Cyber Risk Insurance is the misunderstood adolescent of small-business insurance. Recent studies from both private organizations and government bureaus have found widespread confusion regarding cyber risk and its potential impact on the tech industry. These misconceptions pose a significant threat to your business.
In one recent report issued by the U.S. Department of Homeland Security, the agency found tremendous misunderstanding among small tech firms when it came to cyber threats and insurance. Many firms failed to appreciate the level of potential losses, or the ramifications of their position of direct and/or indirect responsibility. In regard to comprehending the role of Cyber Insurance, the report stated that too many businesses just don't get it.
If you don't understand the risk, you can't protect yourself against it. Exposing the truth behind a few of the prevailing myths, as discussed below, may help clear up the confusion surrounding cyber liability and insurance.
Myth No. 1: I Don’t Need Cyber Risk Insurance Because I’m Already Covered.
Standard business insurance doesn't begin to cover the specialized losses associated with cyber risk issues. (For more on cyber risk, see "Cyber Risk Reminder: Your Data Is NOT Property.") That's exactly why Cyber Insurance was created. You may already have a number of policies in place to protect your small business, and for good reason. Policies for Directors & Officers, Errors & Omissions, and General Liability are standard coverage for today's technology firms. However, they fall short when it comes to protecting you against the specific threats and losses associated with cyber risk.
Some of the leading cyber risks include…
- Invasion of privacy.
- Data tampering.
- Business interruption.
- Data or systems loss.
- PR and crisis management.
- Cyber terrorism or extortion.
- Regulatory compliance.
- Libel/slander suits arising from digital content.
- The introduction of damaging code.
- Lost and/or corrupted data.
- Lost laptops and backup media.
- Stolen equipment.
Cyber Risk Insurance is designed to provide coverage for risks that go well beyond those of basic insurance policies. Coverage can be tailored to fit the individual needs of your company, and it can address any or all of those scenarios mentioned. An insurance agent experienced in your industry can help assess the level of coverage that will protect your firm.
Myth No. 2: A Data Breach Will Never Happen to Me.
Too many organizations know those famous last words. Just ask Yahoo!. Just ask LinkedIn or Zappos. Twitter and The New York Times can also fill you in about the reality of cyber attacks.
According to statistics compiled by the Privacy Rights Clearinghouse, more than 533 million data records of U.S. residents have been compromised due to data breaches since 2005. The findings acknowledge that more and more high-profile companies are targeted, but this audit also demonstrates that small business attacks are on the rise.
These days, having Cyber Risk Insurance isn't so much about if an incident occurs, but rather when it occurs. Walgreens, JP Morgan, Chase, Target, Best Buy – these enormously successful companies are all members of the cyber victims club. That's the kind of membership your business doesn't need, but probably can't avoid. What you can do is to manage the threat with appropriate coverage.
Myth No. 3: I’ll Have to Cover the Damages of a Data Breach Myself.
The losses from just one security breach can ruin a small business. Consider this range of potential costs:
- Regulatory: Data breach notification laws are on the books in no fewer than 46 states. Compliance costs involve a slew of regulations and a legal team to sort them out.
- Notification/monitoring: Studies estimate that the cost per record for a data breach averages $214. Alerting victims of compromised data accounts for a big chunk of this price tag. (Read more about how widespread data breaches have become: "Death and Taxes... and Data Breaches?")
- Business interruption: What would it cost your operation to be down for a day? How about a week? Can you also pay for third-party business interruption?
- Cyber extortion: How would you respond to a ransom demand from a hacker who stole your company's private data? What if the data belonged to a third party?
- Legal defense for third-party lawsuits: On the big biz side, TD Ameritrade received a data breach knock of more than $6 million. On the small business end, Briar Group's price tag for inadequately securing third-party data ran into the hundreds of thousands of dollars. That's the price range at stake for your technology business – how much of that can you cover out of your pockets?
There's more at stake than the measurable assets of dollars and data. Data breach studies conclude that companies are hit hardest by lost productivity and damaged reputations. Just as difficult to measure are lost clients and the cost of obtaining new ones. Reports have shown that many tech companies can take up to a year to recover from a cyber incident.
The typical costs associated with cyber-related losses are simply well beyond what the average small technology business can afford.
Myth No. 4: I've Increased Security Measures So I Don’t Need Data Breach Insurance.
Cyber security and cyber risk management go hand in hand; they are not mutually exclusive investments. When it comes to cyber security, best practices are an absolute requirement for your technology firm. You owe it to yourself and your customers to employ every possible safeguard you can. Even so, the likelihood of a cyber event striking your firm grows every day.
A recent Ponemon Institute study revealed that 60 percent of those surveyed experienced at least one data breach in the previous 12 months. Add to that the findings of DataMotion's "Data Security Survey:"
- More than 84% of respondents claimed that company employees violated security and compliance practices.
- Only 45% of its respondents felt that employees understood data security policies. That's one heck of a catch – security measures are only as effective as the people responsible for them.
Establishing Best Practices for Data Security
There is no simple, one-size-fits-all cure when determining cyber security practices and coverage. This bottom line is confirmed by the U.S. Department of Homeland Security in 2012’s Cybersecurity Insurance Workshop Readout Report: small businesses need to find a custom fit when it comes to security policy, training, and insurance.
Protecting your tech firm comes down to assessing and managing risk. A coordinated approach of best practices, training, and insurance is crucial to survival in this age of cyber threats. Working closely with your insurance agent can help you achieve that.
Written by Brenna Lemieux - check her out at Google+ or Twitter