We’ve all heard of the data breaches that have affected government organizations and large businesses in the US. Although the large data breach is what makes the “News,” small and medium-size businesses are being targeted as well. It seems now that it’s not a matter of “if” but a matter of “when.”
There’s bad news and there’s worse news concerning data breaches for businesses across America. According to a report published by Property Casualty 360, small-business cyber attacks are on the rise:
- Bad News: 62% of cyber-breach victims are small to mid-size businesses.
- Worse News: the average small-business data breach costs $20,752.
Also, considering that reporting a data breach can lead to a damaged reputation, the National Conference of State Legislatures has determined that many businesses fail to report data-breach events out of fear of significant loss of business. Fortunately, insurance carriers have responded to the peril of data-breach by developing comprehensive Cyber Liability policies that will act as a financial parachute for victimized businesses.
To be clear, cyber liability insurance will not prevent someone from hacking into your system, but it will pay for the significant financial losses that result from a data breach.
What is Cyber Liability Insurance?
The International Risk Management Institute (IRMI) defines cyber liability as an insurance policy designed to provide coverage for consumers of technology services or products. The coverage is intended to cover liability and property losses that result when a business engages in various electronic activities, like selling on the internet or collecting data within its internal electronic network. In other words, any business or organization connected to the internet is at risk of cyber attacks that could result in a data breach, and there are various bad actors and causes that may be culpable:
- Disgruntled Former Employees: Workers have admitted to hacking into a former employer’s system in an act of revenge for what they considered a wrongful termination. Typically these attacks happen because the employer is slow in changing logins in the workplace.
- Human Error: Consider a careless worker who leaves an unlocked phone in a taxi, or clicks on a link in an email from a party they aren't familiar with. And then there's that lazy employee or manager that uses the same password for every workplace program. These scenarios can easily lead to a data breach or Ransomware being introduced into the business' networked computer systems.
- Mobile Devices: Your data is at risk every time an employee uses a personal smartphone or tablet to access your system without the proper safeguards. Typically, employees will access your systems from a shared (not secured) Wi-Fi hotspot where any junior hacker could grab the credentials they need to access your network.
- Ransomware: Ransomware has become a popular method of generating income for low-level hackers. Once introduced into your computer, the malware locks (encrypts) your data, and you are held hostage until you pay the ransom to retrieve the key required to decrypt your system’s data.
- Coordinated Attacks: Coordinated attacks are typically instigated by a group or syndicate of hackers in a foreign country. Their goal is to steal sensitive information from organizations that typically store a lot of personal data, such as a hospital or other health care provider. Once stolen, the data is sold to others who use it to open credit accounts in the name of the person whose data was stolen. This is commonly known as identity theft.
What Does Cyber Liability Cover?
Cyber liability provides financial coverage for expenses related to a data breach. These expenses can accumulate rapidly once a data breach is discovered and reported.
- Customer Loss: Your customers that are affected by a data breach are likely to stop doing business with you since you failed to protect their sensitive data.
- Business Disruption: According to SecureWorks, a company specializing in data protection, the disruption of doing business typically accounts for about 39 percent of the total costs of a data breach.
- Regulatory Fines: Not only will your customers punish you after a data breach, various government agencies will also join the party. The FCC, FTC, HHS, and state authorities all impose fines and/or expensive tasks you must perform once a data breach has been reported.
- Legal Costs: Business owners need to understand that friendly customers can quickly become unfriendly when their bank accounts and credit cards are under attack. When Anthem, a large health insurer, was attacked, three substantial lawsuits were filed within 24 hours of the data-breach disclosure.
- Public Relations: Once your business’ reputation has been tarnished, it is expensive to hire a PR firm to rehabilitate your company’s image.
- Direct Financial Loss: Once a data breach has taken place, the attackers may obtain access to your financial accounts and will immediately wire available funds to accounts they control.
A comprehensive Cyber Liability policy will cover first-party costs and third-party costs in the event of a data breach. First-party expenses are the result of damage to your data and any affected systems. Third-party expenses result from your liability for customers who may be financially affected by a data breach. The following example describes a data breach at a small business:
Jeff owns a high-end bike shop in Miami Beach. One morning he received a call from a vendor who advised that their systems had been exposed to a data breach and that they wanted to provide notice to his business.
Since Jeff stores sensitive customer data on his hard drive, Jeff immediately calls a data security consultant to examine his system to see if his business was affected. After examining Jeff’s computer system, the consultant advised that since Jeff’s system was continually connected to his vendor’s system, all of his data were exposed during the attack on the vendor.
Jeff immediately notified his customer base and the appropriate authorities that a data breach was discovered by a security consultant. Jeff then notified his insurance carrier where he had purchased a cyber liability policy the previous year.
After totaling all of the expenses associated with the data breach, Jeff’s exposure was over $1.5 million, along with $750,000 in defense costs resulting from several lawsuits brought by customers. Since his cyber liability limit was $5 million, Jeff had no out-of-pocket expenses as a result of the data breach.
How Much Does Cyber Liability Cost?
Your cost for comprehensive cyber liability insurance will depend on various underwriting factors that allow the insurer to determine your potential risk. These underwriting factors include your type of business (some are targeted more than others), the number of transactions each year, what information you collect, the number of computers or devices, and the type of security you have implemented.
Typical insurance costs for the following high-target small businesses are:
- Healthcare Office: $1,202 per year
- Tax Preparation Firm: $1,200
- Retail Store: $1,100
Although your cost of cyber liability will depend primarily on your type of business, annual revenue, and the limit of liability you select, you can expect to pay from $750 on the low end and up to $8,000 on the high end. These estimates are for small businesses. Mid-size and large businesses will typically pay many times these amounts because of the exposure to the insurer.
Who is the Most Vulnerable?
Small business owners who are considered top targets for cyber attacks and data breaches are those in healthcare, financial services, insurance services, technology services, online retail, and online services.
The most important thing to remember about cyber liability risk is fairly straightforward: if your business is connected to the internet at any time during the day, your business is at risk of cyber attack and data breach!