Why Your Business Needs Cyber Liability Insurance
Fact-checked with HomeInsurance.com
It’s hard to imagine a time before Facebook, smart phones, and the internet, much less one consisting solely of cash and check books. Today, we laugh at parodied images of business accountants stuck behind large accounting books, drowning in a sea of paper because it’s outdated. Businesses of all size rely on modern electronics like computer and credit card processing technology because it’s convenient and reliable, not to mention greener.
Like everything else, convenience often comes with a price though.
Table of contents
If You Build It, They Will Break It
As computers made their way into homes and gained people’s trust, motivations became more sinister. In contrast to computerized convenience, there are hackers sending viruses like “Melissa” and “I Love You.” And cyber crimes continued to gain momentum. In 2000, the first DoS attack affected large e-commerce sites like eBay and Amazon, costing over $1.5 billion.
As large of a loss as that sounds, it was only the beginning. During the stone-age when people used paper, the biggest risks posed to businesses’ important documents were fires, floods, and physical theft. Otherwise, folders were locked in file cabinets or even storage units for years, especially when certain professions are required by law to keep records for a designated number of years, like attorneys. Now, information is stored on databases and personal computers, and cunning criminals have taken advantage of this, turning such ‘modern day convenience’ into a crime that’s a threat for practically any business. With just the click of a button, hackers and identity thieves are able to extract virtually any and all valuable, private, and confidential information businesses have in their records, and even the tiniest of security breaches can lead to just that.
A Network of Information: The Importance of Cybersecurity and the Dangers of Data Breaches
In today’s modern society, technology has allowed us to become more efficient and successful than ever, but it’s definitely exposed us to greater risks due to higher chances of security breaches.
What constitutes a security breach? The Identity Theft Resource Center defines a breach as “an event in which an individual name plus Social Security Number (SSN), driver’s license number, medical record or a financial record/credit/debit card is potentially put at risk – either in electronic or paper format.”
Given the combination of both electronic and paper records, and since many businesses still keep ‘hard copies’ in addition to electronic formats, operating without some form of cyber security is taking a big risk in an internet dominated business world. At first, cyber security began as a term describing any kind of digital problem, be it a network failure or email issues. Today, it’s taken on a more specific goal of preventing data breaches and leaks. At any given moment, businesses are transmitting millions of pieces of secure information through a vast network.
Of course, as new technology is developed, there are those who will always try exploiting it, but data breaches aren’t just the result of internet criminals.
Chris Boylan, a liability underwriter with Stuckey & Company in St. Louis, Missouri, acknowledges the threat businesses face, and says security breaches leading to cyber crimes can result from a wide array of unexpected circumstances.
“When people think of cyber liability they think of the big, bad computer virus software programmer sitting in a dark corner far, far away trying to swipe credit card info. But really, that is only a portion of the exposure out there,” cautions Boylan.
Other potential security breach threats are actually right under your nose. Employee negligence and simple mistakes can lead to breaches that potentially cost millions of dollars too.
According to Ponemon and Symantec’s 2013 report Cost of a Data Breach: Global Analysis, “human errors and system glitches caused nearly two-thirds of data breaches globally in 2012.”
These can be both intentional crimes and ones that were pure mistakes; however, even a small mistake can have big consequences, and we all know mistakes happen. Consider the following scenarios, a mixture of intent and mistake.
- A laptop is stolen from a health insurance call center. On this laptop was information on over 1 million customers including things like name, address, and social security number.
- A digital marketing company is hacked and email addresses as well as full legal names are obtained.
- A vendor accidentally sends reports to the wrong individual that contains customer credit information.
- An insurance agent, who does a lot of work on computers and smart phones, visits a few clients on an average day with their laptop and phone. The agent loses the phone and laptop one day—something that can happen easily. In just the span of a day, the agent has collected and recorded the medical histories and personal information of over 20 people electronically. For a criminal, finding something like a computer or smart phone is the pot of gold at the end of the rainbow, a wealth of information obtainable via the agent’s laptop and phone.
It’s not just replacing a precious iPhone to worry about though, and sometimes the resulting consequences just don’t seem ‘fair.’ The harsh reality making extreme cyber security measures even more important is that even if the personal information is never abused, the fact the information was lost, or rather, compromised, at all is a security breach that can still lead to some major costs.
The Best Things Come In Small Packages: For Cyber Criminals
In a world where we want all of our technological gadgets smaller, simply misplacing something like an USB drive is not only very possible, but constitutes a breach. In fact, nearly 70% of businesses have lost valuable information solely because of USB drives, and 55% of it was related to viruses stealing the information. Although some businesses have rules on USB safety, only 21% used data loss prevention tools. And smartphones should be another concern. Many employees use business smart phones every day, and according to the recent Consumer Reports State of the Net report , 40% of smartphone users don’t even take minimal steps to secure the phone.
