomware hits the system, things can proceed without a hiccup—assuming the organization was savvy enough to install application-consistent snapshot technology, a rollback process that takes just minutes and restores the server to its exact state prior to the attack. Remember: The human element remains the most important social engineering piece of this construct. It’s always best to stop a problem early, before it festers and productivity suffers; think smoke detectors versus sprinkler systems. The point is to make yourself as safe as you possibly can be. Yes, you can bring your own software and, yes, you may well be safe, perhaps safer than you think. However, to be safer still, you need to do these things; you need to internalize the four lines of defense. That’s how you determine precisely what “safe” means in your environment.

DDoS What technology threatens (and sometimes manages) to take away it also can restore. Consider massive volumetric DDoS—a silent killer that says, “Pay me or I’ll shut everything down.” There’s no question that massive volumetric attacks are something new and especially troubling, and no single firewall can stop them. However, a new model for real-time DDoS mitigation has emerged, in the form of technology that automatically analyzes suspected DDoS activity and deploys routing commands to ensure that immediate action is taken when legitimate DDoS attacks are detected—all without any human intervention.

The takeaway Your professional, independent insurance agency—that is, your data—is considerably safer in the cloud than parked on equipment under someone’s desk. Any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/antimalware deployment, multiple firewalls, intrusion prevention and round-theclock monitoring. These measures (and counter-measures) represent a trend that affirms that users still have a high degree of control—if they have the wherewithal to claim it. Stern is founder and CEO of Infinitely Virtual, which is based in Los Angeles and offers products and services based on virtual dedicated server and cloud computing technologies (infinitelyvirtual.com or @IV_CloudHosting). 1

Nationwide Insurance, New Business Preparedness Survey, August 2017

www.pia.org

he to

Entrepreneurial, Not Bureaucratic Niche Workers’ Compensation and Commercial Line Coverages for Main Street America Get started with an agency appointment application at amtrustappointments.com/Tenn1.

A.M. BEST RATING OF “A” (EXCELLENT), FSC “XV”

robert zimmer Vice president, Strategy and Business Development, GamaSec

Guard against digital theft Clients want cyberdefense and financial protection

Small- and mid-size businesses have become acutely aware of the importance of protecting their businesses and their data from cybercriminals. For these businesses, the need to strategically protect their digital assets has become just as, if not more, important as their other needs that are typically addressed through their insurance agents.

of mind as well as cyberprotection—an essential need for many businesses, especially if they rely on their online presence to sell or market products and/or services. In today’s internet-based world, there is so much at stake— customer information, intellectual property, brand loyalty and the hard-earned good reputation, that go far beyond their bottom line.

It’s clear that several arms within the federal government as well as many state governments are increasing their focus on small- and mid-size business security, noting that small businesses are the heart of the country’s economy, yet they often are incapable of protecting themselves from cyberattacks, let alone recovering from one. Small businesses are struggling to leverage technology to reduce their cyberrisk and transfer the residual risk to a third party via cyberinsurance.

Agencies can strengthen their value proposition to existing clients and open doors to many new businesses by offering cyberinsurance and cybersecurity services to reduce their clients’ cyberrisk. Small- and mid-size businesses need enterprise-class solutions that are built and priced for them. They don’t see many viable solutions and they naturally lean toward the trusted vendors they’ve worked with in the past. There is a big opportunity for IT solution providers to include financial protection, and at the same time, there is an opportunity for insurance agents to offer cyberinsurance with cybersecurity services to manage cyberrisk better. Both solution approaches are required because they address different customer segments.

With today’s constant borage of news headlines and seemingly unlimited information available with the click of a button, business owners learn about potential cyberthreats, but the steps to take to mitigate or prevent an actual data breach still are unclear for many business owners and their IT staff. Small- and mid-size businesses are demanding robust solutions to deliver financial peace

As businesses continue their transformation to a digital business, they’re now more aware of their need to manage

www.pia.org

risk and shore up the resilience of their business. Your agency can help fill this void in supply to address the ever-growing demand.

