Massive data breaches have become so prevalent that they are no longer big news. The cyber attacks that do grab headlines typically involve banks or large retailers, in which tens or hundreds of millions of records may have been stolen.
Because most businesses do not maintain confidential information on that scale, the chances seem slim that smaller firms would be the target of hackers. This may be one reason many businesses don't buy cyber insurance. But that decision misunderstands the cyber risks smaller firms do face.
In fact, most claims under cyber-insurance policies don't involve Target- or Sony-style attacks, but more mundane events. These might include employee or contractor mistakes in handling information, a lost or stolen laptop, the failure to change a dismissed employee's network permissions, or the unfortunate practice of leaving system data exposed.
Clearly, then, small businesses are not immune from external attacks. They also have less sophisticated data-security protections, making them an attractive target: Only one employee has to fall for a phishing email or click a link that imports a worm or malware before the network is compromised, leading to costs that can severely impact a company’s reputation and financial well-being.
An example: In 2013, the owner of a specialty t-shirt store, 80sTees, received notices from banks about suspicious credit card charges. Upon learning of the problem, the company stopped accepting credit cards, recoded the company’s website so that it no longer stored credit card information and notified approximately 3,500 customers that their personal information may possibly have been compromised.
The company assumed it was the victim of computer hackers. But the more likely culprit turned out to be a former high-level employee who had set up an unauthorized email account that captured information about credit card transactions.
Despite the relatively small size of the breach, the response costs were substantial. According to published reports, the breach caused $200,000 in damages, not including lost sales during the period the company was not accepting credit cards.
80sTees survived its breach. But not all firms do. In a 2012 study, the National Cyber Security Alliance concluded that 60 percent of small firms go out of business within six months of a breach. To mitigate the risk from these events, then, and protect a firm's bottom line, companies should take some basic remedial steps.
1. Businesses of any size must recognize that data security is not just an IT problem but an enterprise risk-management issue.
Data-breach risks come from multiple sources, not just external threats. Because data security should be administered on a companywide level, senior management, not IT personnel, should set the company’s policies for data management and protection, with IT’s input, of course.
2. As with any major business risk, insurance should be an integral part of the equation.
At least once a year, companies should survey their insurance to ensure adequate protection against cyber-related risks.
3. Businesses should not expect traditional insurance to cover this type of loss.
Traditional products -- such as commercial general liability policies or property policies -- are designed to cover bodily injury or damage to tangible property. Data breaches and other cyber events, on the other hand, involve damage to intangible assets such as information or computer software. For protection against that risk, companies need cyber insurance.
Third-party cyber-risk policies protect against liability and other costs arising from data breaches. These costs may include breach-notification costs, free credit-monitoring for potentially affected customers, liability and defense costs for civil lawsuits and costs to respond to regulatory inquiries.
First-party cyber insurance protects the policyholder against business interruption losses or costs to repair or restore lost data or software. In the case of a breach, a forensic team probably will have to scour the company’s system to identify and fix any problems -- and that process can be expensive.
Cyber policies tend to offer targeted coverages for discrete harms, with each coverage having a separate premium. One coverage part might apply only to data breach notification costs and claims arising from civil lawsuits; another coverage part might apply only to forensic costs to identify or fix a breach; a third part might apply to the cost to respond to regulatory proceedings.
Because cyber-related coverages tend to be compartmentalized, firms should scrutinize the risks they face and ensure that their cyber policies actually cover those potential losses.