It’s also important to note that while it’s important to protect secure information regarding employees and customers, Tim Francis, business insurance management and professional liability and cyber insurance lead at Travelers Insurance advises investigating other areas prone to attacks as well.
“Cyber exposures go well beyond the issues associated with securing private information, and can extend to intellectual property and other concerns associated with what companies post on their websites, which could result in additional liabilities and other expenses. As a result, any company that stores personal information of employees or customers, or that even just relies on computer systems to conduct business, may have some cyber exposure.”
Although businesses may encrypt files, think they have the ultimate security, and take every cautionary measure possible, many businesses surprisingly ignore what is proving to possibly be the most necessary form of IT security protection – cyber liability insurance.
Business Size Doesn’t Matter
Cyber liability insurance used to only be affordable for ‘major players,’ and was expensive and difficult to obtain due to small demand and even fewer suppliers; however, according to Tim Woods, an insurance agent with the Farmer-Leavitt Insurance Agency in Phoenix, Ariz., cyber crime losses and risks have increased so much in the last three years – for everyone — that the number of insurers offering this insurance have increased from ten to about thirty.
Small businesses often have the mindset that they don’t possess enough ‘sensitive information’ to justify paying for a cyber liability policy, regardless of how cheap it may be. While many large corporations jumped on the cyber insurance bandwagon when first developed in the early ‘90s though, now even small businesses face the threat of data breaches, and the ‘little guys’ are often easy targets.
“We all have some sort of exposure to data loss or breach of security events,” says Boylan.
In fact, according to Verizon’s 2011 Data Breach Investigations Report, in 2010, 57% of breaches occurred at companies with only 11-100 employees. Verizon’s 2012 report revealed 72% of 2011 breaches occurred at companies with 100 or fewer employees , and showed an increase of 63% when compared to breaches analyzed in 2010.
“Small businesses feel like they’re immune from cybercrime, and they’re wrong. They are absolutely on the list of potential targets of cybercriminals,” says Larry Ponemon, chairman of the Ponemon Institute.
The increasing number of cyber crimes and data breaches continuing to rise dramatically prove it’s time for everyone to start being more vigilant – and not doing so can cost a business greatly — even millions of dollars.
Although they can be costly for businesses of any size, small businesses stand to lose much more – including their business — without the financial resources large companies have. One data breach can result in shutting down a business, not just because of total information loss, but thanks to fines and remediation costs. Currently, 47 states require all businesses to notify victims of a data breach. The Securities and Exchange Commission (SEC) has even recommended that businesses inform customers of possible vulnerabilities, but some businesses are reluctant, afraid it will hurt their reputation. The resulting fines for failing to adhere to the SEC’s requirements aren’t cheap — businesses in the medical field now face fines of up to $50K per individual violation.
The alternative is to play by the SEC’s rules, although that’s still costly. According to Ponemon’s 2011 Cost of Data Breach Study, a single security breach costs about $194 per compromised record, averaging $5.5 million for a large company. That’s something a small company can’t handle though.
“For small businesses, the notification expenses for a single breach event can be astronomical and could easily cripple a small company,” points out Boylan.
If that number doesn’t sound big enough to scare any business into obtaining extra, essential cyber liability protection in the form of insurance, there are some that may.
“Regardless of the company size, the liability can prove relatively substantial. Recent reports on average incident costs range from $2.4 to $7.2 million accounting for detection, notification, post-response and lost business income,” says Woods.
According to technology research firm Gartner Inc., last year US businesses designated an average of about 5% of their IT budgets for security. In total, that’s an unprecedented $9.2 billion reserved for new security software. Hopefully, a good portion of that will be dedicated to cyber liability insurance, now an essential for even ‘mom and pop’ gas stations. Given the fact that small businesses are often left without any security protection, this could make a breach even more damaging. Despite the alarming numbers and trends, a study by AVG Technologies, an internet security software company, revealed that 52% of small business owners don’t have any kind of IT security policy.
Doug Blakey, the CEO of WatSec, which provides Cyber Risk Management for companies, sums up the reality of the online world we live in.
“All companies connecting to the internet are essentially on the same street: big multi-nationals and small ma and pa shops.”
Real Life: Hacked! – Information Loss and Long-term Consequences
So, what really happens when your system is breached? Just ask these companies.
