Cyber liability: Not just for technology businesses anymore

Our IT manager recently ran a list of attempted hacking breaches on our server. The results astonished me: a 60-page, single-spaced report listing all of the attempts … just in a 24-hour period!

Up until recently, the most significant risks that a business faced were related to bodily injury or property damage. For many businesses, all the data about employees, vendors, customers, and operations has created an even larger loss exposure.

Unfortunately, because of the size of their businesses, many business owners do not believe they are targets for cyber-criminals — when just the opposite is true. While many larger businesses have improved their network security systems, many small and medium-sized businesses are unaware of their vulnerability and have not taken the steps to properly protect themselves. In fact, from 2011 to 2012, the share of cyber attacks on employers with fewer than 250 employees increased by nearly 200% (moving from 18% of all attacks in 2011 to 31% in 2012), according to the 2013 Symantec Internet Security Threat Report.

Regardless of industry, every business is required to protect personal information, and it’s difficult to think of any business that doesn’t have some sort of personal information saved. For some organizations, such as health care providers, financial institutions, and educational institutions, the duty of care can increase. In its most basic sense, personal information is a person’s first and last name — or a first initial and last name — combined with any one or more of the following:

  • Social Security number
  • Driver’s license number
  • Financial account number
  • Biometric indicator

To examine how even a small business can have significant exposure, let’s consider a local sandwich shop that completes 300 credit card transactions per week. Now imagine that a cyber-criminal hacks into the shop’s computer system and steals a copy of every credit card transaction for the past year — about 15,000 records. How much exposure does the shop have?

According to the Ponemon Institute, the average cost of each compromised record is $214, so the sandwich shop would have a loss exposure of more than $3.2 million. By the way, the Ponemon Institute only includes the costs of notification and lost goodwill to the business — not any resulting damages/losses experienced by the compromised individuals.

(Continued)

 

Some of you may be wondering about third-party credit card processing services, but many of these service agreements severely limit or completely transfer the risk for unauthorized access back onto the business itself. If you have one of these agreements, you should review it in detail.

The traditional insurance products this sandwich shop purchased — such as property, general liability, and crime — do not cover data breach or other cyber exposures. In fact, the Insurance Services Organization, which authors the majority of policy language for traditional insurance carriers’ products, is introducing revised policy language to further clarify that the policies do not provide coverage for cyber exposures.

To address this — and pay for the notification costs and potential lost goodwill resulting from a cyber attack — some form of “cyber liability” coverage should be purchased. Something to be aware of is that unlike traditional insurance products, cyber insurance products have neither standardized policy form wordings nor definitions, meaning not all policies are created equal. A knowledgeable insurance agent/broker can help identify the exposures faced by your business and craft a policy to address the gaps/concerns.

Steve Squires is the president of Hausmann-Johnson Insurance, one of the area’s largest insurance agencies. He has spent a lifetime counseling businesses and individuals about minimizing risk and maximizing peace of mind.

Click here to sign up for the free IB ezine – your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.