Small & Midsize Businesses Feeling Impact of Cyber Attacks

Size doesn’t matter to cyber theives. According to a 2012 Verizon Data Breach Report, 72% of attacks were at businesses with less than 100 employees.

In addition to fraud, cyber theives can also steal a businesses identity. These types of thefts fall into the following activities:

• Stealing credit history
• Dumpster diving
• Hacking

HOW PREPARED IS YOUR BUSINESS TO HANDLE CYBER-ATTACKS?

Shockingly, despite these significant cyber-security exposures, 85 percent of small business owners believe their company is safe from hackers, viruses, malware or a data breach. This disconnect is largely due to the widespread, albeit mistaken, belief that small businesses are unlikely targets for cyber-attacks. In reality, data thieves are simply looking for the path of least resistance. As more and more large companies get serious about data security, small businesses are becoming increasingly attractive targets—and the results are often devastating for small business owners.

In recent years, nearly 60 percent of the small businesses victimized by a cyber-attack closed permanently within six months. Many of these businesses put off making necessary improvements to their cyber-security protocols until it was too late because they feared the costs would be prohibitive. Don’t make the same mistake. Even if you don’t currently have the resources to bring in an outside expert to test your computer systems and make security recommendations, there are simple, economical steps you can take to reduce your risk of falling victim to a costly cyber-attack.

When reviewing your insurance policies, be aware of how the following coverages can protect your business in the occurrence of a cyber-attack:

• CGL VS Cyber Liability Coverage
• Coverage B for Tangible Assets
• Specialized Cyber Liability Coverages
• Errors & Omissions (E&O)
• Directors’ & Officers’ (D&O)
• Claims Made vs. Occurrence Policies

Coverage for Cyber-Attacks: CGL Versus Specialized Cyber Liability Coverage

The only way to protect the assets of your business is to carry adequate Commercial General Liability (CGL) Insurance. A CGL policy protects your business from damages caused by bodily injury or property damage for which your business is found to be legally liable. CGL is usually triggered first in the event of a loss, so many business owners don’t feel an additional endorsement or stand-alone policy is necessary.

A typical CGL policy contains three coverages:

• Bodily Injury and Property Damage Liability (BI/PD) – the duty to indemnify and defend the insured for claims made due to bodily injury or property damage.
• Personal and Advertising Liability (AI/PI) – same framework as Coverage A, except it insures claims for personal injury and advertising injury.
• Medical Payments – insurer promises to pay emergency medical expenses for bodily injury for the uninsured or its employees as a result of an accident on the insured’s premises. It pays regardless of who is at fault.

Coverage B for Intangible Assets

If the threat exists that your company could be sued by a competitor for infringement or intellectual property theft, or you do not have the funds to cover legal fees associated with defending your patent or trademark, this coverage is vital. Defending infringement litigation can cost hundreds of thousands of dollars, not including the cost of damages and prejudgment interest. In patent infringement cases, attorney’s fees can easily top $1 million. Budgeting and planning for the protection of intellectual property rights may not only save your company a significant amount of capital, it may also help keep your business viable when legal bills accumulate rapidly.

Any act by the insured that somehow violates or infringes on the rights of others (referred to in the policy as an offense) is the subject of personal and advertising injury liability coverage, although only those acts that are specifically listed in the policy are covered. The coverage under the “advertising injury” provision is limited to those injuries that are directly related to the advertisement. Therefore, the policy covers debts owed by the insured party due to claims filed against it.

Coverage B policyholders are sometimes covered in cases relating to trademark infringement; however, copyright claims are only successful when directly related to advertising, and patent claims are rarely covered under the “advertising injury” provision. The cases that allow for coverage in a patent infringement suit are generally limited to instances in which a court finds contributory infringement or inducement to infringe through an advertising medium. Since the advertising injury provision in a standard CGL is limited, many businesses consider additional coverage to protect their intangible assets.