How agents can help Professional, independent insurance agencies that realize the need for speed can ride this wave of growth. Existing and prospective customers will see the benefits, although agencies need to present the correct combination of easy-to-understand, effective solutions—after all, it’s a brand-new concept to purchase financial protection alongside cybersecurity. It is important to offer a robust policy with proven cybersecurity technology and services at an affordable price. Now is the time to marry cyberinsurance with cybersecurity technology and services. The market needs strategic partnerships between insurers, agencies and the technology side of cybersecurity—just as small- and mid-size businesses struggle to acquire solutions that simultaneously meet their business and IT requirements. Small-business owners need strong guidance from their agents. In fact, the integration of cyberinsurance with technology can simplify the entire process—from application to claims, as the technology and services end of the deal helps to show insurability as well as what happened following a cyberattack. Agencies can play a primary role in this transforming market that aims to bring the two industries together to meet critical small- and mid-size business needs before, during and after cyberattacks.

Professional Insurance Agents magazine

Agencies should consider the following guidance to strengthen their ability to capture this largegrowth opportunity with their clients: During an attack: The need for risk prevention. A business’s ability to limit risk is directly associated with its ability to proactively find its cyber weak spots. Doing so by firing a series of test attacks against the company is both an effective and enlightening process—further illustrating the need for protection. Additionally, businesses are not experts at purchasing hardware or maintaining software. They usually don’t have the time or desire to be experts. Instead, they demand cloud-based security that’s managed on their behalf, offering advanced protections from a wide variety of the latest threats—all automatically,

without any initial intervention from the owner or his team. During an attack: Lower the risk of cybercriminal attacks. To prevent potentially catastrophic damage to businesses, your customers need security services with strong capabilities to prevent a wide variety of adversaries, some of which are persistent, patient and well-funded. They attack your customers in many ways, such as through Distributed Denial of Service attacks that cannot be blocked by normal antivirus or anti-malware solutions. Once compromised by a DDoS attack, a company may be blacklisted or banned by web-hosting services because of the abnormal traffic. After an attack: Help keep the doors open. The impact of financial loss experienced by a business owner in the aftermath of a data breach is

never an easy situation with which to deal. Their private customer data can fall into the wrong handsâ&#x20AC;&#x201D;and unhappy customers can walk away forever. Itâ&#x20AC;&#x2122;s not only embarrassing, but also a potential door closer. Unfortunately, many businesses across most industries already have experienced this, or will in the near term. The immediate money required to allow businesses to move forward right after a loss can be an overwhelming burden. The marriage of cyberinsurance and cybersecurity technology and services will enable your customers to quickly get back on their feet following a cyberattack and significantly increase the resiliency of their businesses. To meet the critical needs of the business, we need to transform the claims process so that it doesnâ&#x20AC;&#x2122;t take business owners forever to get their money, if at all. Managing each cyberattack and its associated claim with speed and efficiency is essential to the overall survival of the business. Embedding cybersecurity technology and services into the claims process actually reduces the time between claim submission and payment. Educating agents is a critical success factor to driving your growth with smalland mid-size businesses. Cybersecurity companies need to educate agents and develop enablement programs so they know how to address the obvious pain points that small- and mid-sized businesses face each day. Agents need to seek out or establish strategic partnerships with cybersecurity companies and technology leaders that offer this knowledge. With this daily concern facing all

www.pia.org

businesses, there is little stopping a well-equipped team once those involved “know their stuff.”

Show your true colors

Small- and mid-size businesses cyberattacks are growing at an alarming pace— and have gained significant attention in the media, which usually only reports on the big firms that have name recognition. Imagine how many untold smalland mid-size businesses face the same cyberthreats, but never gain the press that larger companies receive. There is little doubt that small- and mid-size businesses owners are starting to understand the importance of creating and maintaining a strong cybersecurity enforcement program. The attacks are common. Becoming a victim is something you can help prevent. In fact, your agency can help to develop this combination of technology and insurance that businesses will highly appreciate year after year. Zimmer is vice president of strategy and business development at GamaSec (gamasec.com), a global provider of website security solutions for small- and mid-sized businesses. The company offers a unique combination of cloud-based website vulnerability identification, remediation-as-service, web-attack prevention as well as a Data Breach Limited Warranty. Reach him at robert@ gamasec.com.

Enhance your ad with the impact of color. Reach our sales representative at (800) 875-7428. .

Get to know M. J. Kelly, managing general agents and surplus lines brokers. We offer a national company’s purchasing power and a neighbor’s personal attention. When you partner with us, you get specialists with industry knowledge, superior products, easy applications, and personal service. We’re ready to write your risks. Whether it’s special events, cyber liability, or artisan contractors, M. J. Kelly is here to help you write business. Our success is yours. Get to know M. J. Kelly Company.

