What is Cyber Insurance & Why do You Need it?
Every single business with a website and Internet connection – from the non-tech mom-and-pop to the largest Fortune 500 – faces cyber exposure. Attacks can come through untargeted or targeted ransomware, phishing, malware or “drive-by” infections. Sometimes, too, infections come from external agents connected with your business.
The story of a cyber attack
During the 2015 holiday season, Rokenbok Education, a small, California-based toy company of seven employees, was brought to its knees by an unexpected malware attack. For Rokenbok Education, this couldn’t have come at a worse time. The company was packed to the rafters with orders and had looked forward all year to Christmas as the time to recoup its expenses. Instead, ransom malware had infected its database, forcing Rokenbok to disrupt its business while it spent the next four days halting and repairing the damage. Rokenbok lost thousands of dollars in sales in two days. The FBI failed to find the culprits.
For Rokenbok, it could have been worse; experts say most small businesses close after attacks similar to theirs. All the same, that’s a lesson in cybersecurity they won’t soon forget.
Why do you need cyber insurance?
Think if you’re a small business, you don’t need cyber insurance? Wrong!
Almost 30% of data breaches affected small businesses last year, while more than 60% closed their doors within six months after being hacked. For phishers, small businesses are particularly appealing, with their one to 10 employees and no dedicated IT department. Most small business owners don’t know how to handle their own IT, which makes them even more vulnerable to attacks.
Cyberattacks are difficult to anticipate and to ward off. That’s partly because the most common attacks come from those closest to you – disgruntled ex-employees, vengeful acquaintances, wronged family members.
On top of that, you could be affected by innocent external agents, like your suppliers or clients, who have had their IT system infected.
Is cyber liability insurance worth it?
Rokenbok Education got off relatively easy. Larger companies, or companies that deal with particularly sensitive information – think hospitals, banks, government – could suffer far more.
Repercussions of cyber attacks
Legislation penalties. You can be fined by:
- The federal government for breaking any one of its jumble of data protection Acts, such as the most recent 2020 Federal Trade Commission Act, the Children’s Online Privacy Protection Act or the Video Privacy Protection Act.
- State government – Many states have their own data privacy laws. Of these, the most well-known are California’s 2018 Consumer Privacy Act (CCPA), New York’s SHIELD Act, the costly Biometric Information Privacy Act of Illinois, and an ongoing series of privacy bills released by Massachusetts.
- Private regulatory bodies – The HIPAA comes to mind with its strict requirements on protecting patient information. There’s the Children’s Online Privacy Protection Act of 1998 (COPPA), the Fair and Accurate Credit Transactions Act of 2003 (FACTA), and the California Online Privacy Protection Act (OPPA) of 2003. The Do Not Track legislation and the Right to Know Act are in the offing.
- You’re going to have to notify your clients and stakeholders.
- Clients or stakeholders may sue you because you’ve lost, or revealed, their private information.
- Larger companies may have to contend with intense media scrutiny.
- You’ll need to hire costly IT professionals and security consultants to fix the network and prevent such fiascos from recurring.
- You may need to hire an attorney to navigate your legal issues.
- Business losses from loss of clients and business interruption.
- If you’re a large company, you could experience a fall in your stock price.
- Are you a healthcare company that lost patient information? That can cost you up to $50k per lost record.
- If you’re a business that accepts credit cards, you can be fined up to half a million dollars. That’s before you pay the fraud and card reissuance costs.
- You’ll need to pay for credit monitoring, where specialists monitor your credit history to track suspicious activity or changes.
- Business interruption, where your company has to stop its work for weeks, if not months, because you’re locked out of your computers. On top of that, you may have lost crucial data due to a virus or data breach.
- The Feds shut down your operation due to sensitive data leaks.
- Malware and virus infections (for example) damage your infrastructure.
- Embarrassment and maybe depression caused by scams like social engineering, infringement or theft of intellectual property and cyber extortion.
- If the cyberattack was serious, a possible drop in employee morale.
Researchers from the University of Oxford and Kent’s School of Computing list 57 negative outcomes of cyberattacks.
Is cyber insurance worthwhile?
Here are the numbers to confirm it is:
- A single data breach can cost over $100,000
- Nearly 1 in 5 businesses have been hacked in the last 2 years
- Almost 50% of small business owners believe their business is vulnerable to a cyberattack.
- Ransomware attacks have accelerated 400-500% since the start of the pandemic.
The most common ways you can get hacked
Look out for these situations:
- Denial of service attack (DDoS) – Where the hacker bombards your website with traffic, preventing legit customers from accessing it.
- “Drive-by” infections – No need to click on an infected URL to become infected. Nowadays, you just need to visit, or open, a compromised website, and your computer’s a goner.
- Viruses or malware infections on your system. With malware, hackers infect your IT with software that uploads your personal information to their systems.
- Ransomware attacks, where the hacker holds your files hostage for a ransom.
According to Bryan Mahon of Keller Stonebraker Insurance, your two top threats are ransomware attacks and phishing.
So how does cyber liability work?
Most underwriters give you two tiers:
- First-party coverage that usually covers the cost of forensics and cyber security protection, as well as your legal costs.
- Third-party coverage that covers defense costs for unjustified claims from a third party, such as when a client sues you for losing or revealing their sensitive information. Third-party coverage also gives you media liability that covers your reputation damages along with fines incurred by violating data privacy regulations.
Cyber insurance does not protect you from at-fault incidents, such as if you used public Wi-Fi when working on sensitive documents.
How do you decide which insurance to buy?
No two policies are the same. In essence, you’ll want to consider items like the size of your business, the dependence of your business on technology, your business needs, your client demographics, and how much you use email and internet in your business.
This article spoke about non-tech small businesses that are exceptionally vulnerable to cyberattacks, but as you move from medium to large businesses, their information becomes more sensitive and sophisticated, while their IT systems are more complex. If any one of their endpoints were breached, they could lose millions of dollars and/or become bankrupt. Larger companies, too, face harsh regulatory requirements and penalties for violations.
So is it expensive to get hacked without having insurance? Yes. And you could go bankrupt. That’s something you want to avoid!