What is cyber insurance?
Cyber insurance is no longer a niche product for a select group of businesses. If you have data to protect, you need cyber insurance.
You don’t need to be a bank or a hospital to hold sensitive information. If you hold personnel files, credit card information, or even user credentials, you carry a certain responsibility to protect that information from being compromised.
It doesn’t take a lot for a cyber breach to happen. In fact, cyber attacks are on the rise, and small business owners, in particular, are an easy target.
Cyber insurance covers the cost of fixing the breach, notifications, credit monitoring, legal fees, and potential lawsuits or regulatory fines all out of pocket. Getting hacked is awful and dealing with the aftermath is a nightmare. Cyber insurance minimizes the financial and emotional devastation.
Which risks does cyber insurance protect you against?
Addressing a cyber attack pulls a business in multiple directions. In other words, it’s expensive. A well-rounded cyber insurance policy protects you from the risk of bankruptcy while dealing with different elements of a cyber attack.
|Cyber Insurance Aftermath Coverage||What Exactly This Coverage Includes|
|Damage Assessment & Repair||● Getting the system back online
● Kicking hackers out of the system
● Assessing the extent of the infiltration
● Determining what information was compromised
|Customer Notifications||● Alerting affected customers on the situation and next steps|
|Credit Monitoring||● Monitoring credit files of customers whose financial data was compromised
● Alerting customers to suspicious financial activity
|Reputation Management||● Hiring a PR or crisis management firm|
|Business Interruption||● Covering revenue lost while your business went offline|
|Legal Fees & Settlements||● Cost of defending your business
● Any settlements your company has to pay due to the breach
|Regulatory Fines||● Regulatory fines your company is ordered to pay|
Table: How Cyber Insurance Helps Your Company After a Breach
How does cyber insurance protect you?
Cyber insurance protects you by minimizing the costs of dealing with a cyber attack, thereby preventing your business from going under. It isn’t an exaggeration to say that the weeks following a cyber attack are very, very expensive.
Each time you complete one aspect of the aftermath of a cyber attack, there’s a new issue or obligation that needs to be addressed. Consider the following breakdown of the costs of a cyber attack and how much each cost.
Assessment and Repair
Without question, you’ll need an outside expert or consultant to help you with a cyber breach. This professional will assess the extent of the damage, determine how much information was compromised, ensure the attacker is actually out of the system, and patch up any vulnerabilities.
As you would expect, this doesn’t come cheap. This help costs about $200 to $400 per hour. The amount of help (i.e. billable hours) you’ll need depends on the extent of the damage and the industry that you’re in.
If your business is in a regulated industry, you’ll have to prepare detailed reports for regulators and doing so correctly will require additional assistance from consultants.
A cyber insurance policy helps pays for the costs associated with assessing and repairing a cyber breach.
Credit Monitoring for Affected Customers
If your company holds credit card information or social security numbers and a cyber attacker accessed them, your business is now responsible for protecting the identity of those customers.
This means that you’ll need to cover the cost of credit monitoring for all those customers so that they are alerted if there’s suspicious activity in their name.
Credit monitoring typically costs $100 to $150 a year. Multiply that by the number of customers whose information was compromised and you’re looking at a huge expense. If you planned ahead, you’d have cyber insurance to carry the brunt of the cost.
Companies notify customers either because they’re legally obligated to or because they want to maintain a culture of transparency.
In any case, making notifications is expensive work.
You’ll have to hire additional staff to handle calls or take employees away from core business operations. Either way, you’ll need to invest time into training employees, so they have the necessary information to help customers. According to the Ponemon Institute’s Cost of a Data Breach Study, the average notification cost for U.S. companies in 2016 was $0.59 million.
This cost hits you twice. There’s the decrease in business – and therefore revenue – once news of a cyber breach gets out. Then there’s the cost of bringing in a pricey PR or crisis management firm to make sure the rest of your customers don’t leave and the ones who did come back.
Companies who wish to hire such help in the event of a data breach should check that it’s part of their cyber insurance policy, since it may not be automatically included.
If the thought of losing all your customers weren’t bad enough, there’s also the possibility of those customers suing you. A lawsuit, especially one with a large settlement for multiple customers, can devastate your business.
Regulators will also come sniffing around to see if you weren’t a responsible caretaker of sensitive data.
While larger companies can stomach the blow of big fines, small- to medium-sized businesses can’t.
Finally, there are the legal fees themselves. In any conflict, the only people who really win are the lawyers.
If you get lucky and dodge the bullets from regulators and angry customers, you’re still going to have to pay the lawyers who helped you do so.
A good lawyer can cost over $500 per hour. Most cyber insurance plans include coverage for legal fees, settlements, and fines.
Business Interruption Insurance
Think about how much your business brings in every day. Now imagine if all work ground to a halt for a couple of days. Keep in mind that you’d still be spending money on your staff while you try to resume operations. While shopping around for cyber insurance, remember to include business interruption coverage.
A cyber insurance plan that covers assessments, repairs, legal fees, and credit monitoring is great, but that coverage doesn’t help you recoup the money you’ve lost addressing the breach. Business interruption coverage can help you (almost) pick up where you left off before the breach.
How much does cyber insurance cost?
The cost of cyber insurance is typically driven by the number of customer records that have to be protected, and a system’s existing security protocols. Cyber insurance starts at $200 for most companies, but companies holding financial data or healthcare information can expect to spend about $1000.
How much should your business prioritize cyber insurance?
Image: Credit monitoring company Equifax suffered a huge breach in 2017. (Toronto Star)
Cyber insurance is no longer a niche product. It’s a necessary component of a business’s risk management plan. The events of the past couple years should serve as enough proof that cyber attacks are the new normal.
- November 2017: Uber reveals a cyber breach the previous year compromised the data of 57 million riders and drivers
- September 2017: Equifax announces that a cyber breach affected millions of Americans. In November, the company issues a statement saying that over 19,000 Canadians have been affected as well.
- September 2016: Yahoo confirms that 500 million user accounts have been compromised.
- December 2013: Target announces details of a hack that affected the credit and debit card information of 40 million accounts.
This is just a sampling of some of the big name cyber breaches that happened over the past few years. Does this mean that only big companies need to worry about cyber attacks and therefore, cyber insurance?
Hardly. What it means is that it’s only hacked on big brands that bring national or international headlines. Cyber attacks on small business do happen. They don’t attract much attention individually, but they can be catastrophic for that business owner.
Hackers target small businesses specifically because they don’t have the resources of big companies to implement extensive cybersecurity measures. This also means that small business owners have significantly fewer resources for responding to a cyber attack.
The question of cyber insurance can make or break a company in the aftermath of a cyber attack.
Not only do large companies have the money to respond to a cyber attack, you’d better believe they have cyber insurance to minimize their costs as well.
The moral of the story: Everyone from e-commerce companies to construction companies should have cyber insurance.