Telecommunications giant Verizon on Tuesday released its annual Data Breach Investigations Report, which found that small businesses are the number-one target of cyber-espionage attackers.
Almost half of the 621 confirmed data-breach incidents Verizon recorded in 2012 occurred at companies with fewer than 1,000 employees, including 193 incidents at those with fewer than 100 workers. Similarly, security company Symantec reported last week that cyber attacks on businesses with fewer than 250 employees leaped 31 percent in 2012, following an 18 percent climb in 2011. Both reports cited small businesses’ inadequate security infrastructure for protecting financial information, customer data and intellectual property.
As cyber threats become more pervasive, small businesses – particularly those in the high-technology, financial-services and health-care industries – are taking out insurance policies designed to bolster their protection from the potentially crippling costs that can accompany data breaches and other cyber attacks.
Ethan Miller, an attorney specializing in trade secrets at international law firm Hogan Lovells, has seen an increasing number of small businesses, especially start-up companies in Silicon Valley, approach insurance brokers about protecting their intellectual property. “Here in Silicon Valley, [a company’s] intellectual property is its lifeblood. Brokers not only issue property and general-liability policies, they also issue policies that specifically provide protection in the event of a hacking or security breach.”
Larger organizations – with 1,000 or more employees – typically have a risk manager who handles their risk and liability, along with a robust IT department that works to reduce the risk of a breach or attack with firewalls and antivirus software. But smaller companies, says Miller, are typically unsophisticated in their data-security methods. They may have only a CFO or chief operating officer who doubles as a risk manager. “They’re not going to have the expertise to put these protections in place up front, and that’s where a good policy can come into play,” he says.
Cyber-liability insurance policies generally cover costs incurred by the loss of trade secrets and intellectual property, known as first-party claims. They also cover damages a company must pay should a customer sue it for lost or compromised personal information, known as third-party claims. Most policies include business-interruption coverage in the event of a denial-of-service attack, under which the insurer reimburses expenses arising from such an attack. Such costs, Miller says, “can sometimes be a life-or-death issue for smaller companies.”
Cyber insurance policies also cover the cost of a forensic IT examination of how the breach or data loss occurred. Some even pay for a public relations firm to mitigate negative publicity following a breach, as well as regulatory fines and penalties.
“Crisis management is really critical,” says Miller. “Again, a large corporation would typically have sophisticated crisis management or a consultant on retainer, but a smaller company won’t, and it might not know how to send appropriate notices to customers when there’s been a breach, which is required under law.”
He continues, “The insurance company will have to reduce its risk, so it’s going to consult with customers to make sure they have specific types of protections and policies in place that a risk-management department at a larger company would already be doing.”
Miller stresses that cyber policies are not meant to substitute for diligent, proactive management of cybersecurity risk, such as sound data-protection protocols and employee education. “And the insurance company is going to demand you take these protections as part of the application, so as a practical matter you can’t become complacent or you’ll violate the policy,” he says.
As with any insurance policy, cyber-liability insurance is primarily about peace of mind. “If you’re a closely held corporation where your founders are often running the company and have the largest financial stake in it, you’re going to want peace of mind that your largest investment is as protected as it can be.”
Smaller health-care providers, which handle massive amounts of personal patient data and must comply with the Health Insurance Portability and Accountability Act (HIPAA) and other regulatory requirements, are particularly vulnerable to cyber threats. A December 2012 study by independent research firm the Ponemon Institute found that 94 percent of health-care organizations surveyed suffered at least one data breach in 2011 and 2012, with 45 percent of the organizations experiencing more than five data breaches during that time. Ponemon estimated the breaches could be costing the U.S. health-care industry an average of $7 billion annually.
Miller urges such organizations, and others that value their data highly, to look into this type of risk transfer. “Any broker worth his salt will, depending on the nature of the business a customer is in, recommend such a policy. Then the company will conduct a cost-benefit analysis.”
He concludes, “More and more often, as security breaches continue to be all over the news, these analyses weigh heavily in favor of cyber insurance. Just as a business would insure a warehouse against fire loss, a lot of companies that do the cost-benefit analysis see that $2,000 to $4,000 per year can protect against a different kind of catastrophic loss.”