InsuranceRescue Publications

Should a Small Business Purchase Cyber Liability Insurance?

back to Publications Summary

Cyber liability. Cyber risk. Data privacy. Data breach. Personal information. Hackers. Malware. Denial of Service (DoS). Phishing. Cyber extortion. Ransomware. And so much more…

Should a business owner should be concerned about these cyber liability exposures. The answer is an unequivocal “YES!”  If your business is not properly prepared and protected, then as stated in the 1986 horror film The Fly, “Be afraid; be very afraid.”

A brief stop at the Privacy Rights Clearinghouse (www.privacyrights.org) shows that for the years 2013 through early 2016 there were 1,236 recorded data breaches with over 290 MILLION records affected. To put this number in perspective, as of July 2015, the population of the United States was 321 million people.

It is estimated that cyber-crime alone costs the global economy approximately $445 BILLION a year with the world’s largest economies accounting for around half of this.1

For readers, you as individuals should do everything possible to protect your identity. This is done by the use of better passwords, two step authorization/authentication, carefully reviewing your credit card and debit card bills each month, etc.

For small business owners who use and/or maintain consumer/client records (bank account information; credit card details for recurring payments; social security numbers, etc.), you have a very real and frightening exposure! If you don’t believe me, ask some of the senior executives at Target, eBay, Home Depot, Kmart, Adobe and a host of other major U.S. corporations – all of which have had horrendous data breaches and all of the accompanying bad press.

And cyber liability concerns are not new. In 2014 a study by the Property Casualty Insurers Association of America (PCIAA) revealed that the majority of executives see cyber terrorism as being a critical risk management concern.

“The threat of terrorism continues to grow. In addition to traditional terrorism, cyber terrorism is also a high level threat to our country’s national security,” said Marguerite Tortorello, PCIAA’s senior vice president, public affairs. “Our research shows an overwhelming majority of the executives surveyed agreed that a large-scale cyber attack against the country could have catastrophic or significant consequences to their companies’ business operations as well as the national economy. The risk managers and executives also agree that a plan is an essential part of their company’s risk management strategy.

As a business owner, what are some reasons you might need cyber liability insurance coverage? Here are two:

  • Network security breach
  • Customer privacy protection

Network Security Breaches.

This is an area that continues to expand. Hackers and cyber criminals are developing increasingly sophisticated techniques for sneaking into your business. Did you know you can purchase hacker tools such as DoS and ransomware on the Dark Web?  All of the experts agree that these types of extortion attacks will endure for years to come. And phishing emails remain a favorite, because if you send enough of them, someone most certainly  WILL click the attachment!

Many of us assume that the majority of network security breaches occur from outside the company. But we have been wrong. A 2015 IBM Security Services analysis showed that 45% of the attacks came from the outside. The remainder came from within your organization; 31.5% from malicious insiders and 23.5% from inadvertent employee actions - such as clicking that file embedded in an email.

Customer Privacy Protection

Here is the beginning of a list that can be nearly infinite, depending from which company data was hacked and the types of confidential and financial data stored. Some primary data types include:

  • Name
  • Address
  • Social Security number
  • Date of birth
  • Email address
  • Telephone numbers (cell; home; work)
  • Passwords
  • Security questions and answers
  • Health information
  • Tax ID
  • Credit card information
  • Banking information (checking; savings; debit accounts; CDs; etc.)

And remember that breached data doesn’t only mean computer security failures. Much less nefarious examples include:

  • Putting customer files/data into the garbage
  • A lost computer or misplaced USB flash drive
  • Confidential client information emailed to the wrong person

So Mr. and Ms. Business Owner, do you use, keep or transmit customer information? Do you store any confidential information that shouldn’t be shared?

What happens if your network is hacked? What is the reputational harm if customer data is stolen from you? What are the costs to “fix” these types of problems? If you don’t have proper insurance coverage, could your company even survive such a catastrophic event?

You already purchase property insurance to protect your business building and belongings. You already carry business liability insurance to protect from “normal” liability exposures (slip & fall; car accidents). So why wouldn’t you purchase an equally essential cyber liability insurance package based on your business’ cyber exposures?

Cyber liability insurance can cover many different needs in the event of a claim / loss.  Some of the examples include:

  • Client notification services
  • Available specialists to help with the claim investigation and responses to/for:
    • Clients
    • Regulators
    • Authorities
  • Additional actions
    • Forensic audits that may be required by governmental agencies or the payment card industry
    • Costs of future credit monitoring for affected clients
    • Support alleviating malware or a virus affecting your company’s systems
  • Legal defense and/or actual/alleged damages to a client who suffered
because of a data breach
  • Business interruption coverage
  • Settlements, damages and judgments related to the breach
  • Liability to banks for needing to re-issue credit cards

The topics of cyber risk and cyber insurance coverages are highly technical and are evolving daily. In order to find, select and purchase appropriately robust insurance policies offering first-party and third-party coverages, you truly need to consult with an experienced agent or broker who has dealt with this topic and who can support assess your company’s coverage needs and limits. These experts can help with:

  • Incident response planning and best practices (documented policies)
  • Audits and network assessments
  • Comparison of various cyber products and coverages
  • Employee education

If you develop a good plan and purchase the proper insurance, then perhaps you won’t need to be very afraid.

  1. Allianz Reports: A Guide to Cyber Risk. 2016

Jonathan Farris is a retired insurance executive and president of InsuranceRescue Services, LLC, a property & casualty insurance consulting firm based in Madison, Wisconsin.  Mr. Farris can be reached at jon@insurancerescue.com.