October 20, 2022
‘A Necessary Evil’: Promo Firms Paying Much More for Cybersecurity Insurance
Costs and requirements for coverage are increasing, but certain industry companies deem the protection essential and are investing. Still, others are eschewing coverage, saying the price is too steep.
680%.
That’s how much iPromo’s (asi/229471) cybersecurity insurance policy costs increased between 2021 and 2022. Given that astounding rise, did Leo Friedman consider dropping the coverage?
Not for a second.
“We absolutely need it,” says Friedman, founder/CEO of the Chicago-based distributorship, which pays $21,000 annually for cyber coverage. “The risk of not having it outweighs the cost.”
iPromo’s situation is one other promotional products companies – and businesses across industries – are finding themselves in.
Cybersecurity insurance costs are soaring at a time when companies, government agencies, utilities and others need the coverage more than ever to protect against increasingly numerous and sophisticated attacks.
Along with rises in premiums and deductibles, insurers are also requiring would-be insurees to establish more robust technological safeguards to serve as stronger bulwarks against cyber strikes before they’ll provide coverage. That’s another cost accelerator – and operations complicator – for companies in promo and beyond.
Still, it’s a bullet some branded merchandise executives say they simply must bite.
“Good cybersecurity insurance is a necessity nowadays due to the increased cyberthreat globally,” says Tuan Huynh, vice president and chief information officer at Lewiston, ME-headquartered Top 40 distributor Geiger (asi/202900).
Rising Costs, Increasing Requirements
Promo companies are far from the only ones contending with cybersecurity insurance price hikes.
Consider: Cyber insurance premiums soared by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the Council of Insurance Agents & Brokers (CIAB), an association for commercial insurance and employee benefits intermediaries.
$86,000
The average cost for small and mid-sized businesses to recover from a data breach. (Kaspersky)
Marsh found even steeper rates of increase in recent research. The insurance broker/risk advisory firm reports that average cyber insurance rates were up 54% in July. On the bright side, the research shows that the rate of the rise was down from 133% in December 2021. Still, 54% is a steep incline.
Key factors driving up the price of coverage are the multiplying number of cyberattacks, as well as the financial severity of successful strikes.
In its most recent Internet Crime Report, the FBI says the number of cyberattack complaints it received in 2021 increased 7% year over year – continuing a trend of annual rises. Reports of ransomware attacks in particular soared an eye-popping 51% between 2020 and 2021, the FBI says. Perhaps even more alarming is that potential losses from overall digital raids skyrocketed 64% to more than $6.9 billion.
Analysts say most cyber strikes go unreported, with some estimating that as many as 90% in the United States aren’t reported. Researchers from the University of Maryland have estimated that a cyberattack happens every 39 seconds. One in 10 small businesses now suffers a cyberattack every year, according to the Insurance Information Institute.
The grim reality these statistics depict means that cyber insurance providers are exposed to ever-greater levels of risk and are compelled to compensate their client victims more. That drives rate hikes: The more insurance actually gets used (or even the greater potential for it to be used), the more expensive insurers tend to make coverage.
$1,589
The average cost of cyber insurance in the U.S. in 2021. However, firms can pay much more depending on the specifics of coverage. The higher your revenue, expenses and operating costs, for instance, the more you can expect to pay for cyber insurance. The more people who have access to your systems, the more you will pay. (AdvisorSmith)
“Large-scale attacks – such as last year’s Colonial Pipeline ransomware attack, which led to short-lived gasoline shortages in the Southeastern U.S. – have highlighted the potential for catastrophic financial damages,” says Dan Garcia-Diaz, managing director of the U.S. Government Accountability Office. “As a result, insurers are starting to take steps to limit their exposure to these losses.”
Rising demand is also a factor in policy increases. Marsh found that the percentage of first-time cyber insurance buyers has almost doubled in five years, from 26% in 2016 to 50% in 2021. While some reports indicate more insurers are entering the market, which may help slow the rate of increases, there are still only so many entities that offer coverage. As demand for coverage increases, so can the cost.
Beyond the policy cost hikes, underwriters are aggressively trying to minimize losses stemming from cyber claims. They’re doing this by enacting more stringent standards that companies/entities must meet to receive coverage. For those paying for coverage, that adds up.
“Many insurers now require businesses to have deployed two-factor authentication, endpoint detection and response, and sophisticated system backup services at a minimum in order to be insured,” says Dan Pantano, president/CEO of Trevose, PA-based Top 40 supplier alphabroder (asi/34063) and a member of Counselor’s Power 50 list of promo’s most influential people.
What Does Cyber Insurance Cover?
