Ten days. That’s how long it took Moon Distributors Inc. of Little Rock to recover from an Oct. 11 cyberattack. For the Batesville School District, recovery took three weeks after an attack in late July.
The district’s teachers lost about 60% of their personal files, Technology Director Cheston Cooper said. Moon Distributors couldn’t put products on liquor store shelves, CEO Stan Hastings said. The company is insured for cyberattacks but has not yet filed a claim.
As cyberattacks like these become more common and more organizations look to transfer the associated risk to insurers, the availability of such policies has not kept up with demand, said Brendan Monaghan, vice president at BXS Insurance in Little Rock.
Arkansas Insurance Department spokeswoman Jennifer Bruce confirmed by email that there hasn’t been a significant or notable increase in insurers offering commercial cyber policies.
Policy costs are also on the rise, they said. Monaghan said underwriters are scaling back coverage amid the unanswered questions they and insurers have about the risks cyberattacks pose.
Hastings said he has not filed a claim yet because getting his business back up and running took priority. He also said he is unsure of what is covered by his policy or how to provide proof of loss. He said he’ll likely never know how much his company lost when consumers bought competitors’ products instead.
Hastings also believes cyberattacks are exacerbating supply chain issues. Monaghan said the insurance industry is struggling to define business interruptions tied to supply chain delays caused by a cyberattack.
Cyber liability insurance has been a “hard market,” where premiums are going up and coverage is being scaled back, for several years, Monaghan said.
Bruce, at the Insurance Department, said, “Insurance costs are rising significantly, and insurance companies are changing policy limits as well as implementing changes pertaining to deductibles and retentions. Underwriting requirements are tightening as well.”
Monaghan said insurers are requiring companies to have certain cybersecurity measures in place. Some companies that haven’t been insured in the past also lack cybersecurity measures as robust as those of companies that have been insured before, so prices are being adjusted accordingly — even on old policies — to balance out the varying risk to insurers, he said.
In addition, the market has continued to harden as the number of cyberattacks and the average size of those attacks grow, Monaghan said.
Ransomware is of particular concern, prompting the consideration of sub-limits for those claims, he said. Sub-limits dictate how much can be claimed per year for certain, usually more common, incidents. Both Moon Distributors’ and the school district’s attacks involved ransomware.
Last year, 21 ransomware attacks and 15 corporate data breaches in Arkansas were reported to the FBI. The victims’ losses from each were tallied at $150,000 and $454,948, respectively. A caveat is that the ransomware figures may include nonbusiness victims. The numbers seem low because these attacks are underreported, according to Connor Hagan, spokesman for the agency’s Little Rock office.
He said some businesses fear that being the victim of a cyberattack could damage their reputations and that many don’t realize the FBI can be subtle in investigating attacks.
The school district and Moon Distributors reported their attacks to the FBI. But Hastings acknowledged that there isn’t much the agency can do given that cybercriminals are most often based in other countries. He said he doesn’t plan to make significant changes to the cybersecurity measures his business had in place before the attack because there is only so much businesses can do to avoid being a victim.
“We felt like we were as safe and as secure as anybody could be. And we had been told that by others that have looked at the way we were structured, but I think anybody is susceptible,” Hastings said. “It doesn’t matter how good you think you are. It doesn’t matter if you’re running in a cloud or if you’re running on your own systems. Anybody can be hit. If you’ve got a computer that’s connected to the internet, you’re susceptible.”
Hastings said cybercriminals are “running a high-end, sophisticated IT company, but they’re getting their customers in a nontraditional way. That’s the reality of what we’re dealing with. … I really think that, for all businesses moving forward, this is going to be an ordinary, daily occurrence within the business community in our state.”