Join our Waitlist for Expert Advice!

Cyber Insurance Offers More Than Just Protection Against External Cyber Attacks Think the Targets of this world are the only ones being hacked? Think again.

By Travis Wall Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.

Massive data breaches have become so prevalent that they are no longer big news. The cyber attacks that do grab headlines typically involve banks or large retailers, in which tens or hundreds of millions of records may have been stolen.

Related: 5 Tips to Protect Your Business From Hackers

Because most businesses do not maintain confidential information on that scale, the chances seem slim that smaller firms would be the target of hackers. This may be one reason many businesses don't buy cyber insurance. But that decision misunderstands the cyber risks smaller firms do face.

In fact, most claims under cyber-insurance policies don't involve Target- or Sony-style attacks, but more mundane events. These might include employee or contractor mistakes in handling information, a lost or stolen laptop, the failure to change a dismissed employee's network permissions, or the unfortunate practice of leaving system data exposed.

Clearly, then, small businesses are not immune from external attacks. They also have less sophisticated data-security protections, making them an attractive target: Only one employee has to fall for a phishing email or click a link that imports a worm or malware before the network is compromised, leading to costs that can severely impact a company's reputation and financial well-being.

An example: In 2013, the owner of a specialty t-shirt store, 80sTees, received notices from banks about suspicious credit card charges. Upon learning of the problem, the company stopped accepting credit cards, recoded the company's website so that it no longer stored credit card information and notified approximately 3,500 customers that their personal information may possibly have been compromised.

The company assumed it was the victim of computer hackers. But the more likely culprit turned out to be a former high-level employee who had set up an unauthorized email account that captured information about credit card transactions.

Despite the relatively small size of the breach, the response costs were substantial. According to published reports, the breach caused $200,000 in damages, not including lost sales during the period the company was not accepting credit cards.

80sTees survived its breach. But not all firms do. In a 2012 study, the National Cyber Security Alliance concluded that 60 percent of small firms go out of business within six months of a breach. To mitigate the risk from these events, then, and protect a firm's bottom line, companies should take some basic remedial steps.

1. Businesses of any size must recognize that data security is not just an IT problem but an enterprise risk-management issue.

Data-breach risks come from multiple sources, not just external threats. Because data security should be administered on a companywide level, senior management, not IT personnel, should set the company's policies for data management and protection, with IT's input, of course.

Related: 4 Ways Your Small Business Can Better Prevent Cyber Crime

2. As with any major business risk, insurance should be an integral part of the equation.

At least once a year, companies should survey their insurance to ensure adequate protection against cyber-related risks.

3. Businesses should not expect traditional insurance to cover this type of loss.

Traditional products -- such as commercial general liability policies or property policies -- are designed to cover bodily injury or damage to tangible property. Data breaches and other cyber events, on the other hand, involve damage to intangible assets such as information or computer software. For protection against that risk, companies need cyber insurance.

Third-party cyber-risk policies protect against liability and other costs arising from data breaches. These costs may include breach-notification costs, free credit-monitoring for potentially affected customers, liability and defense costs for civil lawsuits and costs to respond to regulatory inquiries.

First-party cyber insurance protects the policyholder against business interruption losses or costs to repair or restore lost data or software. In the case of a breach, a forensic team probably will have to scour the company's system to identify and fix any problems -- and that process can be expensive.

Cyber policies tend to offer targeted coverages for discrete harms, with each coverage having a separate premium. One coverage part might apply only to data breach notification costs and claims arising from civil lawsuits; another coverage part might apply only to forensic costs to identify or fix a breach; a third part might apply to the cost to respond to regulatory proceedings.

Because cyber-related coverages tend to be compartmentalized, firms should scrutinize the risks they face and ensure that their cyber policies actually cover those potential losses.

Related: Why Your Password is Hackerbait (Infographic)

Travis Wall

Partner, Hinshaw & Culbertson LLP

Travis Wall is a partner at Hinshaw & Culbertson LLP, where he devotes a significant portion of his practice to the defense of insurance companies in coverage disputes involving property and casualty insurance, reinsurance, life insurance and ERISA and non-ERISA disability claims. Wall has substantial knowledge in the area of cyber risks, and advises his clients on policy and coverage matters involving data breaches and the risks associated with the use of technology and social media.

 

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Money & Finance

The Government Is Forcing Business Owners to Share Personal Data or Get Fined $10,000 — So Why Don't More People Know About It?

The Treasury Department wants to know who owns your business, and the smaller your business, the more attention you should pay.

Growing a Business

How to Effectively Manage Intangible Assets for Long-Term Business Success

Intangible assets, unlike physical ones, may evolve to a point where the business objective no longer has the capacity to utilize them effectively. This evolution triggers the need for transformation, potentially turning an intangible asset into a product for sale.

Starting a Business

'One Size Does Not Fit All:' The Supplement Myth That This CEO Wants to Shatter

Vadim Fedotov, CEO of Bioniq, aims to personalize the supplement market by creating custom pharmaceutical-grade products.

Franchise

International Franchise Association Pushes Back on Franchise Regulation

The IFA has formally called on the Federal Trade Commission to shift its focus away from increased regulation of the franchise business model, arguing that the commission's recent actions exceed its authority.

Growing a Business

How to Reclaim Your Time and Start Focusing on Your Business's Big Picture

You can always get more money, but you can never get more time.

Business Solutions

Simplify Complex Projects and Keep Teams Aligned With Microsoft Project for $18

Stay on track, on budget, and on time with powerful project management software.