Cyber Liability Insurance: Don't Run a Business Without It

While new data breaches seem to be hitting the news weekly, there are many more attacks happening each day to smaller companies that are not making the headlines. Many businesses simply don’t understand just how high the stakes can be. Aside from general statistics, small business owners do not have much data on the costs associated with a breach in security. This is partly because many insureds are reluctant to publicize just how much they are spending on breaches in security and what is being covered by their insurance policies.

It is critical to examine what is covered and what is not covered by your existing policies. Many businesses may assume their general liability policy covers everything. However, a privacy breach may not be one of them. Zurich is fighting to deny coverage to Sony for their recent security breaches, because lawsuits resulting from data breaches are not covered under their general policy but rather their stand alone cyber policy, which Sony did not purchase.

Insurance carriers are not the only ones shying away from responsibility for data breaches. As hackers are increasingly targeting small companies that maintain large commercial bank accounts at smaller regional banks, many banks are refusing to accept responsibility for stolen money from hacked accounts. According to the Verizon 2011 Data Breach Investigations report, in conjunction with the U.S. Secret Service, many cybercriminals are now focusing their efforts on repeated attacks to smaller targets that are more vulnerable, such as local and regional banks. It is estimated that $1 billion a year is stolen from small and mid-sized bank accounts in the U.S. and Europe.

The good news is that new cyber and privacy policies, which cover a business or organization in the event of a data breach involving lost or stolen information, whether it’s paper or electronic, are now more affordable for small to mid-sized companies. A typical $100,000 policy for a small business costs between $350 and $1,500 annually.  That is a small price to pay, especially compared to what a successful lawsuit could cost, not only in damages, but also in time, stress, lost business, and tarnished reputation.

Stand alone privacy/cyber policies are more sophisticated than ever for very reasonable premiums and should include the following:

• Notification to all individuals whose private information may have been lost, stolen, or accessed without proper authorization. This is required by 46 states currently. A single letter can cost from $1 to $5 per person.
• Associated costs for those individuals electing credit monitoring in the event their information was lost, stolen, or accessed without proper authorization. These costs can be very expensive, ranging between $20 to $30 per person, per year.
• Third party financial claims and legal costs in the event of a suit, and defense and penalty costs in the event of a regulatory claim (data breaches may be subject to state and federal penalties).
• Public relation expenses to protect and restore a company or organization’s brand and public image.
• Expenses to retain a data forensics expert to determine why the breach occurred and how to avoid one in the future.

As the level of attacks on one’s privacy increase at alarming rates, your business may be more vulnerable than you think to breaches in privacy and private data. It’s important to continually examine your security systems for new vulnerabilities. Chances are, if you are leaving your security up to Norton or McAfee antivirus software, you have left yourself too vulnerable for comfort in today's cyber business world. The cloud, with all its risks and rewards, is here to stay, and it brings with it the moral and legal responsibility to safeguard your company and client information.