As the world becomes increasingly connected, it is crucial that businesses understand the risks associated with doing business online and the potential costs incurred by a cyber attack or incident. Regardless of a business’ size, industry or degree to which they utilize technology, the threat of a cyber attack is real and the damage could be irreparable. To address this need, innovative insurance providers offer protection through comprehensive cyber insurance. Small businesses can proactively mitigate their risk by partnering with a cyber insurance firm to cover the costs incurred by a breach.
What is cyber insurance?
All businesses are liable for myriad aspects of their operations - physical and virtual. Small business owners are held responsible (i.e. liable) for mistakes resulting in employee harm, damage to property and much more. While most business owners and contractors are aware of common general liabilities like personal injury, few ever consider their liability for information that passes through their networks, servers and web platforms. Business owners and operators that are not subject to Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI DSS) requirements don’t typically think of information processing and storage as a liability.
Because a growing number of small businesses are integrating digital functions like online retail, web-based payment methods, and proprietary applications, it is more important than ever that business owners protect themselves from personal responsibility for breaches, cyber attacks or simple human error. Since 2005, business owners have increasingly invested in cyber insurance to transfer liability and help them quickly and efficiently recover when an incident occurs.
Like other forms of liability insurance, cyber insurance safeguards businesses and their owners from the fallout caused by a breach, accidental data exposure or act of cyber aggression. Specifically, cyber insurance provides protection against two distinct kinds of risk: first-party and third-party. Simply put, this means that businesses (the first-party, or policyholder) are protected against losses or damages affecting their own entity, and against claims from a third-party outside of the company (e.g. customer).
What does it cover?
Broadly speaking, cyber insurance covers a business’ liability in an event that exposes sensitive customer information. Covered damages caused by a breach might include:
- Third Party Coverages
  - Data Security and Privacy - Covers any claims against the company in case of unauthorized use of the company’s computer system or the system of any outsourced providers.
  - Regulatory - Covers costs related to claims made by any Federal, State, Foreign or local governmental entity, as it relates to any regulation set forth by that entity.
  - PCI - Covers contractual liability when entering a payment card services agreement.
  - Cyber Media - Covers claims against the company by a person who feels they have been harmed by the content of the company’s Cyber Media Content.
- First Party Coverages
  - Data Breach Response - Covers the insured in case of a Data Security Breach. Will help with a crisis manager, lawyer and a technical team to assist with recovery after a data security event.
  - Business Interruption - Covers the insured in case of a Data Breach Event in the company’s computer system.
  - Contingent Interruption - Covers the insured in case of a Data Breach Event on an outsourced provider’s computer system.
  - System Failure Business Interruption - Covers the insured in case of an unintentional, unplanned interruption or failure of the company’s computer system not related to a Data Security Event.
  - Reputation Risk - Covers the insured against any private event made public that may pose material damage to the reputation of the company.
  - Ransomware Extortion - Covers the insured in the instance of any credible ransomware threat. Will also help the company with a security team to upgrade its system security.
  - Cyber Crime - Covers the insured against unauthorized transfer of money or securities by anyone not related to the company.
  - Social Engineering - Covers the insured when an employee is tricked into sending money or securities to any place or account outside the company’s control.
Consider the following example outlining how cyber insurance is used. Imagine that a small company owner falls for an e-mail phishing scam, ultimately allowing criminals to access their computer and the broader company network. As a result, customer information is stolen and normal business operations are halted for several days as the breach is addressed and the impacts assessed. Furthermore, law enforcement has requested information regarding the incident and additionally delayed the business from resuming full operations. Lastly, the business must take responsibility for notifying all relevant parties who could be at risk due to the breach - mitigating resulting issues and repairing key relationships.
The business owner now faces the daunting task of internal recovery from lost sales and production capacity. Additionally, the business’ customers could pursue legal action against the company for exposing their information. One of these obstacles alone is sufficient to hurt and possibly bankrupt a small business. However, a comprehensive cyber insurance policy provides the business protection against its own losses and litigation from outside parties, allowing it to resume normal operations as quickly as possible.
Who needs cyber insurance?
While it might appear that companies only need cyber insurance if they are primarily working in the digital space, this could not be further from the truth. Almost all companies now have some assets and processes that are handled or stored using software applications; many of these are managed by third-party vendors.
As technology adoption grows explosively, it’s becoming less likely that businesses of any size and in any industry will be able to operate competitively without using some software - even if it’s only e-mail. Each computer, tablet, phone or other device presents an additional breach point, and these risks are multiplied as they connect to dozens of different networks and employ hundreds of applications that are continuously updated to guard against exploitation.
