Cybercrime has evolved. There are preventions, but, unfortunately, there is no cure. Businesses are involuntarily involved in an arms race where cyberattacks keep coming—every 39 seconds, according to a study from the University of Maryland—new methods appear and disappear, and some of the defenses become moot the moment they become effective.

Remembering a new password every 90 days or shredding handwritten notes with sensitive information at the end of the workday is a thing of the past. No one is going through your trash anymore. Instead, they're trying all the unlocked digital doorways, windows and entry points you didn't even know existed to break into your business.

Independent agents grow their business by researching prospects, checking expiration dates, quoting and sending proposals. It's all part of a day's work. Well, guess what? Cybercriminals are doing exactly the same thing. They're testing your door handles, looking for low-hanging fruit to make a cool $812,360—the average ransomware payout in 2022, according to Sophos's “State of Ransomware 2022" report. Even worse is that in 2023, ransomware attacks increased by 37%, according to the “2023 ThreatLabz State of Ransomware Report" by Zscaler.

Last year, cybercrime was predicted to cost the world $9.5 trillion in 2024, according to Cybersecurity Ventures, and global cybercrime damage costs were expected to grow by 15% per year, reaching $10.5 trillion annually by 2025.

The profitability of these practices means that a cottage industry has emerged. They have offices. They buy and sell off-the-shelf hacking software. They're leveraging artificial intelligence (AI) to become faster and more effective. They're structured like any international enterprise, paying armies of hackers the market rate. Heck, some of these guys' total compensation packages could be higher than yours.

What is happening is illegal. There's no doubt about that. But unfortunately, small businesses are making sure of one thing for cybercriminals: Crime does pay. And by “small business," that means you.

Troublingly, while large enterprises have used their scale to engineer the controls they need to stave off cyberattacks, small businesses have been left behind and there are few simple solutions. According to Accenture's “2023 Cost of Cybercrime Study," 43% of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves.

We know that small business owners wear many hats. They're producers, hiring managers and more. Even front-of-house staff are forced to don several metaphorical hats—social media manager, community liaison and other default responsibilities. All this leaves cybersecurity on the to-do pile, frequently bumped down the list because XYZ Enterprises isn't happy with its premium and it's up for renewal in … checks policy … nine days? SMH.

Jay Fribourg, chief revenue officer and co-founder, and Shawn Mininger, chief technology officer, of BlueZone Cyber Solutions in Austin, Texas, are on the front line of this existential war, building an independent insurance agency that couples cybersecurity and insurance expertise. Wedging themselves between two markets, they are bringing a much-needed solution to the traditionally ignored small business segment.

While ignoring the risk is fatal, addressing it may not need to be so complicated. In fact, it involves concepts that independent agencies have had to explain to their clients on a regular basis: unpacking the nuances between risk acceptance, risk mitigation and risk transference.

With cyber risk, “what most small businesses do is risk acceptance," Mininger says. “They go, 'I don't know how to deal with it. It's too expensive. I'm just going to roll the dice and hope that no one notices me.' But we all know that doesn't work."

“Cybersecurity and insurance intersect with risk mitigation," he continues. “We know there's no way that we can stop everything. We can do all that we can, but there's still always going to be the possibility of a breach. That's where insurance comes in—risk transference."

While the tangible effects of a breach or compromise can be quantified in the same way that business continuity coverages are calculated, reputational risk can be catastrophic. The loss of trust with clients and staff members alike could result in an exodus of both, Mininger says.

Larger enterprises' needs have largely been met by managed security service providers. Some have built entire departments, others have enlisted the help of a separate major enterprise. However, it has taken a while for the market to catch up to the needs of small businesses.

“Originally, this created a do-it-yourself approach, which some businesses are still doing," Fribourg says. “They buy all these products, and they don't know how to properly install them, set up the configurations, or respond to the alerts and triage them. Businesses buy all these products and they're just sitting on the shelf. They haven't even installed them."

So, when tax season comes around, do independent agencies maintain a large tax accounting group? No. They hire a third-party consultant who makes sure they don't end up with a nasty surprise from the IRS. “The same thing is happening with managed services providers," Fribourg adds. “Small businesses realize that they don't have the capability to implement and manage their cybersecurity, so they hire someone who can."

Beyond the Headlines

The cybersecurity landscape in 2024 is expansive, stretching from the high-profile, headline-grabbing hacks to the minor and relatively more significant small business-busting breaches. As the world settles in to working from home and small and large businesses clamor to enhance their customer experience capabilities with technology, hackers are exploring the plethora of possibilities presented by the cyberverse.

Nearly 35,000 common vulnerabilities and exposures (CVEs) are expected to exist in 2024, which is a 25% increase in the rate of discovery compared to the first 10 months of 2023, according to Coalition's “Cyber Threat Index 2024." A CVE is a publicly known vulnerability in software. Once made public, companies encourage users to update their systems with a patch—which you do religiously, right?

The report also found scans from unique IP addresses looking for risky technologies, such as remote desktop protocol (RDP), increased by 59%. Further, businesses with RDP exposed to the internet are at the highest risk of falling victim to a ransomware event, according to Coalition.

