The cost of a data breach can be devastating for a business.
Consider these stats: Hackers target small businesses 43% of the time, and only 14% of those businesses are prepared to protect themselves, according to a recent Accenture study. The average cost of a cyberattack to a small business in the U.S. hovers around $25,612 a year, and 23% of the country's small businesses suffered at least one cyberattack during the past year, according to a report by Hiscox.
Sean Pechan, risk management practice leader at BOK Financial Insurance®, warns that businesses of every size have cyber-related exposure.
"It's not just multi-million dollar companies that are at risk of being targeted by hackers and cybercriminals," he warned.
The cost of attack
Without a protective insurance policy in place, the cost of a data breach can be enough to shutter a small business.
"There are numerous categories and potentials for cost," said Todd McLean, president of BOK Financial Insurance. "These include notification costs, credit monitoring, credit card replacement, ransom and third-party lawsuits. In the case of healthcare companies, it can include HIPAA-related fines and penalties. Expenses can also include public relations costs, specialized cyber attorneys, forensic fees and more."
Above and beyond those costs, McLean said businesses could expect to see lost income due to business interruption, damaged hardware and damage to their reputation.
Human error is the most common form of breach and cyber-related crime. "Social engineering attacks seek to engage your employees in order to allow the bad actors access to your systems," said Pechan.
Those attacks commonly target this kind of data:
- Personally identifiable information: Social Security numbers, driver's license numbers, bank account information and online passwords
- Protected health information: health status information and healthcare payment information
- Payment card information: debit and credit card information like account names, numbers and expiration dates
- Confidential company information: private information entrusted by third parties, often subject to non-disclosures or confidentiality agreements
Tactics include data loss and extortion, social engineering, invoice manipulation and business interruption.
"If your company was protecting information for a third party and that information was hacked, you could be in breach of a confidentiality agreement," McLean said. "When a company experiences a data breach, a cyber forensics team is brought in to determine what specific data was compromised including any potential breach of confidentiality agreement in relation to confidential information the company stores for their clients."
Small businesses unprotected
Some 88% of small business owners feel their business is vulnerable to attack but fail to put protective measures in place because they think they lack the information, budget or expertise to do anything, according to the Small Business Administration.
Pechan said a cyber liability insurance policy is a proactive tactic that can be tailored to fit any business.
Cybersecurity coverage can include:
- Breach costs: covers the forensic costs to identify and confirm the breach, as well as the costs of sending out notifications, crisis management and public relations
- Privacy and network security: covers defense costs, judgments, settlements, and regulatory fines and penalties
- Cyber extortion: covers the response costs and financial payments associated with network-based ransom demands
- Cyber business interruption: covers financial loss, such as business income, when network-dependent revenue is interrupted
- Data restoration: covers the cost to recreate or repair damaged or destroyed data, systems and programs
- Multimedia liability: covers the cost to defend and resolve claims related to online content, like copyright/trademark infringement
"For businesses that already have a cyber liability policy in place, it's important to remember that it's not one and done," said Pechan. "Most of these policies are drafted for general purpose and may not include the coverages needed to address the reality of exposures businesses face today.
"Simply put, things change quickly and the cyber liability coverage you have might not account for the actual exposure you face."
He suggests regularly reviewing the policy, like any other insurance policy, and making updates or changes as necessary.
Pechan also suggests combining the insurance coverage with continued employee education so that staff become more cyber-aware.
"Looking forward, we recognize some changes in the business environment could be open doors for cybersecurity issues," said McLean. "These changes include things like more remote employees, more unsecured environments, continued web and video conferencing, and more fake websites and apps threatening your business."
Pechan said, ultimately, success in the cyber liability realm is often measured not by what has happened, but by what hasn't.