Could You Survive a Cyberattack?
The lawsuits that often follow a cyberattack can be just as devastating as the attack itself. Cyberrisk insurance could help.
In December 2011, computer hackers broke into the network of Stratfor, an Austin-based company that provides global intelligence services to individuals and businesses. The damage was staggering. The hackers stole information related to 90,000 credit card accounts. Five million email messages were stolen and subsequently published by WikiLeaks. The attack also destroyed four of the company's servers.
In a surprisingly forthcoming video message to the company's customers, Stratfor founder and CEO George Friedman explained in great detail the particulars of the attack. He said, "We knew our reputation would be damaged, all the more so because we had not encrypted the credit card files. This was a failure on our part. As CEO of Stratfor, I take responsibility. This failure created hardship for our customers, and I deeply regret that it took place."
Apparently, that apology wasn't enough. Stratfor was hit with a class-action suit from its customers for more than $50 million in damages.
Stratfor's case demonstrates the unfortunate fact that if your company is hacked or fails to protect privacy data, you should not expect sympathy from your customers. In fact, you should brace for a lawsuit.
One way companies can prepare is by buying cyberrisk insurance. Though it has been around since the mid-'90s, cyberinsurance has only recently started to work its way into the mainstream and is now offered by companies such as the Hartford Financial Services Group and Travelers.
The insurance protects organizations from the fallout that often results from the inadvertent disclosure of their customers' confidential information, such as Social Security numbers or bank account information. It can cover you for damages and loss, as well as court costs, should your customers or employees decide to file suit against you in the event their information is leaked.
"We have seen more demand for [cyberinsurance] across all industries and business sizes," says Tim Francis, enterprise cyberlead for Travelers. "More and more people are aware of their exposure and have really started thinking about what is the right insurance for that."
The high costs of dealing with security breaches have helped fuel demand for cyberrisk insurance. The average cost of dealing with a single security breach was $3.7 million, according to a 2012 study performed by NetDiligence, a cyberrisk-management firm. The biggest component of that cost was legal fees, which averaged $582,000 per incident.
Cyberattacks against large corporations may get the media attention, but small businesses aren't immune from hackers. Nearly 40 percent of all targeted cyberattacks take aim at businesses with fewer than 250 employees, according to a June 2012 study conducted by cybersecurity firm Symantec. That rate has doubled from a year ago.
If your business is attacked, your customers have more recourse than they once did. Forty-six states and the District of Columbia now have breach notification laws requiring businesses that store personal customer information to notify customers when their information has been compromised. A handful of states are more stringent, requiring businesses to have a written security policy and specific kinds of security controls in place.