There are three important exclusions in the AI/PI coverage that outline the need for additional intangible asset coverage:

• Excludes AI/PI arising out of the infringement of copyright, patent, trademark, trade secret or other intellectual property rights.
• Excludes AI/PI committed by an insured whose business is:
  
  • Advertising, broadcasting, publishing or telecasting
  • Designing or determining content of websites for others
  • An Internet search, access, content or service provider (ISP)
• Excludes AI/PI arising out of an electronic chat room or bulletin board the insured hosts, owns or exercises control.

There will be a large coverage gap in a traditional CGL policy if you are a media company, technology company or any other company that does business predominantly on the Internet.

Specialized Cyber Liability Coverages

Because of the increase in the number of intangible assets companies possess, and the number of companies doing business on the Internet, new types of liability coverages have emerged to meet specific needs.

Errors & Omissions (E&O)

E&O insurance, also known as professional liability insurance (PLI), helps fill gaps in traditional CGL policies by protecting professional advice- and service-providing companies from having to bear the full cost of defending against a negligence claim that a service the company provided did not have the expected or promised results.

An E&O policy can cover intellectual property losses due to copyright infringement and plagiarism while also protecting a business against a data breach or identity theft. For example, if an IT specialist at a company makes a mistake with the company firewall and allows malware to spread through the company’s network, an E&O policy would help cover the losses from the exposure.

An E&O policy can be customized with several other coverages, such as:

• Electronic Data Loss – A fire or virus could lead to a business losing all of its data. An Electronic Data Loss policy covers against this data loss and helps replace lost income due to the incident.
• Data Breach – This coverage is becoming more popular as the number of expensive data breaches increases around the globe. Data Breach coverage can help a business cover the costs of customer notifications and any associated defense costs.
• Media Liability – This coverage protects media-related firms from claims arising from defamation, invasion of privacy, plagiarism, copyright infringement, etc.

Directors’ & Officers’ (D&O)

A D&O policy insures upper management against claims of securities fraud, breach of fiduciary and other types of liability. For example, shareholders of a company could sue a company’s directors and officers for not putting the proper measures in place to stop a data breach.

Claims Made vs. Occurrence Policies

When purchasing CGL and cyber liability coverage, businesses have two primary policy types to choose from—claims made and occurrence. A claims made policy covers claims while the policy is in force, while an occurrence policy provides coverage for when the act occurred. Both types offer distinct advantages and disadvantages, so it is wise to do research to determine the best type of policy for your business.

• Cost – Claims made policies are generally cheaper than occurrence policies. Premiums for claims made policies start low but increase each year to reflect the increased likelihood for claims in the future. While occurrence policies are generally more expensive, there is only a one-time cost with no additional fees.
• Selecting coverage – With a claims made policy, coverage limits are easier to choose because they can be increased annually. You run the risk of being underinsured with an occurrence policy because the coverage you selected 10 years ago might not be able to cover expenses from a claim made today.
• Pre- and post-coverage options – You will need to purchase “nose” and “tail” coverage with a claims made policy because if you are sued in 2006 for services provided in 2004, you will only be covered if your policy has an Extended Reporting Period (ERP), or “tail” coverage. Tail coverage can be expensive, but it is often included for free if you have been insured with the same company for a certain amount of time or it can also be offered as an incentive for switching to another company. Similarly, a “prior acts” endorsement, or “nose” coverage is needed when switching insurers to cover claims that occurred before the new policy was purchased. With an occurrence policy, no nose or tail is needed.It is easier to change insurance companies with an occurrence policy because no pre- or post-coverage endorsements are necessary.
• Long-term protection – An occurrence policy will give you better long-term protection because you are insured from a claim no matter how long after the event the claim was made. For example, if a software company was sued for a security problem in one of its programs that led to a customer suffering a data breach 5 years after the product was released, the software company would be covered by the occurrence policy in place at the time of the breach.