Think for a moment about all of the data that businesses handle daily:
- Personal customer information
- Medical records
- Payment data
- Employee data
- Student records
Now consider the numerous ways that attackers are continually attempting to steal this information, disrupt processes or otherwise cause harm to businesses:
- Complex and convincing phishing scams designed to acquire sensitive information.
- New malware specimens being released every 4.2 seconds.
- Vulnerability exploitation affecting software applications that are essential to your operations.
- Brute force password cracking to gain entry to your network.
- Disruptive attacks (DDoS) that consume available bandwidth across multiple processes, denying access to your website or other critical business tools. This can even impact phone and fax lines.
These examples only represent a few of many methods that are used daily against small businesses. It is important to note that these types of incidents do not only impact the bottom line, they also impact the customer. It might delay your service or product delivery, or worst of all, it might expose your customer’s personal, financial, medical or other sensitive information.
Why is cyber insurance critical for small businesses?
The financial, retail and media industries have recently been rocked by massive compromises at the largest institutions. These companies were considered to be the most secure in the world, with impenetrable systems and highly advanced methods of incident monitoring and detection. These companies have large, highly sophisticated and well-funded information technology departments protecting their assets. Most large companies also use several external cyber security partners to further augment their prevention measures. Even with this elite level of protection, mistakes happen.
Small businesses, with their lower caliber network protection and reduced capability to monitor activity, are unarguably the most at risk for suffering a damaging cyber incident.
- In 2017, 61% of registered small businesses suffered some kind of breach.
- 60% of small businesses close permanently within 6 months of a breach.
- Approximately 48% of breaches are caused by malicious intent; the other 52% are caused by negligence or human error. Small businesses, which are usually understaffed and operating frantically, are at exceptionally high risk of a human error that exposes sensitive information.
- At least 43% of recorded cyber attacks target small businesses.
These statistics clearly show that small businesses are not only at significant risk of experiencing a breach, they are also the least likely to recover from this incident. With such high-risk factors and potentially devastating impacts, it’s clear why small businesses are the best candidates for comprehensive cyber insurance coverage.
What if I don't buy cyber insurance?
The risks incurred by continuing to operate without cyber insurance are clear: full liability for the costs and damages associated with any cyber incident impacting your business (and possibly a vendor used by your business). As seen with large national retail chains, breaches impacting multiple customers mean that multiple customers can seek damages against the company (potentially resulting in a class action lawsuit).
The damage to a small business caused by a breach is not only financial, it is also reputational. A small business’ reputation and brand are what give it market uniqueness and competitive advantage. Suffering a breach and failing to properly contain the fallout can cause irreparable damage to a small business’ brand. Instead of being recognized as innovative or trustworthy, the business’ name will be associated with a harmful incident and bad customer experience. It is difficult and costly to recover from this level of negative brand perception.
How much cyber insurance does my business require?
The type and amount of coverage needed for each business depend on several factors. Like all insurance providers, those offering cyber security protections are primarily concerned with risk exposure. Therefore, they will consider a business’s industry, age, size, number of employees, current risk mitigation practices, infrastructure, and much more when determining the kind of coverage needed. Based on the results of this analysis, providers can specially craft policies to ensure comprehensive protection. The complexity and scope of coverage will directly impact the price of the policy. Thus, the range of potential annual premium costs varies widely, with companies paying anywhere between $750 and $8,000.
I have business liability insurance. I don't need cyber insurance, right?
Cyber insurance is very different from business liability insurance. While business liability insurance covers general liabilities like employee accidents and property damage, cyber insurance specifically addresses costs associated with digital recovery and incident management. General business liability insurance policies don’t have the necessary specificity or explicit coverages required to help manage cyber incidents.
My customer data is handled by a third party. It's not my problem, right?
Businesses can be held liable for breaches that expose customer information, even if the breach occurred at a third party. Customers are able to hold companies accountable for the choices they make regarding which third-party vendors to use for data storage, payment processing, etc. Small business owners must use caution when selecting these providers and ensure that they are covered if an incident does occur. Cyber insurance offers the protection that small businesses need to mitigate risks associated with using third-party solutions.
The value of cyber insurance is clear when the threat is well understood. Although many businesses continue to operate with full risk exposure regarding their digital assets, the insurance industry is signaling a distinct shift. As small businesses change their approach to cyber security and begin to think more proactively, they will create a safer standard for themselves and their customers, and greatly increase the longevity of their companies.