- In April 2011, Sony was hit by hackers who stole personal information, including possible credit card numbers, from over 70 million customers. Sony failed to respond in a timely manner, eliciting complaints from authorities and customers. In the end, the breach cost Sony over $170 million dollars, and this past January, they were hit with another lawsuit.
- Data breaches aren’t always a direct hit. In 2011, “hacktivist” group Anonymous retrieved sensitive information from close to 70 law enforcement websites which included officer emails, public tips and information as well as credit cards. The group accessed the website through a small Arkansas-based marketing group.
- If hacked, information loss is only one hurdle to overcome. Wyndham Worldwide and its subsidiaries now face a lawsuit filed by the US Federal Trade Commission (FTC). Over two years’ time, hackers conducted three security breaches, resulting in over $10 million in fraud loss. The FTC claims Wyndham failed to take necessary precautions to protect customer’s information.
Cyber Security Insurance: Finding the Right Protection
Insurance is becoming more affordable and there are ways to offset the costs. Taking preventive measures is one of the pricing factors underwriters consider. Do you have security measures already in place? Is there a team equipped to immediately handle a data breach? No matter what kind of product is sold, the insurance industry always favors companies who reduce risk. Now, there’s a smorgasbord and variety of insurance options when it comes to cyber liability insurance.
“Cyber liability coverage is appearing across the marketplace in many forms. Typically, it is a monocline coverage form, but can also be added to various professional liability coverage via endorsement as well,” explains Boylan.
This allows many mid-size and small businesses to purchase the protection they need without spending large amounts of cash for a specialized policy. One such example of a standard commercial policy is technology E&O coverage. To ensure protection during a data breach, an endorsement such as ‘failed IT security’ or ‘unauthorized access’ could be added, depending on the insurance carrier. When examining how much risk an individual business runs, Personal Injury and Employment Practices Liability policies shouldn’t be forgotten either. Most insurance companies will offer benefits for liability claims made by customers, but may have exclusions regarding employees. EPL policies can protect businesses if an employee’s information is accessed by a breach, and in turn, a business is sued.
Boylan says a good cyber insurance product will include coverage for a variety of risks and losses, including:
- Privacy liability
- Data breach
- Cyber extortion
- Regulatory expenses
- Network damage
- Identity theft
- Notification expense coverage
At first, standalone policies were the only type of coverage available and included first and third party coverage. Under first party coverage, benefits help cover hard costs of a data breach. Things like mailing letters, fraud monitoring, and legal counsel are all still included in many policies, but some companies are beginning to combine the advantages of first and third party coverage. Third party coverage provides coverage for actions like responding to a class action lawsuit (hello, Sony?) and covering defense costs.
Although the search for cyber security insurance is still somewhat limited, it tends to come with a lot of extra products. It can be hard to navigate terms and coverage types, especially if unfamiliar with the techno world that needs protection. Here are some terms that are likely to pop up in a search for coverage:
- Territory: Just as vehicle insurance only insures a car within a certain territory, a cyber-insurance policy may be limited to a territory. Typically, the standard policy includes ‘worldwide’ coverage although some may offer ‘universal’ or ‘anywhere’ protection.
- Notification Costs Reimbursement: As previously stated, simply notifying affected victims can be extremely costly. At first, this was covered completely by many insurers, but now most only cover a specific number, but may help pay for a third party to assist with distributions.
- Cloud Failure: With the development of the cloud, it’s easy to share information quickly, but it also increases exposure. Under this form of coverage, the business is reimbursed if the failure of a cloud results in online earnings. This is a first party coverage option.
These are various types of coverage to either elect individually or add to a policy, including:
- Network security and privacy liability endorsement: If accused of negligence in maintaining personal information, this form of coverage provides legal defense.
- Regulatory action defense coverage: Normally paired with the above endorsement, this assists with legal costs — unless the allegations are made by the government.
- Crisis management coverage: Good PR pending a data breach is essential to maintaining reputation, and this can help cover those costs.
- Business interruption coverage: If a data breach causes a loss of business income, this coverage reimburses losses, but may come with a waiting period.
- Data restoration coverage: After an attack, the cost to restore valuable records can be high. This policy helps pay for re-implementation of systems and security measures.
- Computer system extortion coverage: Depending on the business, highly valuable information can be held for ransom. This coverage helps pay for an investigation, and if need be, will pay for losses related to extortion payments.
Like many other mishaps and misfortunes encountered in life, we often think ‘that won’t happen to me.’ Additionally, what we used to know as ‘Main Streets’ are now online, and that will only continue to elevate cyber security risks.
Boylan warns against the ‘it won’t happen to me’ kind of thinking.’
“The bottom line is that there’s exposure here whether you think you are Fort Knox or not.”