While relevant, the news cycle about vulnerabilities can have misleading results, as illustrated by several CVEs that made a splash in 2023, either for their disruptive nature or other factors, according to Coalition's 2024 report, referring to them as “celebrity CVEs." Citrix, MoveIt and Exim top Coalition's list of high-profile vulnerabilities in software that, despite alerts advising users to patch their software, could not prevent attackers from executing widespread attacks leading to data compromise.

Headlines aside, Coalition's report determined that the most fitting “anti-celebrity" security concern of 2023 was self-hosted IT infrastructure. “This choice focuses on the reality that many organizations lack the resources and threat intelligence to prioritize patching their infrastructure in a timely manner, leading to a disproportionate risk of suffering an adverse cyber incident or a cyber insurance claim," the report said.

As independent agencies build their tech stacks, piecing together software from multiple vendors, they face a variety of vulnerabilities from unpatched software, the consequences of which will never make the headlines. Meanwhile, at the other end of the independent agency technological spectrum, legacy technology systems pose a threat too.

Unpatched or end-of-life (EOL) versions of databases are a prime target for threat actors. Coalition's scans found over 100,000 EOL Microsoft structured query language (SQL) servers, including over 10,000 running Microsoft SQL Server 2000. “We find it concerning that so many EOL and unpatched servers remain exposed to the internet because Coalition claims data showed that businesses using EOL software were three times more likely to experience a claim," the report said.

“Cybercrime and the cyber landscape is ever-changing. It's never static. Agencies really need to stay proactive in addressing evolving threats rather than getting caught up in specific attack methods that are making headlines, such as ransomware," says Shelley Ma, incident response lead at Coalition. “Adopting cyber best practices effectively is really important to navigate these dynamic threats rather than focusing narrowly on a particular attack type."

Coalition also recommended that companies consider a managed detection response service (MDR) as an advanced cybersecurity measure. MDR significantly reduces response times and safeguards businesses by detecting suspicious activity, revoking privileges and suspending machines, all of which are extremely time-sensitive tactics.

Coalition's positive experiences with MDR have led it to offer a premium incentive for policyholders who take the security approach. Coalition is the Big “I"-endorsed cyber insurance partner. Coverage for independent agencies and their clients can be accessed at bigimarkets.com. All policies include a technology-driven approach providing automated alerts, threat intelligence and ongoing policyholder monitoring, along with a dedicated claims and security team should a breach occur.

“In today's landscape, a set-it-and-forget-it approach to technology solutions falls short," Ma adds. “A proactive strategy, adherence to basic cyber best practices and the incorporation of MDR with human expertise form the most robust approach."

But That's Not All

Independent agents know how valuable their data is when it comes to growing their book. However, that data is even more valuable if it falls into the wrong hands. Health insurance information, Social Security numbers and credit information all pose an immediate risk to the owner and keeper of that data. Meanwhile, banking information, transaction histories and mothers' maiden names, as well as logins and passwords, can all be used in unsuspecting, spurious ways to maximize the impact and profitability of a hack.

Due to the nature of their operations, insurance agencies communicate sensitive information and make critical decisions over email. This makes them susceptible to phishing attacks, where threat actors deploy deceptive tactics to manipulate individuals into divulging sensitive information or initiating unauthorized wire transactions.

Further, sending attachments over email amplifies this risk. Malicious payloads can be concealed within seemingly innocuous files, and once the contents get onto the systems, they can compromise the entirety of the network. Once a bad actor gains access, if the data is not segregated or controlled under access permissions, hackers are literally laughing all the way to the bank—or Bitcoin wallet.

Additionally, independent agencies, with hundreds of clients and an average of 10 carrier appointments, according to the 2022 Agency Universe Study, create a myriad of vulnerabilities.

“Insurance carriers each have their own agent portals with different requirements on how you access them, so it's not unusual for several people in an agency to share credentials to make it easier," explains Alvito Vaz, business manager, ID Federation, who recalls being in an agency and witnessing one agent shout the shared login across the office to another team member so they could continue to service clients without interruptions. He also encountered one agency that kept all their passwords in a shared online file but mistakenly put the file on the internet instead of the intranet.

“Having to deal with 10 to 12 different security mechanisms to sign in and authenticate really lends itself to some of the negative behaviors around cybersecurity," he says, and points out that the time it takes to receive a login from a carrier, as well as the processes surrounding disabling accounts once an employee leaves a company, exacerbates the issues.

“Passwords and attacking passwords is a big thing," Vaz says. “At ID Federation, one of the things we're trying to do is make multi-factor authentication (MFA) the standard process, and we want to make it standard with operational efficiency."

“If you agree to the trust framework that is maintained by ID Federation, you can have one login password and one MFA that will federate with the carrier partners you're connecting to," he says. “You eliminate multiple IDs, passwords and MFA processes, and you've replaced that with a federated token coming from your management system."

AI Has Entered the Chat

At their core, independent agents want to help. They pick up the phone at 3 a.m. They show up. It's what they do. However, cybercrime preys on psychological impulses. Unfortunately, the need to serve and help makes independent insurance agents particularly susceptible to social engineering.

