Cyber insurance can help small businesses recover from a data breach – but finding the right policy for your business can be challenging. These tips will help you find the right cyber insurance policy.
Cybersecurity firm 4iQ recently released a report studying 2018 data breaches. According to the report, an average of 217,000 pieces of consumer data were compromised during the typical data breach last year – that’s down 4.7 percent from 2017. While this might seem like good news, it’s actually a sign that smaller businesses are increasingly becoming the victims of data breaches.
“If you are a small business and collect and store credit card information or even if you just transmit information by email, you run the risk that this information will end up in the hands of the wrong person,” said Dave Stanard, representative for THREE by Berkshire Hathaway, a provider of insurance for small businesses. “Most small businesses are at risk of a data breach.”
Smaller businesses face an even greater risk because they often lack the money to invest in the software and IT infrastructure to keep hackers at bay. And when a data breach hits, they don’t have the resources to cover the costs of restoring their computer systems or surviving any business losses they suffer because of the attack.
That’s why small-business owners should consider investing in a cyber insurance policy. This insurance protects businesses if they suffer a data breach, covering the costs of restoring damaged computer systems, paying out to help business owners defend themselves in lawsuits and reimbursing these owners if they must shut down their businesses while recovering.
The challenge? Choosing a cyber insurance policy isn’t an easy task. Business owners must research policies to determine if they provide enough coverage. They must look at their own companies, too, to determine how much protection they need.
How to choose a cyber insurance policy
Why you should consider a cyber insurance policy
Stanard said small-business owners need to take a series of steps in the wake of a data breach, including:
- Determine how much data has been compromised and what personal or financial information from customers has been leaked.
- Make sure to follow all state and federal regulations governing the notifications and actions small businesses must take after a breach.
- Consider launching a public relations effort to defend themselves from critics following a breach.
- Restore operating systems and recover stolen data.
- Seek legal advice. Customers might sue small businesses for exposing their personal and financial information. Defending against these lawsuits can prove expensive.
All of these steps can add up. Businesses without cyber insurance to help cover these costs might struggle to remain open.
Sara Jodka, a cybersecurity attorney for the law firm Dickinson Wright, said the cost of a cyber insurance policy needs to be included in any small business’s budget.
“The market is growing and small businesses have been taking steps to protect themselves,” said Stanard. “But this [cyber insurance] is still a very young product. The policies can be complicated. It’s hard to distinguish what one might cover and what another won’t.”
What to consider in a cyber insurance policy
David Dufour, a Boston-based expert on cyber insurance and vice president of engineering for Webroot, a cybersecurity provider, said small business owners need to consider several factors when determining if they need a cyber insurance policy.
- Look at what data you handle. Does your business collect your customers’ Social Security numbers, addresses, birth dates and email addresses? Do you collect their insurance information or credit card numbers?
- Look at the legal ramifications you and your customers might face if this data were stolen and sold on dark web marketplaces.
All businesses today should install security software to help keep malware and viruses away from their computers. They should also invest in training their employees to recognize and avoid online phishing attempts and other scams.
However, even the most expensive security tools might not be enough to prevent a data breach.
A cyber insurance policy can help, for example, by paying to restore a business’s operating systems after an attack.
Businesses that handle sensitive data from customers also need to take extra care to protect their information and make sure they are not violating any state or federal regulations.
A cyber insurance policy that provides protection can help in case businesses are sued by angry customers after a data breach.
Cyber insurance: Read the fine print
You can find cyber insurance from traditional insurance companies such as Nationwide, Travelers, The Hartford and AIG, all of which offer their own policies.
Donna Grindle, founder of Kardon, a Tucker, Georgia-based HIPAA consultant, said she and her staffers regularly advise small-business owners on the importance of cyber insurance policies. She said many of these policies start with $50,000 of coverage – which often isn’t enough.
“That can be blown through in a day because you have multiple lawyers, digital forensics, consultants, PR, tech staff, hardware or software expenses and much more to deal with on day one,” Grindle said.
When considering a policy, Grindle recommends businesses consider the type of data they store, the federal and state regulations that apply to that data and the importance of protecting their reputation.
The challenge lies in finding the right cyber insurance policy, Jodka said.
- Some policies don’t offer enough protection, while others are marked with loopholes that could leave small businesses without the payouts they need to survive a breach.
- Some policies might label cyberattacks that originate from foreign countries as a form of terrorism, Jodka said. These same policies might state that they don’t cover acts of terrorism.
- This could leave a small business without the financial support it needs if the data breach hitting its company originated overseas.
- Other cyber insurance policies will cover terrorism if business owners request this as a rider to their basic plan.
- This addition might boost the annual premium of a policy, but it does offer the additional protection that business owners need.
Remediation: Why you need it
Remediation is another important part of a solid cyber insurance policy, Jodka said.
- After an attack, businesses will have to pay security experts to remove viruses and malware from their computers.
- They’ll also have to pay these experts to restore their infected computers and build a stronger security network to reduce the odds of another cyberattack.
“You want remediation to be included” in your cyber insurance policy, Jodka said. “It’s not just about patching the breach. It’s about putting in and paying for a cybersecurity infrastructure to make your system better than it was prior to the breach.”
Business continuity coverage
This coverage will reimburse small-business owners for the losses they suffer if their business goes down, even briefly, after an attack. It should also be a part of any cyber insurance policy, Jodka said.
- A small business might provide electronic health records. After a breach, its computers might be down for several days.
- During this time, this business won’t earn any revenue. Business continuity coverage will pay out to help ease this financial strain.
More cyber insurance fine print
Another issue for business owners: Cyber insurance policies often contain a list of steps owners must take to protect their data and operating systems.
- A policy might state, for example, that business owners must properly back up their data and must install current anti-virus software.
- Other policies might require regular cybersecurity audits.
“If business owners are not following these rules, their policy is void,” Dufour said. “A lot of people think they just buy a policy and they are automatically covered. That’s not necessarily true.”
Jodka said cyber insurance has become a necessity for all businesses today.
Your business might be protected by the top security software available. But that doesn’t mean an employee in your human resources department won’t accidentally click on an infected link that floods your computer system with malware, or that a manager won’t accidentally send your clients’ personal and financial information to a hacker.
“You can pump all the dollars you want in building out a security framework and infrastructure,” Jodka said. “But something can still happen. Human error could be involved. You need insurance to catch you when it happens.”