M. J. Kelly Company-Arkansas 800.873.8374 www.mjkelly.com

Ask about M. J. Kelly Company Premium Payment Plan. 2

Professional Insurance Agents magazine

The financial impact of a data breach Insurance agents and brokers should be on high alert to protect client data from a cyberattack. IT security professionals, the Internal Revenue Service and media frequently disseminate warnings on new phishing schemes, ransomware and other methods that hackers use to break into systems to steal data. And, for a good reason: Cybercrime is increasing and businesses must be proactive to protect their data. Insurance agencies that are victims of a data breach can face financial, legal and other consequences if sensitive personal and financial information is stolen on their clients. Cybersecurity needs to be taken seriously because: • The law requires insurance agents, brokers, accountants and other professionals to protect sensitive client data. • Clients expect you to safeguard information they entrusted you with to do your job. • Your agency’s reputation and goodwill could be compromised if there is a data breach. • The cost of a data breach is high. • Even one successful attack can put you out of business.

Cost of a data breach is escalating According to a report published by IBM Security and the Ponemon Institute (2017 Cost of Data Breach Security: United States), the average total cost experienced by organizations over the past year increased 5 percent from $7.01 million to $7.36 million. The per capita cost of a data breach is based on the number of records compromised. So, the more records that are stolen, the higher the loss. It cost companies with more than 50,000 compromised records $10.3 million, compared to $4.5 million for 10,000 or less stolen records. The average cost of a data breach across all industry sectors is $225 per capita. This number includes both direct costs of $79 to resolve the data breach for investments in technology or legal fees, as well as indirect costs of $146, which includes higher client turnover (churn) than in the normal course of business. The cost of a data breach in the financial services industry is more at $336 per compromised record. The financial services industry has the highest churn rate at 7.1 percent compared to 5.5 percent in health care and 1.9 percent in retail.

www.pia.org

Across all industry sectors, customer turnover increased by 5 percent after a data breach. In addition to the cost of the data breach, companies lost $4.03 million in 2016 due to client attrition, reputation losses, diminished goodwill and increased new business development and marketing expenses.

Cyber

jeanmarie f. moore, cpa & scott schindlewolf Klatzkin & Co. LLP

Factors that affect the cost of a data breach Many factors affect the cost of a data breach. Compliance failures increased the per capita cost by more than $19 and the migration to the cloud, lost or stolen devices, thirdparty errors, and notifying internal and external stakeholders of the attack by $10. Companies can reduce the cost of a data breach loss by an average of $9 per capita by being proactive. This includes: having a response plan; training employees on how to recognize phishing schemes and ransomware threats; putting policies and procedures in place on the use of personal computers, mobile devices and public internet access; securing passwords; encrypting data; and investing in data loss-prevention technology.

Malicious attacks are common More than half (52 percent) of the companies that participated in the previously mentioned study experienced a malicious or criminal attack at a per capita cost of $244, which is above the average of $225. Data breaches due to employee negligence or computer glitches, including IT and business process failure are less common (both 24 percent) and less costly ($209 and $200 per capita, respectively).

How to protect your agency Cybercrime is not going away. Hackers are finding innovative ways to launch cyberattacks and no one is immune. Therefore, it is in your best interest to be diligent about protecting your data. Here are some recommendations: • Audit your IT security and data protection practices annually. • Engage an expert in the field for the audit. • Back up your files on a regular basis. • Train employees on cybersecurity. • Ensure that employees are aware of new threats by cybercriminals. • Enforce security policies and procedures to make employees accountable. • Never allow employees to leave computers on when they are not in the office. • Have computers go in sleep mode after a period of inactivity and require a password to sign back on. • Don’t allow employees to access client data on their personal computers or mobile devices. • Prohibit employees from using public Wi-Fi to access the company server and data. • Make sure that your Wi-Fi network is secure with strong passwords and encryption protocols. • Consider “plugging in” instead of using wireless technology for certain computers, printers and scanners.

PIATN

For all your insurance needs www.piatn.com • (615) 771-1177

Professional Insurance Agents magazine

• Have a secure portal for clients to send you and access their data. • Avoid sending or accepting sensitive client data via email. • Password-protect and encrypt client documents. • Implement two-factor authentication for additional login protection. • Consider using fingerprint, eye scans and other biometric ID checks. • Ensure your website is secure and communications protocol is HTTPS compliant.

