October is Cybersecurity Awareness Month, an opportunity to take the time to vet the cyber risks of your business and even of your own personal digital presence. Cyber threats are evolving rapidly, and few understand their implications better than Sonyia Townsend, Vice President and Senior Broker of Professional Liability at Arlington Roe. OIA’s E&O and Cyber team sat down with Townsend as she shared her expertise on the most pressing risks facing businesses today—and why cyber insurance is no longer a luxury but a necessity.
According to Townsend, the two most prevalent threats are ransomware and business email compromise (BEC). Ransomware attacks, which surged during the COVID-19 pandemic, remain a dominant concern due to their increasing severity. Meanwhile, business email compromise has become a favorite tactic among cybercriminals for its simplicity and effectiveness. “It’s incredibly easy for a threat actor to gain access to an email account through phishing,” Townsend explained. “Once inside, they can manipulate communications, impersonate executives, and authorize fraudulent fund transfers.”
Human error, she emphasized, is the root cause of most breaches. “About 95% of incidents stem from someone clicking the wrong link or sharing credentials,” Townsend said.
Even with strong security measures like multi-factor authentication, the human element remains a vulnerability: a phishing page that proxies the real login can capture the session after MFA succeeds, and repeated push prompts can wear a user down until they tap Approve. MFA narrows the gap; it does not close it.
One particularly alarming trend is the use of artificial intelligence by threat actors. Townsend described cases where criminals used AI to mimic voices, craft convincing emails, and even place calls through compromised Microsoft Teams accounts. These tactics make social engineering attacks more believable and even more dangerous.
Townsend recounted a chilling case in which a CEO clicked a phishing link disguised as a Microsoft alert. The attacker gained access to his inbox, set up forwarding rules to hide incoming emails, and impersonated him to authorize payments. Nearly $200,000 was transferred before the breach was discovered. Fortunately, the insurance carrier was able to recover most of the funds—but only because the incident was reported quickly.
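The inbox rules in that case are the part a defender can actually look for. The check below is an added example, not code from the article, OIA or Arlington Roe: it scans mailbox-rule audit records for the tell-tale settings (forwarding or redirecting to an outside address, deleting or marking matching mail as read, moving it to a folder nobody opens, and filtering on payment-related subjects). The record layout is an assumption modelled on Microsoft 365 Unified Audit Log entries for Exchange cmdlets (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs); the sample records and the tenant domain example-agency.com are constructed for the example.

```python
"""Flag inbox-rule changes that forward, delete or bury a user's mail, the
BEC pattern in the case above.

Added example; record shape and sample data are assumptions, not taken
from the article or from any vendor's documentation.
"""
import json
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example-agency.com"}   # assumption: the tenant's own domains

# Cmdlets and parameters an intruder uses to copy or divert mail.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress")
# Folders commonly used to hide diverted mail where the owner will not look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive",
                  "conversation history", "deleted items", "junk email", "junk e-mail"}
# Subject words that mark a rule aimed at payment traffic.
MONEY_WORDS = {"invoice", "payment", "wire", "ach", "bank", "remittance"}


@dataclass
class Finding:
    user: str
    operation: str
    client_ip: str
    severity: str
    reasons: list


def _params(record):
    """Flatten the record's Parameters list into a name -> value dict."""
    return {p["Name"]: p.get("Value", "") for p in record.get("Parameters", [])}


def _truthy(value):
    return str(value).strip().lower() in {"true", "$true", "1"}


def _external_address(value, internal_domains):
    """First address in a comma/semicolon separated value whose domain is not ours."""
    for part in str(value).replace(";", ",").split(","):
        addr = part.strip().strip('"[]{}').lower()
        if "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains:
            return addr
    return None


def analyze_record(record, internal_domains=INTERNAL_DOMAINS):
    """Return a Finding for a suspicious rule-change record, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = _params(record)
    reasons, high = [], False

    for name in FORWARD_PARAMS:                      # mail copied outside the tenant
        if name in p:
            ext = _external_address(p[name], internal_domains)
            if ext:
                reasons.append(f"{name} sends mail to external address {ext}")
                high = True
    if _truthy(p.get("DeleteMessage")):
        reasons.append("DeleteMessage: matching mail is deleted")
    if _truthy(p.get("MarkAsRead")):
        reasons.append("MarkAsRead: matching mail never shows as unread")
    folder = str(p.get("MoveToFolder", "")).split("\\")[-1].strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder buries mail in '{p['MoveToFolder']}'")

    words = {w.strip().strip('"').lower()
             for w in str(p.get("SubjectContainsWords", "")).split(",") if w.strip()}
    if words & MONEY_WORDS and reasons:             # hiding *payment* mail: escalate
        reasons.append(f"targets payment subjects: {sorted(words & MONEY_WORDS)}")
        high = True
    name = str(p.get("Name", "")).strip()           # attackers often name rules "." or ".."
    if name and reasons and (len(name) <= 2 or not any(c.isalnum() for c in name)):
        reasons.append(f"placeholder rule name {name!r}")

    if not reasons:
        return None
    return Finding(record.get("UserId", "?"), record["Operation"],
                   record.get("ClientIP", "?"), "high" if high else "medium", reasons)


def analyze_log(lines, internal_domains=INTERNAL_DOMAINS):
    """Run over newline-delimited JSON audit records; unparseable lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze_record(record, internal_domains)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: two malicious rule changes on the CEO's mailbox, two benign
# admin actions and one unrelated event.
SAMPLE_LOG = r"""
{"CreationTime":"2025-10-02T13:04:11","Operation":"New-InboxRule","UserId":"ceo@example-agency.com","ClientIP":"203.0.113.77","Parameters":[{"Name":"Name","Value":"."},{"Name":"RedirectTo","Value":"ceo.example@mail-lookalike.test"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2025-10-02T13:06:40","Operation":"Set-InboxRule","UserId":"ceo@example-agency.com","ClientIP":"203.0.113.77","Parameters":[{"Name":"Identity","Value":"Filter"},{"Name":"SubjectContainsWords","Value":"invoice,payment,wire"},{"Name":"MoveToFolder","Value":"Inbox\\RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2025-10-02T09:15:02","Operation":"New-InboxRule","UserId":"clerk@example-agency.com","ClientIP":"198.51.100.10","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@example-agency.com"},{"Name":"MoveToFolder","Value":"Inbox\\Newsletters"}]}
{"CreationTime":"2025-10-02T09:20:30","Operation":"Set-Mailbox","UserId":"admin@example-agency.com","ClientIP":"198.51.100.10","Parameters":[{"Name":"Identity","Value":"clerk"},{"Name":"ForwardingSmtpAddress","Value":"smtp:backup@example-agency.com"}]}
{"CreationTime":"2025-10-02T09:21:00","Operation":"MailItemsAccessed","UserId":"clerk@example-agency.com","ClientIP":"198.51.100.10"}
"""

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.user} {f.operation} from {f.client_ip}")
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed log, only the two rules on the CEO's mailbox are reported, both as high severity; the clerk's newsletter rule and the internal forwarding address pass. In a real tenant the same logic would be fed from an audit-log export, and an alert on any external forward or on a rule created from an unfamiliar IP is worth raising even before a dollar moves, since the rules typically go in before the fraudulent payment request.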
Speed, Townsend stressed, is critical. Reporting a breach within 72 hours significantly increases the chances of recovering stolen funds. “Time is everything,” she said. She also warned against relying solely on cyber endorsements within package policies. These often come with low limits and exclude key coverages like social engineering, PCI fines, and reputational harm. “Standalone cyber policies are broader, more responsive, and better equipped to handle today’s threats,” Townsend advised.
For agents and businesses, her message was clear: review your policies carefully, educate your teams, and act now. “The market is soft right now,” she noted. “Coverage is broad, premiums are low. This is the time to get ahead of the risk.”
Turning Awareness Into Action
Whether you manage IT infrastructure, lead a team, or aim to strengthen your organization’s overall security posture, there are several important considerations.
One effective approach is implementing security awareness training (SAT) alongside simulated exercises—such as phishing tests—that safely evaluate how employees respond to potential cyber threats. These activities reveal vulnerabilities and highlight areas where additional training is needed.
Using interactive methods and simulations not only makes training more engaging but also improves knowledge retention. This ensures that security principles are not just taught but practiced and remembered. It’s important to keep in mind:
- Human error is the weak point. By Townsend’s estimate, about 95% of incidents start with someone clicking the wrong link or sharing credentials.
- 36% of data breaches stem from phishing attacks, according to Verizon.
- Organizations that adopt security awareness training (SAT) see up to a 70% reduction in social engineering attacks, according to Gartner.
By creating an environment where employees actively participate in their learning, organizations build stronger defenses. A cyber-aware workforce is one of the most reliable safeguards against today’s rapidly evolving threat landscape.
Key Takeaways for Agents
- Human error is still the biggest risk. Most breaches start with a simple click.
- Business email compromise (BEC) is just as dangerous as ransomware. It often leads to fraud, extortion, or broader system compromise.
- Policy details matter. Sublimits, exclusions, and reimbursement vs. “pay on behalf” provisions can make or break recovery.
- Standalone cyber policies add real value. They include training, monitoring, and incident response — not just reimbursement.
- Act now while the market is favorable. Coverage is broad, premiums are low, and risk is only growing.
Strengthen Your Defense This Month
Cybersecurity Awareness Month is a reminder that preparation is the best defense. As Townsend noted, speed and readiness often determine the outcome of an incident. Now is the time to review your protections, educate your teams, and make sure you have the right coverage in place.
OIA and Arlington/Roe & Co., Inc. have partnered to offer our members an exclusive program to help protect agencies from information security breaches. To learn more about our cyber program, visit our website or contact us at (800) 555-1742. Our team, with over 50 years of combined experience in E&O and Cyber services, will be happy to help!
Additional Resources
The ACT Services Issues work group, alongside the Big “I”, created a sample cybersecurity policy to help agencies easily comply with the requirement to have a cybersecurity policy in place. Agents will need their Big “I” ID and password to download the template from the Big “I” website.
About the Author
Jeannine Giesler, CISR, CPIA, and past President of the OIA Board of Directors, Foundation for the Advancement of Insurance Professionals, currently serves as Resource Center Advisor for the OIA. The purpose of the Resource Center is to contribute to building a comprehensive library of resource materials for our members. We pride ourselves on being the one-stop shop for all OIA members and work to solve every problem or situation you may come across.
Legal Disclaimer: This material is intended to provide you with general background and insight. The material does not constitute, and should not be regarded as, legal advice regarding any particular facts, circumstances, or issues. This material is not intended to serve as a substitute for legal counsel, and we advise you to contact legal counsel for specific analysis, drafting and advice.
More Information: Consult your trusted advisors (attorney, banker, and CPA) to make certain that your legal and financial interests are adequately protected. The information provided in this publication is not intended to be a substitute for legal advice. You should consult your legal counsel and make certain that you are in compliance with state law. These laws and rules are subject to change.
Cited Resources
- Kurt Baker, “12 Most Common Types of Cyberattacks” (May 12, 2024; Jul 17, 2025)
- Big “I” ACT, “Turning Cybersecurity Awareness into Action in 2025,” January 15, 2025
- Gartner, “Security Awareness Computer-Based Training”
- KnowBe4, “KnowBe4’s Security Awareness Training”
- America’s Cyber Defense Agency (CISA)
- USCS Institute, “Types of Social Engineering Attacks and Their Prevention Strategies”