Cyber liability: Why it matters to your SMB now more than ever
The cyber risks businesses face today are rapidly growing and evolving. The targets are changing, too.
Now more than ever, attacks are targeting small and medium-sized businesses (SMBs). The increase has been particularly noticeable among businesses that manage and store sensitive and personally identifiable information (e.g., hedge funds, law firms, insurance providers, healthcare providers, etc.).
Why is this? Why have cyber criminals changed their focus?
- SMBs are soft targets and more susceptible to attacks than large businesses with massive information security budgets. I.e., time is money and attackers can rapidly increase their ROI by targeting SMBs.
- SMBs act as backdoors to larger, more profitable targets. I.e., attackers penetrate SMBs, obtain sensitive client / customer information (which the SMBs themselves are liable for), and use it as a means to penetrate larger, more lucrative targets.
For SMBs, breaches of this nature not only mean potential lawsuits, they could mean bankruptcy (e.g., 72% of businesses that suffer major data loss shut down within 24 months).
The following questions present themselves:
- What are SMBs liable for when it comes to cyber threats?
- What can SMBs with limited budgets do to protect themselves from cyber liabilities?
- Will SMBs eventually be forced to purchase cyber liability insurance as a matter of doing business?
- What problems currently exist with the cyber liability insurance market?
What are SMBs liable for when it comes to cyber threats?
Questions of cyber liability are complex. They vary across industries and are tied to esoteric regulatory issues. One thing is certain, though: in the event of a breach, victims will face an extensive assortment of burdensome costs.
The following cyber liability costs are what SMBs typically incur outside of their General Liability and Business Owner Policies:
First-party liability costs — First-party liabilities apply to the direct costs necessary to appropriately address a breach or security failure.
- Legal counsel: Receiving legal counsel and identifying the appropriate notifications and regulatory obligations that must be adhered to.
- Security response: Ensuring the appropriate protocols are followed in response to a breach or failure (i.e., notifying customer and client victims, partners, investors, etc.). On average, the cost per compromised record associated with a breach is $201. Note: This is the most expensive liability cost SMBs face following a breach or security failure.
- Privacy: Expenses associated with credit monitoring and identity / credit repair following a breach or failure.
- Forensic investigation of a breach: Retroactively identifying and patching vulnerabilities that led to a breach or failure.
- Public relations expenses: Externally communicating the breach / failure to the public and its impact without divulging confidential information.
- Business interruption: Loss of profits and additional expenses incurred as a consequence of network downtime and unavailable services.
- Extortion: Costs necessary to investigate, negotiate and settle threats pertaining to cyber attacks.
Third-party liability costs — Third-party liabilities apply to costs associated with other companies or individuals suing / making claims, or regulators demanding information pertaining to a breach or security failure.
- Legal defense: Settling damages and judgements related to the breach or security failure.
- Banks: Costs associated with chargebacks and re-issuing credit cards.
- Regulatory response: Fines and penalties for non-compliance (e.g., PCI DSS, HIPAA, etc.) and actions brought forth by state or federal agencies to enforce privacy regulations.
- Media / content dissemination: Claims such as infringement of IP, copyright / trademark infringement, libel and slander.
What can SMBs with limited budgets do to protect themselves from cyber liabilities?
To address the growing cyber threat, many SMBs have begun soliciting protections through cyber insurance liability policies. Cyber coverage is still young, but the interest among SMBs has increased significantly in recent years.
Cyber liability insurance enables SMBs to cost-effectively transfer risk as one component of their overall risk management strategy. That said, insurance companies now require evidence of insurability from SMBs. This is necessary to home in on premiums and payouts that appropriately correspond to a company’s underlying security posture.
Before soliciting cyber liability insurance, savvy SMBs can work with cost-effective security consultants to assess their underlying security postures, and institute IT security, risk management and compliance strategies. Along with providing evidence of insurability, security consultants can work with SMBs to identify the coverage that’s right for them and avoid paying for bloated policies.
Will SMBs eventually be forced to purchase cyber liability insurance as a matter of doing business?
It’s too early to tell, but as more high-profile cyber attacks take place, SMBs may be forced to purchase cyber liability insurance as a matter of doing business.
Take, for instance, the infamous Target hack of 2013 — the largest retail breach in U.S. history. The attack stemmed from another attack against a third-party HVAC contractor that Target did business with. Upon penetrating the HVAC contractor’s network, the attackers used it as a jumping-off point to obtain the credentials necessary to invade Target’s network. After gaining access to Target’s network, the attackers installed a piece of malicious software that ultimately stole every credit card number used at Target’s 1,797 U.S. stores.
Such scenarios continue to increase anxiety among large companies. Consequently, many large companies have begun evangelizing on behalf of cyber liability insurance and mandating it among third parties they do business with.
What problems currently exist with the cyber liability insurance market?
With cyber liability insurance still in its infancy, there are a handful of shortcomings associated with the market, in particular the lack of publicly available data.
For instance, there’s currently no standard of practice to vet insurability among prospective customers. Each provider has their own approach.
Additionally, limited claims data has been shared throughout the industry. This, coupled with a rapidly changing cyber security landscape, makes it incredibly difficult for actuaries to identify consistent pricing models.
Lastly, prospective customers (e.g., SMBs) lack access to educational materials and resources. As a result, many companies incorrectly believe their General Liability and Business Owner Policies cover their cyber liabilities. They take on staggering risk without even knowing it.
These problems are not atypical among nascent-stage insurance markets with new product offerings. Adept product offerings simply take time to form through a process of iteration and refinement.
In today’s digital landscape, SMBs face a growing assortment of security risks. They’re being targeted now more than ever, and the threats they face come with potentially devastating consequences. Managing these risks is tremendously challenging and there’s no silver bullet.
Cyber liability insurance is certainly a viable, cost-effective option. However, with its complexity and novelty comes risk. The good news is, much of the risk can be reduced through security consultation. I.e., security subject matter experts can address risk on both fronts:
- The risks providers encounter when measuring a business’s insurability, and
- The risks SMBs face when preparing to solicit and pursue appropriate coverage.
Regardless of whether or not experts believe SMBs should pursue cyber liability coverage, there’s no questioning the value of instituting security best practices and guarding against a potentially lethal cyber event.
Interested in learning more about cyber liability insurance and the role it can play for your business? Sign up for “Cybersecurity: Why Your Small Business Has the Most to Lose”, June 16th 2016, 5:15pm, The Technology Garden, 235 Harrison Street, Syracuse, NY