Follow the Leaders
It’s no secret that cyber attacks are on the rise, and, like it or not, an attack could have devastating effects on your business. October is Cyber Security Awareness Month, so we wanted to ask: If all systems fail – if your security protocols don’t work and your worst day comes – do you have the right cyber security liability insurance in place to save your business?
Not all data is created equal when it comes to cyber security risk. Two forms are the most prized by hackers: PII, or Personally Identifiable Information – which includes things like customer names, social security numbers, banking or payment information, user IDs and passwords – and PHI, Protected Health Information – which includes information concerning patient health status, provision of health care and payment for health care.
If an employee opens an email and exposes an entire company to a phishing scam – or if a server on the cloud gets hacked and exposes millions of customer records to cyber criminals – it hurts everyone involved. For business owners, it can be especially painful.
According to one study, data breaches cost companies an average of $221 per compromised record – of which $145 is attributed to indirect costs, which include abnormal turnover or churn among customers – and $76 represents direct costs incurred to resolve the breach, such as investments in upgraded technology and legal fees.*
Winters-Oliver Insurance is a 71-year-old family business. Ben Winters, CIC, joined the company in 2010, and since then, he’s seen an increase in the need for cyber security liability coverage.
“Relative to the insurance industry, cyber security coverage is a fairly new product,” says Winters. “It came out in the late 90s, and we’ve seen maturation in the last 10 years in terms of coverage and response to the new information-sharing and technology-driven world we live in.”
“Many small business owners I speak to about cyber security insurance think, ‘I would never land on anyone’s radar.’ But most businesses, regardless of industry, are now regulated as far as how they protect their data, whether they know it or not.”
Winters says that if a business is found negligent in terms of causing a breach or allowing information to become compromised and fall into unauthorized hands, it is then required to respond. Federal – and sometimes state – guidelines apply.
In some cases, federal guidelines require the business to report the breach, notify (via U.S. mail) all those affected and provide credit reporting to those individuals for at least a year at the business’ expense. Additionally, federal guidelines require the business to create a website dedicated to handling notifications about the breach. The business must also set up a call center to further respond to inquiries that might result from notification.
“You can see how this can get pretty expensive pretty quickly,” says Winters. “The right cyber security liability policy will cover these kind of expenses.”
As expensive as it is to respond to cyber attacks, 2016 research reports that the biggest financial consequence to organizations that experience a data breach is lost business.*
Is your small business at risk?
We asked Chris Moschella, CPA, Risk Advisory Manager and leader of the Cyber Security team at Keiter. “Literally every company has PII – if not through their own clients, then through the employee information they have to gather each year for tax purposes,” he explained. “Does it mean everyone needs cyber security insurance? Maybe, maybe not. I would say that as the amount of data a company holds on behalf of its clients grows and the amount of sensitive information they house grows, then the need for cyber security insurance increases commensurately.”
Ben Winters agrees. “The more the information has to travel, the greater the risk or exposure.”
A thorough risk assessment is essential to understanding exactly the type of coverage your business may need. Coverage often includes a combination of four components: errors and omissions, media liability, network security, and privacy.
Network and privacy coverage can protect you from direct costs, like responding to a privacy breach or security failure (first-party coverage), and third-party claims against your business.
“A really good cyber security liability policy will have seven or eight coverage components, including options for communication or media liability coverage and third-party coverage,” adds Winters.
His process begins with an in-depth conversation with business owners. Winters works with them to jointly craft a policy after he learns about the type of data the company manages and distributes, how payments are processed, and what physical and social media security policies the company has in place.
Keiter’s Chris Moschella agrees with Winters’ approach.
“You want to make sure you’re working with a broker who really understands cyber security,” he says. “Look for brokers who have been a part of big claims and are active in the cyber insurance industry. They should ask you pertinent questions about the data you process. If your conversation with them is more consultative than ‘sales-y,’ you’re probably talking to a good broker.”
Should the worst happen, your insurance claims adjuster will be on your side to help you get through the disaster. “Most insurers have claims adjusters who are cyber liability experts,” explains Winters. “They will immediately go to work to determine if you were really breached and where it came from. They’ll help you set up the call center and website you’ll need and help you restore your data.”
Read more in this recent Virginia Business article.
Join Chris Moschella on October 20 as he presents “Cyber Security: Demystifying the Essentials for SMBs.” You’ll learn what all small and mid-size business owners should know about cyber security and how to start identifying your risks so that you’re able to develop a sound cyber security strategy, make informed investments, and ultimately minimize the likelihood and impact of a cyber attack.
*Source: “2016 Cost of Data Breach Study: United States.” Benchmark research sponsored by IBM, independently conducted by Ponemon Institute, LLC, June 2016.