Imagine: Your company’s security fails. You’ve been hacked. Credit cards, bank account numbers, addresses, and employee names are now in the hands of strangers, ready to be spread to the rest of the Internet or be sold to spambots.
What Do You Do?
Unless you have planned ahead, you’re panicking and gearing up for expensive damage control. But if you’ve properly prepared, your first step is to call your cyberinsurance provider.
What Is Cyberinsurance?
Cyberinsurance is a growing segment of the insurance market, and it helps companies avoid huge losses incurred from database security breaches. With so much money and personal information exchanged through and stored on the Internet every day, cybercrime cannot be ignored. Small businesses especially are considered by many organized criminal groups to be easy targets with low risk and high payoffs.
Wrap your head around these numbers: The median cost of managing cybercrime for companies per year has gone from $3.8 million in 2010 to $5.9 million this year, according to a recent study by the Ponemon Institute. Those costs included money spent on security investigations, loss of productivity, software upgrades, and the value of stolen intellectual property.
Information security insurance for individuals is available from providers such as Chubb & Son and InsureTrust, potentially protecting you from crimes such as identity theft. However, the most high-profile and expensive cyber attacks are directed at companies, such as those recently perpetrated against Citigroup, Google, and Sony.
The PlayStation Effect
Following the well-publicized breaches of Sony’s PlayStation Network earlier this year, insurance carriers had a field day. Interest in information security skyrocketed, and for good reason. The attack on Sony revealed the information of more than 70 million user accounts and cost the company more than $2 billion.
Even your bank is a target. When the hacker group LulzSec broke into Citibank’s system, about 1 percent (200,000 accounts) of the company’s clients had account numbers and addresses exposed.
Aon, an insurance brokerage company, offers special customized coverage to many global corporations with increasing cyber exposures. In 2008, only about 1.5 out of every 10 of Aon’s clients were interested in or in the process of buying cyberinsurance, said Kevin Kalinich, global practice leader for cyber liability. This year, that number has jumped to 4.2 out of every 10. Interest spikes drastically after every major incident, Kalinich explains.
Most small businesses don’t have the resources to recover from a data security breach alone, and that’s where cyberinsurance kicks in.
What Is Covered
Many insurance companies have a good grasp on how to provide protection, but figuring out how to quantify the losses incurred from a breach is an inexact science. Downtime, informing users of a security risk, and protection against libel and slander accusations all cost money, and not all companies—especially small businesses—have the income to cover it. Depending on the policy, most cyberinsurance should cover the following key areas.
- Privacy and security liability relates to writing notices and paying clients for any losses that might have been incurred.
- Companies are required to notify their customers of a data security breach in most states.
- Because of these regulations, every major security breach is a PR disaster. But by working closely with the company as well as its customers, an insurance provider can help to mitigate the damage. Spinning the news, containing the damage, and trying to repair it fall under crisis management.
- Data loss and network system damage coverage kicks in when systems have been compromised or damaged. Replacing hardware and recovering files and data can be expensive. Insurance would cover this.
- After a security breach, a database may be out of commission for a few days, and service to consumers will also be affected. Coverage for business interruption, including DDoS attacks, is useful for when a company loses income because of an incident.
- If someone threatens a site or systems and demands goods to back off, it becomes the insurance provider’s job to cover the settlement, and then hire a security specialist to track down the perpetrator. Cyber extortion has become a popular method by which hackers profit from small businesses.
- Unrelated to security lapses but equally important, a company can’t monitor everything that happens on its site. Users posting in forums or comments and banner ads can all be a source of potential lawsuits. Media/web content liability coverage should protect you from these types of threats. This kind of coverage also covers accusations of libel and copyright/trademark infringement.
Weighing the Costs
Standalone policies such as AIG’s netAdvantage and Chubb’s SafetyNet and CyberSecurity have an annual premium of about $3,500 per $1 million insured. Small business policies can run up to $5,000 to $25,000 per million, with deductibles of up to $25,000, according to Small Business Review.
The cost of a policy depends largely on what kind of protection a business already has in place, says Kalinich. For $5 million in coverage limits, a company may pay approximately $50,000 in premium, while a different company in the same business with the same revenue but weaker cybersecurity protections could pay more than $100,000.
Also keep in mind that you may already be covered. Speak to your insurance provider about information security to find out what exactly is covered to avoid shelling out for duplicate insurance. Experts recommend speaking to an experienced broker who can investigate your current policy and shopping around for the best deals on an information security plan to fill in the gaps.
The Fine Print
Having cyberinsurance doesn’t mean that you can put yourself at risk with no worries—most insurance companies will ask how your systems are already protected from viruses and hackers, and some will also do on-site audits. Clients are expected to understand the risks of a security breach and to recognize scams such as those that stem from phishing e-mails.
Many policies may also include several pages’ worth of exceptions. For instance, if an employee of an organization slips up and downloads a worm or a bug, you will probably not be covered, or the plan could become drastically more expensive.
Remember that businesses buy cyberinsurance to protect themselves first. They are required to disclose security breaches in 46 states, and the companies that do have cyberinsurance want to preserve their reputations as well as they can. Their clients’ information and data are secondary.
First and foremost, decide what kind of information you need to protect. Whose information and what kinds of data does your business store? Kalinich emphasizes that different businesses and industries have wildly varying cybersecurity needs. Retailers, for instance, are most at risk from hackers trying to obtain credit card information. Healthcare providers’ greatest concern is internal—what if an employee leaks confidential patient information? Financial institutions, such as banks, are working to educate clients about phishing and other identity theft scams.
Cybercrime is dynamic and constantly evolving, so staying in the know is the only way to truly protect yourself, and even that isn’t enough. That’s why for businesses of any size, cyberinsurance is an investment that owners should seriously consider.