By now we’ve all heard a story or two about the devastating impact of cyber-attacks on businesses.
While the headlines tend to focus on attacks against large organizations (Target, Yahoo, LinkedIn), various studies tell us that main street businesses are subject to cyber losses just as frequently as their larger counterparts. We also know that the stakes are high for small business owners, who often have less access to preventative resources and who are less likely to purchase cyber liability insurance, leaving them totally exposed to the fallout of a cyber-related incident.
Here are some factors to consider as you assess your own cyber liability.
Does your business keep physical or electronic records of employees or third parties? If so, your company might control personally identifiable information, and that data must be protected under state and federal laws.
Does your business have employees? Business owners might be startled to learn that one of the leading causes of data loss is employee error, such as misplacing a laptop or opening an email containing malware.
Does your business rely on a third-party vendor for cloud backups or IT services? Your business can be held liable for a breach of private information regardless of whether you or a third party were the source of that breach.
Does your business accept credit card or other electronic payments? Nearly 40 percent of data stolen is credit card and payment information, which is the most highly sought-after personal data on the black market.
Do you train your employees on proper email and internet use? The vast majority of ransomware attackers are “invited in the front door” by employees who mistakenly visit a compromised website or open an email containing ransomware.
When using these talking points as a general diagnostic tool to assess your own company’s cyber risk, some business owners might find themselves feeling susceptible to a cyber-related loss. Most industry experts agree that it’s not if, but when your small business will become the next victim.
In response to this ever-emerging risk, the insurance industry has developed a comprehensive set of coverage forms designed to address what happens after your business gets hit with a cyber intrusion or loss of sensitive data.
Let’s take a look at some real-life examples of how cyber insurance has responded to losses right here in California.
It was a sunny Tuesday in the Central Valley when the electrical contractor was finalizing his bid due at noon on Friday. He returned from lunch to find that his entire network had been locked down after an employee opened an email and clicked on a link containing ransomware. Without access to his system, his bid was dead in the water. Payroll, accounting and other critical business operations also came to a standstill. The contractor was faced with a difficult decision: pay the $15,000 ransom to restore access to his system, or risk continued business interruption and possible destruction of data. With the bid deadline approaching quickly, the contractor paid the ransom.
Fortunately, this contractor had a comprehensive cyber liability policy. His insurer reimbursed him for the cost of the ransom. It also paid for the loss of income incurred during the period of recovery, as well as the additional expense of taking time away from work to transfer U.S. Dollars into Bitcoins, which is the preferred currency for cyber-extortionists.
Things were going great for this small California manufacturer of plastic products, until she began hearing from several employees that their tax returns had been fraudulently filed by unknown individuals. After a lengthy forensic investigation it was determined that paper records for current and former employees had been stolen from a storage warehouse used by the manufacturer. Those records were used by criminals to file fraudulent tax returns.
Fortunately, the manufacturer was afforded coverage under her cyber liability policy. The insurer covered the cost of credit monitoring for the employees, legal fees to settle claims brought by several former employees, as well as the cost of the forensic investigator. The carrier also deployed a breach coach to advise the manufacturer of her legal duties under state and federal laws, and covered the cost of a public relations firm after local media got wind of the incident.
The local NPO
The controller of this small-town NPO was planning to write “thank-you” notes to select donors over the weekend and decided to email the entire donor list to his private email address. Several months later, it was determined that his personal computer had been compromised and the list had been used to defraud the donors. Authorities launched an investigation into the matter, which resulted in fines and penalties.
Having invested in a cyber policy, the NPO’s liability was limited to a modest deductible. The full financial cost of credit monitoring, victim notification, defense of claims brought by donors and the cost of defending against and paying for regulatory fines and penalties was covered by the insurer.
In each of these three cases, although the process was painful, the outcome was cushioned by the presence of an insurance policy to act as a backstop. Sadly, outcomes like these are hard to find since upwards of 90 percent of small businesses forgo cyber liability insurance, leaving business owners to go it alone when a breach occurs.
The more common narrative is that small business owners are hit with the full force of data recovery fees, crisis management, business interruption and ransoms, as well as third-party claims for mismanagement of data. With the average cost in the U.S. growing to $221 per lost record last year, it’s no wonder that over half of small businesses are forced to cease operations within six months of a breach. In light of these staggering figures, business owners are encouraged to consider investing in products designed to protect their assets and shield them from catastrophic liabilities, just as they do with any other line of insurance.
–Nelson Aldrich is an insurance broker with WISG Insurance, headquartered in Turlock. He can be reached at [email protected]