The phrases “data breach” and “cyber attack” routinely make headlines, typically in reference to a large corporation that has been afflicted with one of the aforementioned ills. While cyber attacks on high-profile companies are often newsworthy for the scale and breadth of the breach, studies have shown that smaller businesses are actually at greater risk of a data breach than their larger counterparts.
If your business has a website, accepts credit or debit cards, stores information on a server or in any other electronic information repository, it is a target for cyber criminals. Cyber criminals can obtain customers’ social security numbers, credit card numbers and other personal identifying information. In addition, they may also gain access to sensitive business information, such as bank account numbers or intellectual property.
Recovering from a data breach can cost a business thousands of dollars as well as reputational harm. Despite this, small businesses may be unaware of the risks presented by cyber attacks or they may simply not have the resources to ensure that their data is properly secured.
Whatever the reason, the one step that small and medium-sized businesses can take to guard against the financial hardships that can result from a data breach is to purchase cyber-liability insurance.
Regardless of size, essentially every organization that uses technology to conduct its business faces cyber risks. Under Connecticut’s new data security laws, effective Oct. 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached.
Of note, the law also requires the provision of at least 12 months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.
Cyber liability insurance is designed to cover the first and third-party risks associated with doing business in the technological age. Coverage provided by a cyber liability policy may include:
• Reimbursement for expenses incurred by your business in responding to a covered event;
• Notification costs to notify customers and other individuals impacted by a covered event;
• Costs of credit monitoring and credit restoration services provided to impacted individuals;
• Public relations consultation expenses in the event of a covered event;
• Loss of business income; and
• Defense costs in the event that legal action is taken, including fines and penalties.
When purchasing cyber-liability insurance, an important consideration is whether the policy has “pay on behalf of” or “reimbursement” wording. A “pay on behalf of” policy requires the insurer to pay covered expenses directly, as opposed to having the insured pay and submit those expenses to the carrier for reimbursement. A “pay on behalf of” policy is generally preferable, albeit more expensive, as it does not require a business to pay for costs up front out of its own pocket and puts the onus on the insurer to manage the breach response process.
Recovering from a data breach or other cyber attack can result in financial hardship to any business. According to a 2013 National Small Business Association survey, 44 percent of small business respondents suffered at least one cyber attack and lost an average of $8,699 in the process.
In 2014, the number of small business respondents who suffered a cyber attack grew to 50 percent and associated losses more than doubled to $20,752.
These incidents have become an expensive reality and, unfortunately, are not going away anytime soon. It is, therefore, imperative that small businesses take the necessary steps to mitigate these risks.
Cybersecurity & Data Privacy