You may be an expert in risk mitigation and offering insurance coverage for your clients, but is your agency failing to handle its own risk for one of the fastest-growing business threats?

This year, cyberattacks reached historic levels with 1 in 3 organizations experiencing more cyberattacks than last year, according to a study by ISACA. And with Colonial Pipeline, Kaseya and CNA proving that no one is too big to fail when under attack, it's essential, and in several states legally required, that independent insurance agencies deal with the threat. 

“Every business—and every agency—should have a cyber liability policy," says George Robertson, owner of Rockingham Insurance Agency in Eden, North Carolina, and former Big “I" Agents Council for Technology (ACT) committee member.

First and foremost, laws in several states require agencies to protect client information and have a written information security plan. “It's important that agencies understand the regulations and are working annually to review cybersecurity within their agencies—and make sure they have a cyber liability policy," he says. 

Robertson points to ACT's Cyber Security Guide 3.0, which contains regularly updated information that agencies should know to abide by the laws in their state.

One key area of cybersecurity that impacts agencies relates to personal identifying information (PII). “What we continue to see are issues where agents' credentials for their carriers have been stolen, and that bad actor is entering the carrier site and accessing the data," Robertson says. “That makes the agency responsible, could make the carrier responsible and puts a lot of people at risk."

“As a result, we're seeing carrier contracts include language that really specifies the agency has to keep this data secure and that there are certain criteria that agencies must meet," he adds. 

When seeking cyber liability insurance coverages, “you have to be very, very careful because the language can be different with different carriers," Robertson warns.

One area to watch is coverage of notification expenses, which vary according to state requirements and may range from $.50 to $5 per notice, according to Zurich Financial Services Group.

“A lot of agencies may think they only have 3,000 clients to contact in the event of a breach, but they may actually have 30,000 people in their database from quotes that don't get written," he says. “That data is still in your system—and if the data is stolen you must notify everyone in the database, whether or not they're a client. Make sure to multiply that out by the cost structure so you have enough within the policy limit to cover that."

Cleanup in the event of a breach gets expensive too. Robertson cites one instance where an agency “had one account with one name that was affected by a breach in one of their vendors. The attorney fees alone for that one account totaled to $5,000. That's just one record. If you have multiple records, with the forensics and investigations that occur in a breach you could be talking hundreds of thousands of dollars easily."

Ransomware is continuing to spike and “becoming one of the top attacks on businesses," Robertson says. “Make sure you are covered for it. And extortion is another big area, especially with penalties and fines that may come as a result."

Additionally, agencies should note the requirements of their cyber liability policy to “abide by certain levels of security measures—if you don't, the policy is probably not going to pay," he points out.

Robertson emphasizes the importance of education on the topic. “I think everybody should have to take a cyber liability course so that they understand the impact," he says.

AnneMarie McPherson is IA news editor.