You can't pick up the paper or tune in to the news without hearing about the latest cyberattack against a prominent business. Most notably, there's Target, whose CEO, Gregg Steinhafel, was forced to step down last month following one of the biggest hack attacks ever logged.
The average cost to a small company for a hack attack in 2013 was $3.5 million, according to Ponemon Institute's 2014 data breach study, an increase of 15 percent compared with 2012. And as the attacks get bigger, more sophisticated, and more expensive, your potential to get coverage keeps diminishing. As The New York Times reported Monday:
Total cyberinsurance premiums paid last year reached $1.3 billion, according to Betterley Risk Consultants, a jump from the $1 billion paid in 2012. The bulk of that involves smaller policies issued to small to midsize businesses.
The most coverage a company can hope to acquire, using multiple underwriters, is about $300 million, experts say, significantly less than the billions of dollars' worth of coverage available in property insurance.
Even Target, which has big resources at its command, may fall far short of its $1 billion needs stemming from the breach. Its quarterly filing from last month says it will recover only $52 million worth of $88 million in expenses so far from its insurance policy.
Although most smaller companies are not likely to need $300 million worth of coverage, here are some key things to keep in mind when considering how to insure yourself:
- First, understand what kind of coverage you need. There are two types of cyberinsurance: first-party and third-party. First-party coverage insures your business against the direct costs you could incur following an attack. Third-party coverage is, just as its name implies, liability coverage that protects you in the event of customer lawsuits.
- Your biggest cost in the event of a breach is likely to be from lawsuits, which can average $600,000 per incident, according to a 2012 study by cybersecurity company NetDiligence.
- Forty-six states plus Washington, D.C., have data breach notification laws, which means you must proactively inform your customers in the event of a breach involving their information.
- At least 50 insurers, including top brands such as Hartford Property, Farmers, and Travelers, offer cyberinsurance.
So, shop around. And if you need to cobble together multiple plans to insure for greater risk, you at least can take comfort from knowing that there are dozens of companies that might be interested in doing business with you.