Battling Breaches at Your Business

Why small businesses should consider cyber insurance

BY RICHARD F. CORROON, CPCU

IMAGINE LOGGING IN to your company computer system on a Monday morning to blank computer screens and a demand for $300,000 ransomware to regain access to your lost business records. What would you do? Who would you call—your IT vendor, the police, the FBI?

The widespread use of email and its inherent vulnerability to breaches has led to increased hacking, manipulations, and the tricking of many businesses into wiring funds into hackers’ bank accounts—known in the insurance industry as social engineering.

According to Chubb Insurance's Cyber Center, “Hackers attack every 39 seconds, on average 2,244 times per day. In this environment, being prepared is critical to protecting business data, systems, and applications.”

One of the primary benefits of cyber insurance policies is the ability to call an incident response hotline for immediate access to a comprehensive list of cybersecurity experts, including data recovery specialists, ransomware experts, attorneys specializing in notification requirements, law enforcement, public relations firms, and other incident response resources.

Cyber insurance is now an established product in the insurance industry and should be considered by all companies, regardless of size, to cover costs for data recovery and legal, notification, and business interruption expenses following a breach.

In these uncertain times, all small business owners should include cyber insurance in their insurance program. Depending on the industry, cyber insurance can be affordable and easy to purchase.

These policies typically cover “First Party” costs such as network extortion, cyber incident response, notification costs, forensics, and digital data recovery. “Third Party” coverage includes privacy network and security liability, including legal costs related to suits by third parties alleging negligence in a business’ network security. An example would be an allegation of damage to your client’s network based on your lack of network security.

Hackers attack every 39 seconds, on average 2,244 times per day. In this environment, being prepared is critical to protecting business data, systems, and applications.

Other benefits of these policies include “non-insurance” features such as software vulnerability alerts; virus and malware monitoring and scans; endpoint security solutions; and education on security solutions. Your insurer’s tech expertise behind the scenes is critical—similar to an outsourced cyber security vendor.

The Evolving Cyber Insurance Market

Due to increased losses paid under cyber policies, the past two years have seen a retrenching of cyber insurers and a market in flux. In some cases, premiums increased dramatically, and available policy limits reduced as the insurance industry deals with the potential aggregation of risk arising out of widespread events to multiple clients. But for most business classes, cyber is available and affordable.

Insurers have recognized that cyber insurance should not be viewed as a replacement for strong security, and most have introduced minimum security requirements such as Multi-factor authentication (MFA); without this basic security measure, most companies will not offer a policy.

As part of the application process, some insurers use sophisticated technology to detect potential vulnerabilities so businesses can remediate the vulnerabilities even before they purchase the coverage. These proactive risk management tools and services can reduce the likelihood of loss.

Cyber claims adjusters have developed close contacts within the law enforcement community, including the FBI. There are many stories of successful recovery of ransomware funds that were paid to cyber criminals to recover business data.

The financial impact of a breach can be severe, and many small businesses do not recover from a hacking incident. Cyber insurance should not be overlooked. 

Richard F. Corroon, CPCU is president of Weymouth, Swayze & Corroon Insurance.