One final note If you receive a suspicious email, do not open an attachment or click on a link. Ransomware can hijack your data and cybercriminals may demand that you pay to get it back. According to the FBI, attackers collected more than $209 million in ransom during the first three months of 2016. Security experts warn against paying the ransom because stolen data usually is not returned. The best protection against ransomware is to back up data daily, keep operating systems and software up to date on all devices, invest in email, mobile and social-media security solutions and train employees. Moore is a certified public accountant and partner with Klatzkin & Co. LLP, and has more than 30 years of experience in the field of accounting. She is the firm’s technology partner and holds the designation of Certified Information Technology Professional. Reach her at jmoore@klatzkin.com. Schindewolf is Klatzkin’s IT manager. He oversees and manages the firm’s IT infrastructure. Reach him at sschindewolf@klatzkin.com.

Customer accountability Do you ask yourself, “Why is it always our fault when a customer has a loss that is not covered? The insured knew that he or she didn’t have that coverage.” This is one of the bigger frustrations among insurance agencies, making it an appropriate errors-and-omissions objective on which to focus. An agency would be hard-pressed to hold customers accountable without a well-documented file. When an E&O claim happens, the E&O carrier will look to secure the actual file in question, whether it is paper or electronic, to review what is in it. This file also will be available to the plaintiff’s attorney. Solid documentation will make the E&O carrier’s job much easier, assuming it is prompt, accurate and professional. A file with sketchy documentation could prove to be a challenge in an E&O matter.

Memorialize in writing Twenty-five years ago, when a client would call with a question or a decision about a coverage option, the agency standard procedure was to document that discussion in the agency file. Today, that is not enough. While these discussions should be documented in the system, they should also be memorialized back to the client in a written format (e.g., by email or letter). Without some form of documentation to confirm or memorialize the discussion to the customer, it will be the agency’s word versus the client’s word if an uninsured loss occurs. You might be surprised about what a client will say in such instances. The goal is to address any potential misunderstandings between what the customer told you or thought he or she told you and what you heard. Simply documenting the conversation in the agency management system does not help to identify a misunderstanding. Documentation to the customer should occur in a variety of circumstances. Here are some examples: • The client was given a proposal, but does not say “yes” to all the proposed coverages. There should be clear documentation on which coverages were purchased. Wording can be as simple as, “At this time, the following coverages have not been bound …” followed by the list.

signature on a document. In virtually all legal jurisdictions, customers will be held responsible for the accuracy of the information in applications if they signed them. Be sure to have clients review applications before asking them to sign them. • The agency provides a quality proposal to the client. This should include: ïï 1. a variety of limit options; ïï 2. definitions of key insurance terms; ïï 3. specimen policies to allow your client to read the actual forms of his or her insurance coverage; and ïï 4. a list of other coverages for the client to consider. Since it is not possible to list all coverages, the disclaimer should state, “Coverages include, but are not limited to, the following …” • Interaction with customers involving key information.

An added benefit

• The client asks about how coverage would apply, such as “Mom and Dad are now in a nursing home and the house is vacant. What do I need to know?” The answers to such questions must be accurate and documented.

Make “enhancing customer accountability” one of your agency’s goals. In addition to better protecting your agency from E&O claims, you may find your agency writing more business as well.

• The client has signed the completed application. The best type of documentation involves something with the insured’s signature on it. Holding a customer accountable is enhanced when an agency can get a client’s

Pearsall is president of Pearsall Associates Inc. and special consultant to the Utica National E&O Program.

www.pia.org

E&O

Curtis m. pearsall, cpcu, CPIA President, Pearsall Associates Inc.

Doing The Right Thing Since 1964 Standing Tall

Mark Maucere, Andy Roe, Jim Roe, Chad Trainor, Janet Phillips and Jim Eades

Ready to stand out? We’ll stand with you. To keep your agency relevant, you need the right products, partners and people. Our team of dedicated and responsive professionals can help you fill the gaps in your insurance offerings, providing more unique opportunities for you to meet the needs of your clients. The more you get to know us, the more you’ll see the possibilities.

Let us help you find the right solutions. ®

2017 Partners

from the people stronger

who

customer satisfaction

know.

stronger

coverage

stronger

loss control

stronger

defense

TENNESSEE

Continuous E&O protection since 1966.

504 Autumn Springs Court Suite A-3 • Franklin, TN 37067 Phone: 615-771-1177 • Fax: 615-771-3456 Contact: Kristopher Fisher, kfisher@piatn.com Visit: www.piatn.com