What Is Cyber Liability Insurance For Small Businesses?
Do you own or manage a business? Does your business use computers? Do those computers store data such as social security numbers, credit card numbers, driver’s license numbers, medical records, or other confidential information?
If you answered “yes” to these questions, your business probably needs cyber insurance. And this is true regardless of the size of your business—small businesses are subjected to phishing and other types of online attacks almost as often as large businesses.
Cyber attacks may seem like a remote and unlikely occurrence, but that simply isn’t the case. While hacking used to be something seen mostly in movies, it’s now more common than ever and no business is immune.
Despite media coverage of major hacks, such as the Equifax breach, many business owners still only take minimal measures – if they take any at all – to protect their companies. Unfortunately, cyber attacks often have devastating effects, often causing the affected businesses to close their doors for good.
How Vulnerable Are You?
A 2016 survey of small to medium-sized businesses revealed some startling statistics. First, only 14 percent of the 600 companies surveyed claimed to have highly effective systems in place to mitigate cyber attacks and correct vulnerabilities. Not surprisingly, then, half of these companies experienced breaches within the past year.
Second, while we mostly hear about high-profile breaches at major corporations, it is small- to medium-sized businesses that are the most vulnerable, since they rarely have dedicated IT staff or security training for employees. This makes them more susceptible to cyber ransom, phishing, malware, and e-commerce attacks (learn more in Why You Might Need Cyber Insurance – Even if You Run a Small Business).
Third, a 2017 Manta poll shows that 87.21% of business owners do not feel they are at risk of experiencing a data breach. The same survey, however, also shows that this confidence doesn’t come from having secure systems: only 17% reported using antivirus software and only 14% use anti-malware software.
All of this points to the same conclusion: many businesses do not take the threat of cyber attacks too seriously, but they should.
Growth in Cyber Crime
According to Symantec’s April 2017 Security Threat Report, data breaches almost doubled from 2015 to 2016. Breaches exposed over 1.2 billion identities, with most attacks taking less than 2 minutes.
The variety of threats continually grows, too. Companies must stay abreast of the latest technologies and adopt best practices to protect themselves from cyber attacks. The Computer Crime and Intellectual Property Section (CCIPS) of the Justice Department states that “ransomware is the fastest growing malware threat.” But it is far from the only one.
According to 2017 IBM X-Force Threat Intelligence Index, spam emails increased fourfold in 2016, increasing the likelihood that employees receive phishing scams attempting to retrieve personal information, such as user names and passwords.
Malware infections also doubled from 2015 to 2016, mostly through Android phones. With more companies relying on mobile technology to connect employees and provide superior customer service, there is an increased need to take precautions. Regrettably, employees entrusted with sensitive information may use public Wi-Fi, fail to update their devices, not bother with antivirus software, or use simple and easily cracked passwords (for related reading, see How to Protect Against Identity Theft).
Associated Costs
Even if a hacker does not use ransomware to extort money from your company, the costs associated with rectifying the situation are colossal.
Most states require customer, supplier, and third-party notifications which cost tens of thousands of dollars. Experiencing a hack can also seriously damage the trust you’ve built with customers, clients, and investors. If your reputation is harmed as the result of a cyber attack, you may need to hire a PR firm. And to deal with the situation effectively, you will need to hire lawyers, train employees, and develop best practices and procedures.
A major customer disruption can be financially catastrophic. Ponemon Institute’s 2017 Cost of Data Breach Study put the average cost of a breach at $225 per compromised record, and the First Market Data Insight report puts the average cost of a small-business breach at about $37,000. These costs are not easy to bear, and statistics from the National Cybersecurity Alliance indicate that 60 percent of small businesses close following an attack.
Best Practices
Recognizing the threat is the first step towards finding solutions. Naturally, establishing proper protocols and using up-to-date software is your first layer of defense. Industry experts such as Microsoft, Cisco, and Symantec recommend the following security measures for businesses.
- Inventory Current Technologies – Make sure you are using a firewall, anti-virus, anti-malware, and intrusion detection software
- Identify Valuable Assets – Understand what’s at risk and who can access your data to highlight any weaknesses in your systems and procedures; encrypt stored data to add a layer of protection
- Use Digital Certificates – Serve each website over HTTPS with a TLS (SSL) certificate from a trusted certificate authority; this encrypts traffic in transit and lets visitors verify they are talking to your server, but it does not protect data stored on the server itself
- Budget for Security – Kaspersky provides a handy IT security budget calculator to help you determine how much of your budget should be allocated to cyber security
- Restrict Removable Media – Flash drives and removable hard drives are simple and convenient, but they are also easily lost or stolen and a common way for malware to enter a network
- Filter Spam – Using spam filters on email servers removes unwanted emails from inboxes, reducing the likelihood that someone in your company will be the victim of phishing attacks
- Update Patches and Software – Defenses are only effective if they keep up with new threats, so apply security patches promptly to operating systems, applications, and security tools
- Back Up Your Data – Ransomware can block you from accessing important customer data, so back up your information to an encrypted, secure, off-site location; keep at least one copy offline or otherwise unreachable from your network, since ransomware will also encrypt any backup it can write to, and test restores regularly so you know the backup actually works
- Train Users – Educated users take fewer risks with your company’s data
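As an added illustration of the backup item above (this script is not part of the original article and is not from any of the vendors it names), the following Python records a SHA-256 manifest of a backup set and later uses it to spot files that were encrypted, deleted, or planted, which is what a restore check after a ransomware incident looks for. The directory layout, file names and contents are constructed for the example; in practice the manifest would be stored with the off-site backup, out of reach of the machine being protected.

```python
"""Backup manifest check: detect files that changed (for example, were encrypted
by ransomware) between the time a backup was taken and the time it is verified.
Added example; file names and contents below are constructed, not real data."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under `root` (path relative to root, '/' separated)
    to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest recorded at backup time.
    Returns sorted lists of modified, missing and unexpected files; all three
    empty means the restore matches what was backed up."""
    current = build_manifest(restored_root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: record a manifest, simulate ransomware overwriting
    one file, deleting another and dropping a ransom note, then verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "customers"))
        with open(os.path.join(root, "customers", "list.csv"), "w") as f:
            f.write("id,name\n1,Example Customer\n")
        with open(os.path.join(root, "invoices.txt"), "w") as f:
            f.write("INV-001 paid\n")

        # This JSON is what you would keep with the off-site backup.
        manifest_json = json.dumps(build_manifest(root), sort_keys=True)

        # Simulated ransomware activity on the live copy.
        with open(os.path.join(root, "customers", "list.csv"), "wb") as f:
            f.write(b"\x00encrypted-blob\x00")
        os.remove(os.path.join(root, "invoices.txt"))
        with open(os.path.join(root, "README_DECRYPT.txt"), "w") as f:
            f.write("ransom note\n")

        return verify_restore(json.loads(manifest_json), root)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the manifest: if it sits on the same disk as the data, the attacker can rewrite it along with the files, so store it with the off-site copy and compare against that.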
Cyber Liability Insurance
Businesses should also seriously consider purchasing cyber liability insurance to protect them if their defenses fail.
Cyber liability insurance can cover losses from a data breach, as well as crisis management costs. For instance, resolving hacks involves an investigation and remediation. You may need additional resources to handle customer notifications and to manage calls, too. Most states require notifications, but even if you operate in an area that does not demand it, it’s a crucial step to salvaging your reputation.
Covered costs may also include cleaning infected devices and systems, legal fees and court attendance, and penalties and fines. Most policies also cover multimedia and media liability, such as a damaged website or social media account, or property right infringement to third-parties.
Cyber liability insurance also protects your business from extortion and fraud and the associated legal fees. You may also obtain coverage that provides credit monitoring services, protection for business interruption losses, and network liability costs if hackers access third-party data.
Protect Your Data
Your data is a very important asset. Cyber liability insurance is no longer something that would be nice to have; it’s become a necessary precaution.
As data breaches increase and become more sophisticated, it is more important than ever to ensure multiple layers of protection. Many data security experts claim that businesses should not wonder if a breach will occur, but when. With that kind of warning, additional insurance coverage seems like a reasonable and affordable measure.
What Does Cyber Insurance Cover?
Cyber insurance—sometimes known as cyber risk insurance or cyber liability insurance coverage (CLIC)—typically covers these four items:
Investigation
If your system is hacked, you will want to know how the breach occurred so that you can protect against similar types of attack in the future. While an investigation might be conducted by the FBI or other law enforcement agencies, you should consider hiring a private computer security firm to investigate the attack and advise you on the steps you should take.
Business Losses
Your system could be down as a result of the breach and the subsequent investigation. A good policy will cover you for losses due to downtime, costs associated with lost data recovery, and costs related to repair of reputation.
Notification and Monitoring
In some circumstances, you might be required by law to notify customers and other parties whose data has been stolen. And even if you are not legally required, you might want to do this to maintain the goodwill and loyalty of your customers.
Some states also require credit monitoring for customers whose credit information has been lost.
Lawsuits and Extortion
The attack itself might not be the end of your troubles. You might be sued by customers, be fined by governmental agencies, or be the subject of attempted extortion by the hackers. Your cyber insurance policy should provide some coverage in these events (see Insurance and Lawsuits to find out what happens when you are sued).
If you have suffered identity fraud as the result of a breach, your policy may also provide coverage to allow you to recover your identity and restore your credit history (to learn about separate coverage for identity theft, see Identity Theft Insurance: Is It Worth the Price?). Repairs to computer systems are often also covered, though physical damage to your own equipment may already fall under your commercial property policy rather than your commercial general liability (CGL) policy.
Why You Might Need Cyber Liability Insurance
Complex Legal Obligations
As of April 2017, all states except Alabama and South Dakota have legislation requiring private entities to notify affected parties of security breaches involving personal information.
This legislation describes what constitutes “personal information,” who you must notify and when, and any exemptions within the state. Notifications may include contacting customers, suppliers, and third parties affected by data loss. Most companies do this voluntarily to salvage their reputation and brand, but it is a painstakingly long and involved process.
Serious Reputational Damage
Data breaches also cause serious reputational damage. Recovery from a breach may require hiring more staff to field calls, employing a PR company, establishing best practices and training employees, and more.
A cyber incursion also cuts into your revenue at the very moment you need capital for recovery. Without layered protection, small businesses are therefore especially exposed.
Major Financial Impact
Statistics from the National Cybersecurity Alliance show cyberattacks are so financially catastrophic for small businesses that 60 percent of them close following an attack.
According to Ponemon Institute’s 2017 Cost of Data Breach Study, breach costs in the United States hit a record high in 2017. The average cost is now $225 per compromised record, including the cost of greater-than-normal customer loss, new technologies, and legal fees. The post-hack costs for forensic and investigative activities, audits, crisis management, and communication with customers also reached all-time highs.
The First Market Data Insight report states that the average cost for a small business breach is $37k.
What to Look for in Cyber Insurance Policies
Cyber insurance is a relatively young and still-evolving line of coverage, so policies can vary significantly across insurance companies. Given all of the variations, shopping around is highly recommended. Here are some of the things you should be asking yourself when evaluating policies:
- Is the cyber policy stand-alone or part of some other type of insurance, such as E&O (errors & omissions) insurance? Stand-alone policies are generally better, since they indicate that the insurer has given more thought to carefully writing the coverage provisions.
- What deductibles apply and how big are they?
- Does the insurance cover first-party losses only, or first-party and third-party losses? First-party coverage pays for your own costs after a breach (investigation, notification, downtime, data recovery). Third-party coverage pays for claims that others bring against you because of the breach, for instance a customer who sues you or a regulator who fines you. Ask also how the policy treats a vendor’s negligence: if a contractor you hired to set up your systems made the mistake that led to the breach and is uninsured or can no longer be found, you may be the one held liable, so check whether such claims are covered.
- Are both social engineering and network attacks covered? Social engineering attacks often come in the form of phishing, which occurs when someone misrepresents themselves over e-mail or social media in order to elicit confidential information, such as account numbers or login details, from you or one of your employees. Network attacks are direct attacks on the system, including denial of service attacks, browser attacks, and botnet attacks. Read the exclusions carefully so you can be sure that you are covered in either case.
Your CGL Policy Probably Doesn’t Cover Cyber Attacks
Note that your CGL policy almost certainly does not cover you in the event of a cyber breach. A CGL policy covers bodily injury and damage to tangible property of others, and standard forms treat electronic data as not being tangible property; damage to your own computers is a matter for your commercial property policy, not your CGL. Investigation, business losses, notification and monitoring, and lawsuits and extortion are all likely to fall outside the scope of your existing coverage.
Compare Cyber Insurance Policies
As is set out above, cyber policies can vary significantly among insurance companies. Take a look at no less than three or four of them so you can get a good sense of your options. Notice what is covered, what is excluded, what the deductibles are, and what the premiums are. Think carefully about what kind of coverage your business needs, how much you can afford to pay, and, importantly, how much you stand to lose if you aren’t adequately covered.