Ted Richmond is an insurance broker and program manager specializing in cyber liability insurance at RGS. Formed as a family business in 2007, RGS has evolved into a provider of broad cyber liability programs for various verticals servicing small businesses. In 2018, the company became part of Acrisure. In this Q&A with Ullico, Richmond talks about how cyber attacks are constantly changing and what unions can do to protect themselves from liability.
Cyber security is a field that’s always changing from one day to the next. From your perspective, what are the most recent trends? What’s happening right now?
In the past two years, there was a drastic rise in ransomware attacks, specifically against smaller and medium-size insureds. Ironically, as criminals discovered that insureds have insurance, that elevated the risk and drove up the costs. When they discover organizations have cyber insurance, they’ll see what they can get from the carrier. In some cases, they’ll pull the policy up during negotiations. So instead of asking for $5,000 or $10,000, they’ll try to get $1 million.
In the past 18 months, we’ve also seen a shift from ransomware to funds transfer fraud as the focus of claims. We think unions should put controls in place to mitigate this risk.
What risks do unions face, specifically?
I wouldn’t say unions are more targeted than any general small business. There are your high-risk classes in small business, like real estate. But a union is no better or worse than some other targets. They have the same data. If they’re transferring funds, they’re still a target.
However, unions are sometimes a prime target because they have a lot of sensitive data on their members, and they can have a lot of members. The question is, just how much of it do they have? From a Personally Identifiable Information (PII) standpoint, they have the same data that a larger enterprise will have, but not as many records.
So, criminals have a decision to make. They think, “I can breach Experian and get millions of records or go after unions and small businesses and get the same information but not as many records all at once.” Ultimately, hackers may not get as many records, but unions are potentially easier targets.
When we talk about funds transfer fraud, unions and small businesses often don’t have proper controls in place. Things can slip through the cracks more easily than they do in larger entities. They don’t have the resources to work with the banks and get the stolen money back right away. That’s why it’s crucial that unions implement risk-mitigation controls.
Speaking of controls, what are some immediate actions unions can take to protect their data and avoid wire transfer fraud?
I don’t think most controls are that difficult or costly to implement. Some are free tools. For instance, if you use Gmail as your email platform, you can use multifactor authentication (MFA) to get into your account. It’s not that difficult to set these basic controls in place. By the way, to get insurance coverage, you must have certain controls, like MFA and data back-up procedures.
In addition to MFA and data back-up procedures, how else can unions lower the risk of a cyber attack?
Disperse their funds. We’ve seen companies put too much of their funds in a bank account instead of dispersing it. We had one case where an organization kept funds in their account until the end of the year and then dispersed them. Someone hit them at the right time. They got hit with wire fraud. They were unsuccessful in recovery because they didn’t catch it early enough.
If you wire money to someone, make sure they get it in a timely manner. If they didn’t get the money, don’t wait a week or two weeks to act. There is a solid recovery rate if you notify your financial institutions and the FBI within 24 hours. It drops off thereafter. If you notify the FBI within the first 24 to 48 hours, there’s a better chance you’ll recover the lost funds.
Also, it’s one thing to have the cyber security controls in place, but the best practice for funds transfer fraud is educating your staff. If you educate your staff on what to look for, they’ll know what to do. If something looks suspicious, they’ll know to escalate it to their supervisor.
Sometimes, union leaders see the cost of cyber security insurance, and it seems higher than they expected. What’s behind the cost of cyber insurance?
When union leaders see what they spend on other lines of coverage, to come in with a policy that’s thousands of dollars, it’s sticker shock. They’re still grappling with those premium dollars, but that’s where an agent can come in and find out what they need. I think cost is still the driving factor for people going without cyber liability insurance.
If you’re pursuing a complex policy, there are still some lengthy applications out there, but there are also applications that aren’t too burdensome, and the control requirements, which are necessary, aren’t that burdensome for insureds to put in place.
There’s always a policy that unions can afford. They can find it. If a union says, “We don’t want this policy due to the cost,” there’s always some affordable option that provides some level of coverage. Cost should not be a reason for not having a policy. Maybe it ends up not being the broadest policy or the highest limit, but there are various levels of coverage and prices. Spending something is better than nothing.
Tell us something about cyber security that union leaders may not know.
One thing unions may not know is that banks are not liable for their losses. If there are losses, and they happened because of something your organization did or didn’t do, it’s on you. Unions or small businesses think they have a means to recover funds from the institutions they work with, but that’s a big misconception. Sometimes you’ll see a financial institution work with a customer if there was a failure on their end, but that’s typically at the insured’s level.
So what happens if there’s a breach and they can’t recover the funds? What comes next for unions with cyber liability insurance?
The number one thing outside of getting relief in a claim is your getting all the tools necessary at your fingertips to deal with that event. When you have insurance, you only have to make one phone call. You don’t have to decide who to work with. Insurance companies have a panel of providers. They know who’s best to handle your type of incident. They know who to call if you have to pay a ransom. Insurance gives you an emergency hotline that has all the appropriate and necessary vendors to support your business.
For example, if you have a breach and your members’ information is taken, part of the response is credit monitoring. There is a statutory obligation to notify people and how to notify them. It varies by state law. Part of the policy is to help fulfill your obligations to state law and federal regulations. An insurance policy helps you to provide and respond to the affected individuals.
Without that help, you’re on your own. You not only have the financial loss, but you have to put a response together while running your organization’s day-to-day operations, and that is very, very difficult.
This interview was edited and condensed for clarity.