Does your business need cyber insurance?

By Kevin Rankin, Senior Underwriter, Chubb North America

What you need to know before purchasing cyber insurance.

With data breaches at large firms making headlines daily, it seems clear that cyber insurance is an important tool for major companies to consider. But many don’t realize that even small and medium-size businesses can be at risk of a cyberattack or data breach and can help protect their businesses by purchasing cyber insurance.

According to the 2014 Cyber Claims Study by NetDiligence, 24 percent of companies with revenues from $50 million to $300 million experienced cybercrime incidents. The average cost for forensics, notification, legal advice and other crisis services was $366,484, and the average cyber insurance claim payout was $733,109.

Indeed, cyberattacks on small and medium-size businesses are on the rise. Consequently, there are several things that smaller companies should consider when it comes to buying this type of insurance:

  • Understand your business’s unique risks. Your company’s risks depend on its size and the type and amount of data it manages. Retailers and health-related companies hold or process large amounts of personal information (in the form of credit card numbers or health records, for example), so they are particular targets. Companies in other sectors have valuable intellectual property or sensitive information about employees, clients or vendors. Additionally, businesses also should review how that data is handled and stored to identify where potential breaches can occur.
  • Consider a rider to your crime insurance policy to protect against social engineering fraud. In 2014, the FBI reported an increase in social engineering scams, in which fraudsters gain the confidence of an employee to induce him or her to part with money or securities. Social engineering fraud and scams are increasingly common. Smaller organizations often are more vulnerable to fraud because they may lack financial or wire transfer controls that larger organizations routinely employ.
  • Implement an incident response plan and talk to an agent about stand-alone cyber policies. Once private information is lost or stolen, the damages and containment costs can quickly add up. An organization with an updated and tested incident response plan is generally able to respond to a breach event quickly and efficiently and in a cost-effective manner. To transfer some of the risk of a cyber incident, consider adding a stand-alone cyber policy to your company’s risk management program. Different cyber insurance policies can cover a variety of areas, so it’s important to have an agent outline available options and their costs. Finding an agent — and an insurance company — that is readily available after a cyber event occurs also can be invaluable.
  • Research first-party and third-party cyber coverage and pay only for what you need. According to the buyer’s guide to cyber insurance from the law firm McGuireWoods, insurers offer coverage for losses to the policyholder’s own data and lost income (first-party coverage) and losses suffered by customers, clients and governmental entities (third-party coverage). First-party coverage may include theft and fraud, forensic investigation, business interruption, extortion, and computer data loss and restoration. Third-party coverage may include litigation and regulatory penalties, regulatory response, notification costs, crisis management, credit monitoring, public relations and liability for breach of privacy.
  • Read the fine print. Cyber insurance policies can be complex, so be sure to read the details to learn about exclusions that could leave your business with less protection than you thought you had. In particular, does the policy require that your business have procedures and controls in place to protect its data — and keep them updated? A policy also may require you to maintain security patches on systems and enhance risk controls, so be sure to ask your agent, or the insurer directly, what your role is in preventing or limiting a cyberattack.

While it may seem that the biggest impact of cyberattacks is on the country’s largest companies, they also have the deepest resources for recovering. For small and mid-size businesses, having cyber insurance — or purchasing a rider to an existing business policy — can bring similar protection and peace of mind.