Looking to purchase cyber insurance can feel overwhelming for small and mid-sized businesses. Many assume that their size lowers their overall risk, thus making insurance seem like a cost without a benefit. However, the Insurance Services Office (ISO) noted that small to mid-size businesses comprise 64% of cyber breach victims (PDF). Being a small enterprise requires focusing on increasing your client base and keeping profits above losses. Unfortunately, as businesses become mired in day-to-day operations, they become easier targets for malicious actors.
Employees accidentally leave organizations open to risk. According to Symantec's Internet Security Threat Reports, attacks against Internet of Things devices increased by 600%, and spear-phishing emails constituted the number one attack method. Employee awareness training can be one of the most effective protections against a cyber attack. Unfortunately, malicious attackers continuously update their social engineering methodologies. Your employee awareness training may be effective in that moment, but what happens when hackers switch gears and use something new?
Cyber liability insurance fills in the gap that Comprehensive General Liability policies (CGL) leave behind. CGL policies cover traditional bodily injury and property damage arising during the course of everyday business. For example, in a grocery store, an employee drops a bottle of juice leaving a puddle. While the person goes to grab a mop, someone slips on the puddle and gets hurt. In many cases, the CGL policy covers that accident.
Unfortunately, courts have held that CGL policies do not cover data breaches, whether accidental or purposeful. These coverage determinations create a coverage gap that opens companies up to new and challenging areas of risk. Cyber liability insurance acts as gap insurance. It fills the space between the damages associated with a cyber attack and traditional CGL coverage. Cyber insurance policies should include first-party coverage and third-party coverage. These policies can be stand-alone, commercial package policies, or additional coverages added to existing policies.
Traditionally, small and mid-sized organizations felt coverage for cyber risks was too expensive. However, since 2015, the insurance industry expanded its cyber insurance offerings to meet these companies' needs.
Cyber risk insurance can be purchased through a broker or directly from an insurance company. For example, most large insurance companies such as Chubb, The Hartford, Travelers, and AIG sell solutions that fill the CGL/Cyber Liability gap for large enterprises. Large companies can more efficiently make their cyber liability decisions based on best premium offered and the coverage requested by the IT and Information Security team. Small businesses without dedicated technical staff, however, may need someone who understands their specific needs.\nWhat should small businesses look for from companies who sell cyber insurance?
You need someone who understands the risks associated with your type of business and the cyber risks associated with your market. Different risks apply to different industries which means finding a cyber insurance seller who can assess those risks effectively saves money. That grocery store juice aisle presents a greater risk for someone to slip and fall than a book store’s nonfiction aisle. Cyber risks work similarly.
For example, malicious actors target some industries more than others. On the dark web, A complete healthcare record retails for $20-$50. Meanwhile, bank records that provide access to the balance cost approximately 1/10 of that balance, but ones that stealthily transfer money are worth much more on the black market online. Whether you are local doctor’s office or small community bank, you need an insurance policy focused on your industry’s risk.
The term enterprise risk management incorporates a holistic view of your business’ overall information security risk. Thinking about IT enterprise risk management works similarly to traditional risk. A grocery store needs to examine risks arising out of employee negligence as well as potential listeria from the deli meats. Enterprise risk management within that context means taking a holistic view of your business. IT enterprise risk uses the same model, but it focuses on information and data vulnerabilities.
Large companies easily align their information to risk based on complicated mathematical models and expensive tools. Small and medium-sized businesses may not be able to align the number of records to risk if the information contained is more valuable. Additionally, if smaller organizations are not clear on the risks within their industry, they cannot correctly assess their IT environment. Smaller organizations often lack Chief Information Security officers or CISOs. They choose to transfer risk to vendors rather than manage it themselves. This decision leaves them open to additional risk since they may be unaware of a software partner’s own vulnerability or exploit.
A good cyber insurance seller will offer a holistic view of your risk as well as suggestions for mitigating risks efficiently to lower the cost of that insurance.
Small and mid-sized businesses need a cyber insurance seller who understands their security decisions. One example would be when a company chooses to work with an IT outsourcer. When a company engages with a vendor, that the vendor also poses a liability. Small businesses need an agent who can provide insights into the weaknesses in their vendor ecosystem. In the same way that a sloppy cleaning service can pose a risk to a grocery store by leaving a puddle on the floor overnight, a sloppy IT vendor poses a cyber risk to their upstream customers.
The appropriate cyber insurance plan will incorporate everything from CGL to Directors and Officers liability insurance. Companies need to think of cyber risk as part of enterprise risk management not as a single type of threat.
Traditional cyber insurance policies incorporate a variety of protections. When evaluating cyber insurance policies, small and mid-sized businesses may want to review which ones they need most. To analyze this appropriately, you need to know about the eight primary coverages areas.
Security Breach Expense: legal defense and liability arising out of a data breach.
Extortion Threats: coverage for costs if a malicious actor threatens your data.
Replacement/Restoration of Electronic Data: costs associated with lost or compromised electronic data and business interruption.
Business Income & Extra Expense: lost net income, including payroll processing costs, and additional expenses incurred while restoring business operations.
Public Relations Expense: cost to reassure the public of a company's data protections post-breach, one of the most substantial costs associated with an event.
Data Breach or Security Breach Liability: losses that come when a data security breach occurs but often require that the insurance provider do a security audit.
Web Site Publishing Liability/Media Liability: costs associated with information published on a corporate website including misstatements, private information, or copyright infringement.
Programming E&O Liability: financial damage arising out of faulty software coding.\n\n
A cyber insurance seller who understands your business can help you tailor your coverage to match your needs. For example, a general practitioner, as a healthcare provider, probably does not need Programming E&O Liability. However, as evidenced by continued ransomware attacks on the healthcare industry, Extortion Threat Coverage is likely to be important.
When working with a cyber insurance seller, small and mid-sized enterprises should ask:
What are the biggest cyber risks facing my industry?
What are the biggest cyber risks facing my business specifically?
What types of cyber insurance coverage are most important to protect my company from liability?
What information security environment risks do you see in my company’s operations? In my software?
How will you value my overall information security enterprise risk?
Do I need a standalone policy or do you think a roll-on coverage would be best?
Under what coverages - D&O for example - do I need to incorporate cyber liability insurance?
Zeguro understands the need to incorporate cyber risk as part of enterprise risk management. The SaaS platform enables organizations to track their cyber health. This tracking provides the needed insight not only to mitigate risks before a data breach can occur but to craft the best mix of coverage for the business. . As more small and medium-sized businesses automate and digitize operational functions, they will need to invest in more cybersecurity initiatives.
Hiring a single person dedicated to cybersecurity may be imperative but not cost effective. With Zeguro’s Virtual Cybersecurity Officer, organizations can assess, manage, and mitigate risk to keep their data protected.