High-profile cyberattacks are becoming the norm. According to Property Casualty 360, a ransomware infection forced the San Francisco Municipal Transportation Agency to open all fare gates for two days, while a distributed denial of service (DDoS) attack on domain name system (DNS) infrastructure firm Dyn brought down high-profile sites like Twitter, Reddit and Netflix last October.
So it's no surprise that along with in-house and cloud-based IT safeguards, providers have also emerged to offer cyber insurance as protection against the possibility of malicious network compromise. But what does this mean for you as a small business owner? You may be convinced that your organization's size provides protection through invisibility — why would hackers target small-scale networks when large enterprises offer such tempting targets? But in fact, small and midsize businesses are quickly becoming the go-to starting point for hacker groups and malicious actors looking to "test out" new attack vectors.
The numbers aren't promising for small businesses. According to Forbes, 87 percent of SMBs don't have any type of official written internet policy in place. More worrisome is the fact that 60 percent of these businesses will likely close within six months of a cyberattack. But what's the likelihood of an attack actually happening? When thinking about this, remember the fundamental hacker mandate: Find the easiest way to take, disrupt or damage anything. As a result, cybercriminals may go after small businesses because these organizations typically spend far less on network security than enterprises and don't have the staff or in-house capability to handle large-scale attacks.
Data backs up this argument: According to CNBC, 87 percent of SBOs don't feel they're at risk of a cyberattack, yet recent statistics show that hackers have breached half of all small businesses in the United States. The most common threat vectors are phishing emails and fraudulent e-commerce transactions, which can lead to significant monetary loss or even operational shut down for weeks at a time. And for small businesses, this kind of loss isn't easy to absorb, putting them at risk of financial ruin.
The Insurance Evolution
To combat this growing cyber threat, new forms of insurance have emerged. Cyber-specific policies are now available from a variety of insurance providers to offset the cost of network downtime or data loss. Here's what you need to know:
- Policies are fairly broad. New policies often cover sales lost due to business interruption or the cost of notifying consumers of a breach. This provides cash-on-hand to continue business operations as network compromises are addressed and remediated.
- Policies have large coverage areas. From websites to applications, e-commerce stores and third-party technology services, cybersecurity insurance policies are typically designed to cover multiple avenues of attack.
- The claims process is familiar. As with an ordinary insurance claim, you must demonstrate that you've suffered harm as outlined in the provisions of your agreement and pay your deductible.
- There's third-party liability. Many SMBs assume that if a third party processes or handles their data, that party is responsible for obtaining their own insurance to cover against loss or theft. In fact, SMBs are defined as the "owner" of any personal or credit data provided by customers, regardless of how and where this data is handled. Cyberinsurance can ensure you're covered for any third-party mistakes that leave you liable.
- Cyber insurance is outside traditional coverage. Traditional business liability coverage does not include cyber protection. You need a specific cyber policy to ensure that digital assets are protected.
- Cyber insurance is relatively inexpensive. According to Small Biz Trends, your business can get $50,000 worth of coverage for around $200 per year.
So why opt for cybersecurity insurance? What's the direct benefit for your SMB?
Much like other types of business insurance, cyber policies offer a kind of buffer against potential negative events. But unlike regular policies covering capital losses or power outages, cyber policies protect against threats that are growing as SMBs shift their focus to e-commerce stores, app development and social media. In addition, insurance providers will typically work with existing IT teams to improve overall network defense, since it's in the best interest of both the SMB and the provider to limit the chance of a breach.
The most important benefit of cyber insurance, however, is consumer perception. As noted by Forbes, while consumers are getting better at protecting their information online, businesses are getting worse. Personal data used to create accounts or make purchases is getting snapped up by malicious actors, then exploited or sold on the darknet. The result is that customers have little patience for businesses that don't offer adequate protection for data and won't stay loyal if they feel their data is at risk.
Not all cybersecurity insurance providers are created equal. Some see opportunity in the market to make a quick profit, while others are committed to providing robust coverage and reliable service. For SMBs short on time and struggling with IT expectations, here are five tips for choosing well:
- Consider first- vs. third-party coverage. First-party policies cover the direct costs of responding to a security breach or data compromise, while third-party coverage comes into play if other agencies or individuals make a claim against your SMB. Not all policies include both.
- Know your limits. As noted by the Society for Human Resource Management, some providers will attempt to "cap" the amount paid for things like crisis management, breach notification or remediation. Always know the extent of any coverage limits.
- Learn the exclusions. Providers may also try to limit coverage based on exemptions. For example, some may not cover breaches that occur because of mobile device use, while others don't cover paper files that form part of a breach or acts of cyberterrorism that result in data loss.
- Look for hidden costs. Beyond the monthly premium, are there other hidden costs of purchasing cyber insurance? How much is the deductible, and what kind of rate increase will occur after a claimed breach? Ask these questions up front to avoid surprises later.
- Recognize reputation. Although the cybersecurity insurance market is just getting off the ground, word-of-mouth remains a powerful predictor of performance and service. Ask a potential provider for references and do some independent research before signing any contract.
Cyberrisks for SMBs are on the rise. While cloud security and automated IT processes can help address basic cybersecurity hygiene, there's no surefire way to prevent data compromise. This means that a robust and reliable cyber insurance policy is now imperative for small businesses to weather the storm.
Automatic Data Processing Insurance Agency, Inc. (ADPIA) is an affiliate of ADP, LLC. All insurance products will be offered and sold only through ADPIA, its licensed agents or its licensed insurance partners; 1 ADP Blvd. Roseland, NJ 07068. CA license #0D04044. Licensed in 50 states. All services may not be available in all states. This information is not intended as tax or legal advice. If you have any questions, contact a tax or legal professional.
SIGN UP FOR THE THRIVE NEWSLETTER