Cyber insurance is a specialty insurance that protects businesses from web-based threats, and more generally from risks related to information technology infrastructure and activities. Policies may provide first-party coverage, third-party coverage or both. The Federal Trade Commission explains:
First-party cyber coverage protects your data, including employee and customer information. This coverage can include a business’s costs related to: legal counsel to determine your notification and regulatory obligations; recovery and replacement of lost or stolen data; customer notification and call center services; lost income due to business interruption; crisis management and public relations; cyber extortion and fraud; forensic services to investigate the breach; and fees, fines and penalties related to the cyber incident.
Third-party cyber coverage generally protects you from liability if a third party brings claims against you. This coverage may include: payments to consumers affected by the breach; claims and settlement expenses relating to disputes or lawsuits; losses related to defamation and copyright or trademark infringement; costs for litigation and responding to regulatory inquiries; other settlements, damages and judgments; and accounting costs.
‘The Benefit Outweighs the Cost’
Despite the rising costs and mounting requirements, many promo companies are sticking with and even expanding their cyber insurance, given what they say would be the potentially business-devastating repercussions that could result from sustaining a crippling cyberattack and lacking coverage.
Alphabroder suffered a ransomware attack in 2019. Insurance helped out. “We used our cyber insurance to assist with recovering losses related to business disruption and system recovery,” Pantano shares.
The supplier recently renewed its cyber insurance coverage. The new policy premium increased 125% compared to the cost of the previous policy – for the same amount of coverage. The deductible rose, too.
Cyberthreat Education at ASI Orlando
At the ASI Show Orlando on Wednesday, Jan. 4, 2023, FBI Computer Scientist Gary Hopewell will lead an education session on identifying cyberthreats and protecting your business from them.
“Given our previous experience and the additional cyber readiness services provided by the insurance companies today, we feel the benefit of having the insurance outweighs the cost,” Pantano says.
Friedman can relate. Earlier this year, the distributor was the victim of a phishing scam. The company received, through email, fraudulent purchase orders from what appeared to be an existing client. However, the client had been hacked and crooks were using this illicit access to convincingly pose as the customer. Friedman says it was almost impossible to spot the scheme; iPromo shipped six figures’ worth of travel kits to the fraudsters – and never received payment.
Thankfully, iPromo had good cyber insurance. The firm’s carrier had to explore a number of options in order to determine the appropriate way to classify the hacking incident within coverage guidelines. Ultimately, the insurer was able to provide coverage for the stolen product. Reimbursement is currently pending but expected, says Friedman.
“We’ve seen a dramatic increase in cyberthreats that are sophisticated and targeted,” Friedman shares. “We need to always keep ourselves abreast of and protected from current threats and anything that may be lurking on the horizon. Our insurance carrier is not only committed to providing a fast resolution in case of an attack, but also to preemptively protecting against one.”
A couple of years ago, Geiger had to notify its insurer that it was investigating a potential breach stemming from one of its remote offices. Fortunately, the Top 40 firm wasn’t actually penetrated by hackers, the investigation showed. Nonetheless, the experience affirmed the necessity of cyber insurance. It’s part of why Geiger didn’t consider letting coverage lapse when its insurance plan cost nearly doubled recently. In fact, the firm increased its liability for higher coverage from 2021 to 2022. A premium increase is expected in 2023.
“Even with just the whisper of a possible intrusion like we experienced, it requires time to fully investigate,” says Geiger CEO/President Jo-an Lantz, a Power 50 member. “We were lucky that our defenses held. But it was another warning that even with the best systems, we have to be alert and aware.”
Why Some Promo Firms Don’t Have Coverage
Certain market analysts worry that if cyber insurance rates and requirements to receive coverage continue to rise exponentially, smaller companies will drop coverage, not seek coverage or simply be unable to afford/obtain coverage even if they want it, exposing them to existential risk.
In the promo market, plenty of companies already go without cybersecurity insurance. Cost is a big reason for some. “Last time we looked, it was quite expensive,” says a C-suite leader at a Top 40 supplier. “We spend a lot of money on in-house security measures to try and avoid these issues.”
Others don’t carry the coverage because they fail to realize they might need it and/or because they think the business insurance they already have will indemnify them in the case of a breach. While policy particulars can vary, insurance analysts say that traditional commercial general liability plans typically lack coverage for cyber strikes. One distributor that was victimized in a scam similar to the one that snared iPromo found that out the hard way.
Howard and Amanda Potter don’t ever want to be in that position.
The Potters run Utica, NY-based A&P Master Images (asi/102019), a distributorship/decorator that generates annual revenue in the lower seven-figure range. So, while the firm is far from promo’s biggest, the Potters still budget strategically to ensure they can carry cyber coverage.
“Cyber insurance is a necessary evil,” CEO Howard Potter says. “With more sales happening online, it’s very easy for someone to hack into your network to get customer information. For us, not having coverage isn’t worth the gamble. We’re investing in protecting ourselves and our customers.”
Pantano agrees with that rationale. “It’s not,” he says, “a matter of if your company will be breached; it’s a matter of when and how bad the impact will be.”