You’ve firmed up firewalls, strengthened passwords, and locked up hardware—all in the name of securing company computer systems from malicious hackers. But what if you’re breached anyway? There’s protection that more small businesses are starting to choose: hacking insurance.
Cyber liability policies are being issued to cover everything from the cost of informing customers and post-attack credit-monitoring accounts to the loss of business from denial-of-service attacks. While some traditional policies include coverage for computer-related losses, the rapidly expanding methods of data breaches mean business protection plans have had to adapt to an increasingly menacing digital landscape.
Small businesses haven’t exactly been keeping up: Symantec’s 2013 Threat Report estimated 31 percent of all attacks targeted U.S. companies with fewer than 250 employees, up three-fold from the year before. Yet 83 percent of SMBs surveyed told the security software maker and the National Cyber Security Alliance they weren’t concerned about the rise in hacking, with 59 percent reporting that they had no contingency plan in place in the event that they were breached.
“When we focus on hackers in the news, small businesses take that to mean it’s a problem for big conglomerates,” says Gary Sutherland, chief executive of the North American Professional Liability Insurance Agency in Framingham, Mass. “Most don’t believe they’ll be hit. They don’t think they’re big enough.” He points to a recent case where a small accounting firm’s staffers showed up on a Monday morning and found they were unable to log in to their computers. When managers investigated their locked equipment room, they discovered what may be many small businesses’ worst nightmare—all of their servers were gone.
The industry that aims to ease the pain from these worst-case scenarios is growing: In June, The Betterley Report, an independent guide to specialty insurance products, pegged the cyber-liability market at $1.3 billion for 2013, up from $1 billion a year earlier. (Sutherland estimates small businesses with cyber coverage still only account for 3 percent of that market.)
Jared Kaplan, senior vice president of products at Chicago-based Insureon, says he’s seen a two- to three-fold increase in demand, particularly as doctors and other health-care firms summon technology to adapt to HIPAA privacy protections and navigate the Affordable Care Act (known by some as ObamaCare). “We’re seeing real-world examples of hacking every day now,” he says. “The whole world is digitizing and it affects everything. The key is to manage the risks appropriately.”
But if you’re still in denial about the threat to your small business, don’t think you won’t be held responsible if the unthinkable occurs. Letting customers know their private data may have been stolen isn’t just the right thing to do; it’s also the law in a majority of U.S. states. There’s no single federal law, and rules differ from state to state, with varying mandates on how to alert clients (in writing or via email) and even in the definitions of what constitutes “personal information.” (Here’s an interesting guide to the requirements.) Some states require that the state attorney general’s office be informed.
Sutherland estimates the cost of a data breach for even small companies totals around $100,000. Other industry observers put the average at as high as $250,000. Even at the lower price, it’s enough of a surprise expense that could break the bank for most small enterprises. Sutherland says he dealt with a West Coast small business that had an intruder steal a laptop from their front counter—not for the data inside but for the perceived value of the machine, police said. Still, the computer contained stored customer information, and the theft triggered a chain of costly mandatory notifications and procedures that led the firm’s owners to decide to sell the business.
How does cyber-liability coverage work? It can be an add-on to a basic policy or a separate, custom product. Depending on how it’s written and a business’s specific needs, there’s coverage for post-attack forensics, malware and ransomware damage, crisis management services and marketing, as well as legal settlements and penalties, and even actions by rogue employees.
Policies are generally designed to cover two tiers, known in the industry as first and third parties. First party coverage applies to a business’s losses incurred by the breach and its aftermath; third party refers to expenses sought by clients, including class action lawsuits, claims from vendors or customers, or penalties.
The price of a policy varies, depending on the size of the firm and the operations that need protection. Sutherland says annual coverage for the smallest businesses can be in the ballpark of $2,000; for firms with 100 or so employees, expect to spend around $15,000 per year.
Where to begin? Look first at your main policy, Kaplan says. A standard BOP—or business owner’s policy—may cover general liability for items like theft or physical damage, while data breaches could require an optional add-on.
Then think about what needs protecting. Are all documents shredded? Where are paper files stored and who has access? What if an employee’s portable device, thumb drive, or smartphone with customer data went missing? What if a vendor was negligent with your private information?
“It seems exponential in the ways to cause damage now,” Kaplan says. “We’ve had to do our own effort to keep things protected. There are still lots of things people can do to mitigate the universe of computers.”