When a long-time client or community leader's name pops up in an agent's email inbox or a text from a family member asks to fulfill an order or pay an invoice, independent agents' DNA dictates that their instinct is to offer assistance. However, all these situations can easily be used as cover for cybercriminals to inject themselves into business deals to trick staff into opening the business' wallet to bad actors.

Earlier this year, the FBI's Internet Crime Complaint Center (IC3) released the “2023 Internet Crime Report," which recorded a 22% increase in reported losses compared to 2022, amounting to a record of $12.5 billion. The report highlighted four online crimes that caused the most financial losses in the U.S. last year: business email compromise (BEC), investment fraud, ransomware, and tech or customer support and government impersonation scams.

BEC scams, which include social engineering tactics, resulted in over $2.9 billion in losses in 2023, illustrating how cybercriminals are doorstepping Americans and businesses. To prevent these losses, agencies must implement a series of measures to stave off these attacks.

Cybersecurity awareness training to educate employees on how to recognize fraudulent emails is a key measure. However, as cybercriminals adapt their approach, employers should mandate regular education to keep up with changing tactics.

Further, in combination with a provider that can monitor and react to suspicious traffic and emails, requirements should include clear procedures for communicating sensitive information and making wire transfers, as well as who can access certain amounts of data.

However, as agencies grapple with the hard market and years of inflation that have pushed up overheads, ticking all these boxes to make their business secure takes time and money that some agencies don't have. This conundrum is pulling agencies between two posts: security and efficiency.

“Agencies have to operate on the scale of having efficient environments where everything's accessible to everybody and is quick and easy to use—but the problem is the bad guys can get into that stuff too—versus a completely secure environment where you could have everything locked up—but nothing can get done because it's so secure," says Ryan Smith, president and principal consultant, RLS Consulting.

“We're in a world where agencies have been told for the last 20 years to leverage technology, become more efficient, go digital and do all of this stuff, but efficiency and security are things moving in the opposite direction on that scale," Smith says. “All these different tools start to compound the level of risk. Unfortunately, efficiency is usually the enemy of security."

The security versus efficiency paradox plays out neatly in the race to utilize AI. On one hand, cybercriminals are using AI to write more convincing and grammatically accurate phishing emails; design automation to test systems; scan swathes of data for valuable, sellable information; and even write code to create sellable software that can be bought on the dark web by cohorts of cyber pirates to take to the digital seas in exponential fashion.

On the other hand, the good guys are using AI in almost equal measure to prevent these attacks. AI-powered predictive analytics, vulnerability scanning, behavioral analysis and automated responses can be combined to identify and stop suspicious activity.

Further, companies that aren't using AI to speed up efficiencies are being shamed by thought leaders who proclaim that they'll be out of business in a few short years if they don't adapt. Or, at the least, will be significantly behind their peers.

While there is no doubt about the efficiencies that can be gained in terms of quoting, marketing, underwriting and more, “agencies need to assess all third-party vendors, including those that use AI, to understand what that exposure does to increase their risk," Smith says.

Between the Geeks and the Government

As cyber threats evolve, the regulatory environment is also changing rapidly. In the face of a cyberattack, agents and brokers are presented with a double-edged sword: business interruption costs and reputation loss associated with an attack on one side and the regulatory requirements—whether an attack has occurred or not—on the other.

Every state has its own laws about responding to data breaches, and they might keep changing. The Gramm-Leach-Bliley Act (GLBA) is a federal law that is supplemented by state-specific laws, such as New York's Department of Financial Services (NY DFS) rules.

The laws govern how independent agents and brokers must collect and protect sensitive client information. The penalties for non-compliance are fierce. Financial institutions found to have violated regulations can be struck with fines up to $100,000 per violation, while directors and officers of financial institutions may be personally liable for a civil penalty of up to $10,000 per violation.

While resources such as the Big “I" Agents Council for Technology (ACT) 12-step compliance and protection roadmap go some distance in helping agencies meet cybersecurity regulatory requirements, “many agency owners do not realize that they're not being compliant because the states do a very poor job of explaining the regulations under which they fall," explains Anthony Riccio, director of sales at Rhodian Group, an IT, cybersecurity and compliance services company.

Among the patchwork of regulations, all states have a breach notification law. A key component of each state's law is a written incident response plan. This is an organized approach to addressing and managing the aftermath of a security breach or attack. The goal of these plans is to handle the situation in a way that limits damage and reduces recovery time and costs while complying with federal and state regulations. This includes communication and notices to the state superintendent upon detection of a cybersecurity event and communication to customers, insurers and third-party service providers.

“If you have a breach and the state comes in to investigate, if you have a written response plan—and followed it—that will prove that you are a victim and haven't been negligent," Riccio says. “If they look at you and see that you don't have a response plan, haven't done any cybersecurity awareness training and haven't met any of the requirements, the state is going to look at you as negligent and that's where tremendous fees and penalties start adding up."

Will Jones is IA editor-in-chief.