The damage inflicted on small business by security breaches can be costly, up to $50,000 or more for each incident. Many companies mistakenly assume their commercial insurance product will protect them in the wake of a breach. But that’s most likely not the case. In the scramble to respond, suddenly finding out that your business is further exposed due to a lack of proper insurance can be disheartening. That’s why small businesses must ensure they have the insurance and resources in place to respond. This coverage and support can no longer be pushed down the priority list.
Rising attacks against small business can overwhelm
According to the 2017 Internet Security Threat Report by Symantec, small businesses are now the most likely target of malware and phishing campaigns. Every day, 400 businesses face incoming spear-phishing emails sent to financial staff or upper management in more and more sophisticated and targeted ways. FBI estimates indicate that more than $3 billion may have been lost due to these types of scams in the past three years, with more than 22,000 victims worldwide. Any employee can make a mistake. It could be an attached invoice with malware embedded, or an outside web link that appears to be shared by a trusted source.
With a successful ransomware attack, a business may lose access to its computers and data unless a fee is paid. A loss of just a day or two of business can be devastating to many companies. A spear-phishing attack may expose highly sensitive personal information that requires notification to everyone impacted. Small retailers or restaurants conducting point-of-sale transactions involving credit card data can be particularly vulnerable to an attack. The only way to fight these attacks is with preparation, education and the insurance needed to adequately respond in the wake of a damaging leak.
When a breach happens, a small business must juggle multiple issues simultaneously. The series of regulatory and reputational responses required can overwhelm a small company that is simply not knowledgeable enough to respond adequately. It must identify the origin of the breach, restore systems and close the security loophole, respond as required by law to regulatory authorities, properly notify customers of the potential impact, and finally begin rebuilding its reputation. With so many steps required in the immediate aftermath, many small businesses don’t even know where to start.
New cyber insurance products also aim to prevent and respond
In response to demand for better protection, insurance companies are adding and improving cyber insurance products that provide not only financial security but also technical and logistical support. Insurers are now partnering with outside experts to provide more comprehensive coverage options. For example, Arbella Insurance recently aligned with CyberScout, an expert in cyber prevention and incident remediation. As part of improved, more holistic coverage options, clients can receive tips for employee education and advice regarding cyber-attack prevention, as well as have a team of experts on standby in the event of a hack. The support includes writing and distributing notification letters to customers and government agencies in the wake of a breach, as well as performing a full forensic investigation to close any security loopholes. This is in addition to financial reimbursement for direct losses associated with the breach.
Small businesses have an obligation to their customers to protect their personal data and to be prepared in the event of an attack. Owners should ask their insurance agents about data breach coverage and holistic, preventative solutions. The annual cost may be far less than expected. With an increasing number of highly sophisticated attacks each year, it’s less a question of whether a small business is compromised than of how prepared it is to fully respond and mitigate the damage.
Jeffrey Witt, Assistant Vice President, Commercial Lines Research and Development, Arbella Insurance Group