Should You Buy Cyber Insurance to Cover You in the Event of a Data Breach?
Cyber insurance can protect you from hackers and data breaches — and yes, your small business is a target.
You may know that cyber insurance, sometimes referred to as data insurance, is designed to cover the costs incurred in the aftermath of a cyber attack. What you might not realize is that hackers are now targeting small businesses in a big way. In fact, they are some hackers’ top targets. More and more phishing scams, in particular, are aimed at small businesses.
While larger firms tend to have information security teams, “smaller businesses usually don’t have any IT breach controls in place, and therefore are at the highest risk of a data breach,” said Josh Holden, senior account executive at ABA Insurance Services.
If you haven’t considered a cyber insurance policy, now’s the time.
The risk is real
For small businesses without large cash reserves, cyber insurance can seem like just another bill that threatens to erode your capital. But if your business stores customer information or business assets online, it’s a target.
In recent years, we’ve seen a barrage of high-profile breaches — think Sony, Staples and Kmart. Neil Feather, cybersecurity expert and president of Sitelock, warned, “Many small businesses may think they are immune to these threats. The truth of the matter is, it’s no longer a matter of if an SMB will suffer a security breach, it’s when.”
Such breaches aren’t cheap. Holden said businesses lost more than $525M in 2015 alone, second only in claims to fire. “In 2013, the average cost for breach response services, and legal defense and settlement costs, exceeded $1.6 million dollars.”
Put another way: “For any business that depends on computers in the operation of their business, cyber risk is unavoidable – it’s table stakes for being in business,” said David White, chief knowledge officer at Axio Global, which specializes in cyber risk.
Are you vulnerable?
Holden recommends performing an internal assessment to determine how much cyber risk you are carrying. These questions can help inform your need for cyber insurance:
- Do you store your customers’ Personally Identifiable Information (PII), such as credit card numbers or home addresses?
- Do you store sensitive financial data?
- Does your company use credit cards to perform transactions?
- Do employees connect remotely?
- Can you afford the expenses associated with a data breach?
What you get
Traditional cyber insurance protects businesses from the financial damages associated with data breaches and other kinds of attacks. According to White, this coverage can include:
After an attack, it’s prudent to hire experts to help restore data and manage a wealth of customer issues. Insurance generally covers expenses associated with hiring external experts to respond to and recover from the event.
Security and privacy liability.
If a hack of your business results in the disclosure of customer data, prepare for civil lawsuits and regulatory penalties. Insurance can cover your legal defense.
Most policies include provisions to pay ransom demands, such as to recover data that’s held hostage by hackers.
You will probably experience some loss of revenue due to the hack, such as from service outages. Cyber insurance policies typically replace lost revenues or earnings stemming from such events.
That said, Steve Durbin, managing director of the London-based Information Security Forum, warned small business owners to “look very carefully at the fine print — many policies do not cover state sponsored attacks and may not provide you with the full financial cover that you seek. With each class action lawsuit prompted by data breach damages, case law precedents change and insurance companies adjust policies accordingly.”
An ounce of prevention
Whether or not you invest in cyber insurance, there are steps you should take to keep your business and its data as safe as possible. Indeed, insurance is only a small part of your overall risk management plan.
“Cyber insurance is no replacement for sound cyber security and cyber resilience practices, especially at small businesses. Indeed, well-resourced practices that are compliant with industry standards can oftentimes positively reduce cyber insurance premiums,” said Durbin.
First and foremost, train your employees. Feather advises: “A leading cause of data security breaches is employee error, so it is critical to educate and train employees up front.”
If your business is online in any capacity, you should also have a security plan in place, preferably written with the help of an IT or information security expert. Also make sure your site is protected by security tools. “Website security tools utilize rapidly evolving data sets and hacking trends to find and fix threats and prevent future attacks,” said Feather.
Holden underscored the importance of data breach prevention. “Small businesses need to either conduct an internal review of their data breach exposure or hire a risk management company to conduct penetration testing to determine gaps in IT infrastructure. The more proactive a business is in identifying and mitigating their exposure, the less likely a data breach will happen.”