Target. Sony. Premera. It seems almost every week we hear the news of yet another large company that's been hit with a data security breach and the inevitable flood of lawsuits that follows.
If you're a small business owner, incidents like these might make you wonder: What would you do if something like this happened in your company? How could you protect yourself? Do you need cyber-liability insurance? Or is that something only large companies can get?
We put those questions and more to Matt Cullina, CEO of IDT911, which helps customers avoid identity theft and other data exposure risks. Some of his answers might not be what you'd expect:
1. Yes, you need cyber-liability insurance.
Once they've talked through all the risks and possibilities, most small business owners realize that they do need cyber-liability insurance, Cullina says. How much you need is dependent on the size of your business and the type and amount of data your company manages. If you're a retailer and process credit card transactions, then that credit card information is sensitive data that can present cyber-liability risk. Even if you don't, you likely have intellectual property and personal information about your employees and perhaps your customers and/or vendors. If your business is in health care or another field where data use is highly regulated, there are additional liabilities and risks.
"When we talk to an average business, we help them paint the picture of their potential data risk," Cullina says. "How many customers do you have? What kind of data do you handle? How do you store it?" When they go through this exercise, most businesses of any size realize they do indeed have some risk.
2. But probably not a cyber-liability policy.
"The average small business these days can get a rider on a standard insurance policy," Cullina says. That is generally sufficient for a company with less than $10 million in annual revenues, providing it does not process or store a large amount of sensitive information. But if your company is larger or you work with lots of sensitive data--in a medical practice for instance--then you may need a stand-alone policy.
3. You need less coverage than you think.
Reading news stories about the huge data breaches at big brands and the subsequent fallout might leave you thinking that you need huge amounts of protection because in case of a breach, the risk is nearly limitless. Not so, Cullina says. "Some policies start off as low as $10,000 in cyber-liability coverage and $25,000 is standard. Or you could get $50,000 and that's adequate in most situations for a truly small company." It may not be adequate, he adds, for a slightly larger company or one that handles lots of sensitive information.
What does that coverage actually buy you? "It pays for the business out-of-pocket expenses after a breach to bring in forensic experts and investigate, remediation costs, cost to mail letters to impacted people, to offer credit monitoring to those impacted so there can be early detection of any problems that result from that breach," he says. "It covers identity theft resolution services if they do have a theft. It can also cover public relations. Those are primarily what that insurance is used for, but there's also liability coverage if the business were to be sued."
But that's unlikely to happen to a small business, he says. "The Targets and the Sonys are the ones being sued in class actions. You're not seeing that with small businesses. The most you'll have is a local attorney general investigating your company and maybe issuing a fine. Or it could be that the PCI Security Standards Council [which oversees credit card processing agreements] makes you perform audits, and there may be fines or penalties as a result."
4. You'll pay less for it than you'd expect.
If all you need is simple coverage in a rider added to your existing business policy, then cyber-liability insurance can cost as little as $45 to $75 a year for $10,000 to $20,000 of coverage. Add items like business interruption coverage and network security liability coverage (which goes beyond data loss to add coverage for things like denial-of-service attacks) and a rider could cost in the low hundreds per year, Cullina says. "If you're buying a stand-alone policy, you're generally looking at premiums of at least $500, but more typically $750 and above," Cullina says. "And then it goes up for larger businesses, depending on the type of coverage you're getting."
5. Knowledge is more valuable than cash.
What should a small business owner look for in cyber-liability insurance? "It's not just the coverage limits and what's offered, but the addition of services and expertise that makes a difference," Cullina says. That's because--in the event of a breach--you will have to make many decisions quickly, and you may easily wind up spending much more than necessary. "A business that has a breach for the first time tends to pay a lot more than for the second or third time," he says.
So look for insurance that comes with expert advice and support services in case of a breach. And it's worth it to become knowledgeable yourself. Cyber-liability insurance is a relatively new area. Not all insurance agents and brokers are experts in it, and there is wide variance among policies. It can seem daunting, Cullina says, but there are some good educational tools at some of the large carriers' websites.
"Do your research and ask questions," he advises. "You have to be a smart buyer."