COLUMBUS, OHIO – Despite frequent media reports of hacking, cybercrime, security breaches and related events in all parts of the U.S., many middle market companies continue to underestimate their exposure to these attacks along with their need for focused risk management measures, which may include the purchase of specialized cyber insurance.
A new report from Assurex Global, the world’s largest privately held commercial insurance, risk management and employee benefits brokerage group, identifies four misconceptions about cyber risks, predominantly among mid-sized and small businesses; the notion that cyber events primarily affect larger businesses tops the list.
“Even though you may not hear about breaches at $50 million or $100 million manufacturers, they’re happening,” says Mike Richmond, a risk advisory executive at the Horton Group, an Assurex Global Partner. “Sometimes that’s because the cyber protection at smaller companies isn’t as sophisticated, so hackers consider them an easy target.”
The second biggest misconception: “My type of business isn’t a target.”
“As the growing number of victimized companies attest, that misconception is being debunked nearly every day,” Mr. Richmond observes. “There’s no question that every enterprise is now a potential target for a cyber-attack – public, private or nonprofit, you still may be vulnerable.”
The report cites Symantec’s list of the top sectors breached in 2015 by number of incidents: services; finance, insurance and real estate; retail trade; public administration; and wholesale trade.
The third leading misconception: you can self-insure against a data breach. In fact, the high cost of cyber-attacks makes this a perilous option, especially for small and mid-sized companies. The average cost of a data breach for 350 companies participating in the Poneman Institute’s 2015 Cost of Data Breach Study was $3.79 million, up 23 percent from 2013.
“If a data breach occurs today, businesses are almost certain to be subject to defense costs even if customers have yet to suffer any immediate or identifiable loss from the data breach,” says Mr. Richmond. “Once there’s a breach, costs can mount rapidly.”
The fourth misconception: many firms believe they’re insulated from financial consequences of cyber events because they outsource their network security, data management, and payment transactions. Yet, according to the report, as the original data owner, a company sustaining an attack will likely be named in third-party lawsuits and be held liable in most jurisdictions.
While a vendor agreement may contain indemnification provisions, there may be caps on indemnification amounts and exclusions for certain types of data breaches. Further, the vendor may become insolvent, bankrupt, or simply not honor the agreement.
Protecting against cyber exposures
“We’re working with customers now to continuously improve their front-end protection; then, adding insurance to make sure that if something slips through the cracks, the company has insurance to pay for it,” Mr. Richmond says.
With respect to insurance, Mr. Richmond recommends companies consider two primary types of coverage for cybercrimes: a cyber liability/data breach policy and a commercial crime policy.
Cyber liability/data breach policies can include third-party coverage, first-party coverage, and media liability. Meanwhile, many commercial crime policies can be structured to address certain cyber-related risks otherwise not covered under a cyber liability policy, such as those involving certain phishing scams and corporate account takeover.
Although many firms opt to structure cyber coverage as an endorsement to their package policy rather than purchasing standalone cyber insurance, Mr. Richmond says standalone policies usually have higher limits, fewer exclusions, and are more comprehensive. In choosing insurance he suggests working with an insurance agent, getting support from the company’s C-level executives, and taking steps to identify the firm’s risk and critical protection needs.
Mr. Richmond adds: “Start with the question: If a data breach happens, how would your company pay for the damages? This should impel businesses to assess their risks, shore up their risk management, and investigate and purchase cyber liability insurance.”
For a complimentary copy of the Assurex Global report, Exposed, Targeted and Breached: The Risk of Cyber Crime, visit the Assurex Global Content Library.