The financial services industry is a prime target for cybercriminals. Many insurance professionals, and more specifically small insurance agencies, are unprepared for a breach. Surety bond professionals are no exception. Surety underwriters regularly receive and warehouse private financial documents and identity data belonging to applicants and indemnitors. These parties need to be aware of the tremendous impact that a cyber event can have on their enterprises and take measures (and countermeasures) to manage the risk. Mandatory remediation and notification requirements are expensive enough to drive a small business owner into bankruptcy and, worse, to leave the business with irreparable reputational damage among consumers and insurance carriers.
Being prepared for a cyber event is imperative. If you are in business long enough, it WILL HAPPEN. You may suffer a breach or a compromised email and never know it. Preparedness begins with a risk assessment. The goal is to identify where painful losses can occur so that you can immediately stop the bleeding (reduce severity) and remedy the breach (fix the problem). There are awesome resources available to help agencies with this. The National Cybersecurity Alliance is a great place to start. You must have a foundational understanding of cyber risk for surety professionals before you can take the steps to protect your agency.
A risk management plan must be developed. The plan begins with a security policy that applies both to your surety agency AND to third-party service providers that may cause a cyber event or would be affected by your own internal one. Your plan must be written and distributed among all staff members of your business, and then the practices of the plan must be implemented. Upon report of a cyber event, regulatory authorities and cyber risk policy insurers (which you absolutely should carry) will ask about this plan first. “Implementation” necessarily includes training and periodic retraining of surety agency staff to recognize malicious activity such as phishing and social engineering. Internal safety measures such as the encryption of private information are an excellent skill to offer your employees, and a proficiency that they can apply in all areas of their professional and personal lives. The management of cyber risk for surety bond professionals should focus especially on protecting the personal identifying information of surety bond applicants and the financial statements belonging to them or to their business enterprises. Multi-factor authentication is another excellent tool now available for almost all software functions.
A cyber risk insurance policy is indispensable. NO SURETY AGENCY SHOULD OPERATE WITHOUT IT! Per Business Magazine, “The costs stemming from a cyberattack can vary tremendously but are inarguably significant. Recent studies have shown that the average cost of a data breach to small business can range from $120,000 to $1.24 million, and that’s strictly limited to a small business market. Stepping outside the small business filter, IBM’s 2019 Cost of a Data Breach Report recently found that the average cost of a data breach was $3.92 million, and that breaches cost smaller businesses more (relative to their size) than they cost large businesses.” The costs of remediating a breach, of hardware and software corruption and damage, of obligatory notification of all affected parties and, in the case of personal identifier data losses, of ongoing credit monitoring will break a small insurance agency. The absence of some shift of risk to an insurer will likely mean the end of your insurance agency.
Cyber risk for surety bond professionals is more than significant. Surety products are largely distributed through specialty insurance brokers and agents with bonding expertise. Those enterprises tend to be small and local, exactly the type of business that is least likely to be prepared to manage a significant cyber event.