Why Do I Need Cyber Security Insurance?
Cyber security risks are becoming more relevant every year. According to CNBC [1], about half of small businesses in the U.S. have experienced at least one data breach, and half of those have experienced more than one. According to the 2017 Ponemon Institute Cost of Data Breach Study [2], the average consolidated total cost of a data breach is $3.62 million. The U.S. has the highest costs, both per record and per incident, and the average size of data breaches has increased 1.8 percent over the last year.
Cyber-crime is real and can hit anywhere. While only the big hacks make it to the news, it’s the small businesses that should be most concerned. Small businesses are particularly susceptible to attack since they often operate without IT departments. Hackers, or anyone trying to steal confidential data from a private database, start small with the intention of gaining access to larger databases. In the case of Target’s data breach in 2013 [3], Target’s data was accessed through a much smaller business partner who was hacked first, giving the attackers access to the parent company’s databases. Target’s data breach holds the record for the highest settlement costs resulting from a data breach: $18.5 million! Along with affecting 41 million customer payment accounts, the breach affected contact information for more than 60 million Target customers. This was a historic event, as it set new industry standards for companies that process payments and maintain confidential data for their customers.
If you aren’t protecting your data, backing up your data and insuring your equipment, then you are leaving a large exposure in your risk management plan. It only takes one attack for your customers to lose faith in your cyber security. If credit card information is stolen from your computer server, customers are not likely to provide credit card payments in the future. This is also known as reputation management: having a good cyber liability plan makes you feel secure, and it makes you look secure to your customers as well. There can also be legal repercussions if you are collecting private data and not securing and insuring it. The Wyndham hotel chain was sued by the federal government in 2012 after being hacked three times in two years. Sensitive customer files, including credit card numbers and personal information, were stolen by Russian hackers who racked up more than $10.6 million in fraudulent charges [4]. That is a pretty big bill to pay if you’re not insured, not to mention the clean-up and recovery responsibilities such as notifying customers and providing credit monitoring.
The bottom line is if your business electronically handles customer payment, medical information, private customer data, such as social security or driver’s license numbers, or customer profile information, such as addresses and phone numbers, then your business needs some form of cyber liability insurance. Let The Insurance Shop specialists help you determine which type of coverage and how much you need. We are well versed in cyber security and up to date on this quickly evolving line of insurance.
[1] As reported by CNBC, April 5, 2017.
[2] The Ponemon Institute’s Cost of Data Breach Study is an annual study sponsored by IBM.
[3] As reported by USA Today, May 23, 2017.
[4] As reported by CNN, June 26, 2012.
What Does Cyber Security Insurance Cost?
Since cyber security is still a rapidly growing facet of the insurance industry, there are many companies that are not interested in writing cyber policies. Simply put, they don’t know enough about it or how to predict risks and costs, making it a very risky and expensive exposure to insure. While premiums may be steep, paying higher rates is still preferable to bearing the cost of self-insuring. According to the 2017 Ponemon Institute Cost of Data Breach Study [1], the average cost per record is $141. The costs don’t stop there, though: there are forensic examinations, which typically cost $20,000 to $50,000, and Payment Card Industry (PCI) fines, which can range from $5,000 to $50,000. Other expenses include replacement credit cards, credit monitoring services, public relations services and any necessary additional labor. Many states have strict data breach notification laws as well; if you aren’t aware of the regulations you will be fined and penalized, even sued in some cases. The actual cost of the notification may be onerous when many clients are affected.
When working with your agent, make sure to discuss all the preventative measures in place at your business. Insurance companies like to see risk mitigation and often give discounts for extra steps taken by policyholders to reduce risk. As with most insurance coverages, packaging always helps with discounts! Try rolling cyber liability into your business owner’s policy or commercial package policy.
[1] The Ponemon Institute’s Cost of Data Breach Study is an annual study sponsored by IBM.
What are Common Cyber Security Claims?
There are seven incidents that commonly lead to a data breach.
- Lost or stolen devices.
- Phishing emails.
- Hardware/software failure.
- Human error.
If you believe your business has been a victim of a data breach or other cyber-crime, stop what you’re doing and follow these steps:
- Cease all online activity.
- Call your insurance agent (they often have lists similar to this one that may be more detailed or better suited to your industry).
- Contact your IT administrator, if you have one.
- Attempt to quarantine affected hardware, such as disconnecting infected computers from the network.
- Contact your bank and disable online access to accounts.
- Notify any business partners or other stakeholders.
- Notify your insurance carrier.
- File a report with the police department.
Depending on the amount of coverage in your cyber liability policy, you’ll get some help with a few of these steps, such as notifications.
How Can I Reduce my Risk?
There are a number of ways to reduce your risk of a data breach. Many small businesses use contractors or third parties to administer their websites and IT networks. If this is the case for you, then start with your administrator to find out what steps he/she is taking to prevent loss and monitor fraudulent activity. Here are some sample questions to get your conversation started:
- Do we have a virus protection program, used on both internal and external servers?
- Do we use standard or custom configurations for firewalls, routers and operating systems?
- What is our process for managing client accounts, including removal of inactive or outdated accounts?
- Are there any physical security systems in place controlling access to our systems?
- Is there anyone specific responsible for information security and compliance?
Essentially, your business needs safeguards, and the more you do to prevent data breach incidents, the better the rate you will get on a cyber liability policy. Set standards and processes for proper data management by implementing the following steps:
- Use encryption on all sensitive data.
- Decide what information you will store and for how long.
- Require strong passwords from both clients and employees accessing company networks.
- Protect hardware by keeping PCs updated and loaded with monitoring software like anti-virus and anti-spam programs.
- Assure your email system is secure or switch to a more secure system.
- Limit employee access to the internet by excluding any non-work-related websites.
- Obtain secure website capability, such as a firewall that includes anti-virus, anti-spyware and anti-spam services along with content filtering and intrusion prevention. It can also provide detection and real-time reporting.
- Assure you have policies in place for working with third-party vendors (e.g., banks, shredding services, credit card processing services).
- Make sure to update your policies often, providing training for employees when needed.
- BACK UP YOUR SYSTEM! Having a regularly scheduled off-site backup will come in handy on more occasions than just data breaches.
Preventative measures work really well, but unfortunately, hacker technology is evolving just as fast as the protection against it; hence the need for an incident response plan. Some businesses even have incident response teams, either in-house or through a third party. The 2017 Ponemon Institute Cost of a Data Breach Study [1] reports the average cost per record lost was $141 in 2016. It continues to show that businesses with predetermined response teams and plans shaved off about $19.30 per record. A small hair salon could have 30 to 100 customers per day, meaning its total customer records could be in the thousands, if not more. If 1,000 customer records were compromised, that would be $141,000 in recovery costs. However, with a good response plan or team in place, that salon could save $19,300!
Frequently Asked Questions
- What is the difference between cyber liability insurance, data breach coverage and technology errors and omissions insurance?
Cyber liability will insure your third-party data, while data breach coverage covers the policyholder’s data. Technology E&O applies to services rendered or products designed, such as websites and software.
- Does cyber liability cover my computer or any electronic equipment?
Not usually. A general liability policy may cover computer equipment damage and loss.
- Is cyber liability insurance required by law?
There are many state and federal, as well as industry-specific, regulations regarding how you secure customer information. Whether or not you wish to insure against the risk of data breach is up to you, however.
- Is there more than one name for cyber liability insurance?
Yes. Since this type of coverage is relatively new to the marketplace, the standards are still being determined, and thus different insurance companies may use various terms. Some terms that are synonymous with cyber liability insurance are cyber risk insurance, information security insurance, privacy insurance and media liability insurance.