

Cyber endorsements: The why and how of cyber protection
August 15, 2018
By Steve Timmerman
RedSeal, VP Business Development and Elissa Doroff, Product Manager, XL Catlin, Cyber & Technology
A salesperson, working from a café while on the road, sends proprietary client information over an unsecured Wi-Fi connection. A project manager for a management consulting firm loses a computer tablet, which had no password protection or encryption. An online company collecting email addresses of its customers is hit with a breach that compromises over 300 records.
Many small and mid-sized businesses, even those without a heavy online presence, are not adequately protected against a cyber breach or attack. In many cases, businesses are going without coverage, assuming they don’t need it or that their errors & omissions policy will cover whatever issue may occur.
Such thinking could prove devastating, particularly for small businesses. Of all the cyber-attacks in 2017, according to , 61 percent targeted small businesses. Even companies that store a minimum amount of customer data – emails, phone numbers, or addresses – still have a vulnerability that can cost both money and reputation. The cost to recover for small businesses – an estimated $690,000; for mid-sized companies, .
An Evolving Risk
Fifteen years ago, cyber liability was not a concern for every business. Many companies were operating without an online presence, and cyber thieves were not yet a common occurrence. Even after the 1988 Morris worm – the first recognized denial-of-service attack (DDoS) – and the increase in denial of service attacks, small and mid-sized businesses were not quite on the radar of cyber thieves. While attacks occurred, typically they were perpetrated by lesser-experienced hackers, and most often did not target smaller businesses.
Today, cyber attacks have morphed from such attacks as MafiaBoy (unleashed by a 15-year-old Canadian high school student, the DDoS attack hit the likes of Amazon, eBay, and CNN, costing an estimated $12 billion in damages) to sophisticated attacks intent on bringing down specific targets, such as global banks or foreign governments. One such attack – the Petya attack in June 2017 – held for ransom the websites of banks, newspapers, electricity providers, and foreign ministries in Ukraine, with similar attacks taking place in Australia, France, Germany, Italy, Poland, Russia, United Kingdom, and the US.
While most small to mid-sized businesses are not targeted in these large-scale attacks, there are plenty of cyber thieves who see the value in targeting smaller entities for faster payoff. That’s because many smaller companies do not have the sophisticated level of security and response that larger companies put in place.
Cybersecurity: Not in the Budget
The reason for the lack of adequate security is simple: cybersecurity, particularly at the level many companies should have, is expensive. While larger corporations with arguably more significant exposures cannot afford to go without top-level security, many smaller entities cannot afford to pay for a comprehensive cybersecurity program.
Also, there is often a disconnect between need and perceived need. Smaller companies may not be taking cyber risk seriously, or may believe that their protocols for handling customer data are straightforward enough to allow them to avoid exposure.
Another reason many smaller companies opt out of cybersecurity protection: they believe their industry is not appealing to cyber thieves. However, nearly every industry has been targeted – financial, insurance, real estate, retail, legal, and more. A survey of small and mid-sized businesses revealed that an estimated 22 percent of those companies were cyberattack victims in just a two-year period: in one case, .
There is another risk that comes with cyberattack – how the public will respond to the breach. The adverse publicity that surrounds such breaches morphs the cyberattack into a privacy issue, a reputation issue, and a public perception issue. Add to that the cost to notify customers that their information may have been compromised, remediate the damage, and launch a forensics investigation, and cybersecurity becomes too much for some companies to afford.
Affordable Cyber Protection
It often does come down to cost. No matter what the risk, if cybersecurity is not in the budget, few companies will be convinced of its efficacy. Traditional cyber insurance products, which tend to cover the scope and breadth of a large-scale cyberattack, may often be too expensive to make sense to a smaller business.
Yet going without coverage is a serious gamble. – the average cost to these same businesses due to business interruption: $1,207,965.
Fortunately, there are options for small to mid-sized businesses. They do not need to forgo cyber liability coverage entirely. Cyber endorsements are an affordable option that allows businesses to protect themselves against the cost of cyberattacks. XL Catlin’s cyber liability endorsement is an add-on to many other coverage forms, such as errors and omissions, architects and engineers, and other specialty lines of coverage, and offers up to $1 million as a sublimit to the E&O policy limits.
Such coverage is not as broad as a standalone cyber liability policy, but it is designed for smaller entities that may have an incidental cyber liability need rather than a primary one. For instance, a company that collects emails only will not have as large a cyber exposure as a company collecting Social Security numbers would. The endorsement gives the company some protection and the ability to remediate.
When looking for a cyber liability endorsement, of paramount importance is coverage for third party liability, loss of business income and extra expenses, costs to conduct a forensics investigation, notification and credit monitoring, cyber-extortion and ransomware coverage as well as data recovery. Also, look for an endorsement that provides some form of mitigation preparation.
Prevention Strategies
Even small entities can put cybersecurity measures in place that can reduce the risks of cyberattack. Some easy, effective steps include:
- Create data handling policies: Limit how many employees are allowed to handle customer data, and limit who can access the data repository. Educate employees on how they should handle any sensitive data and how to dispose of data safely.
- Use the latest antivirus software: Make sure all devices, including cell phones (whether company-owned or not), have the latest antivirus and antispyware programs, and regularly update the software.
- Use firewalls: Make it harder for thieves to reach your networks. Put password protections on all Wi-Fi networks. Encrypt all data.
- Train staff to identify potential threats: And require strong passwords that are changed frequently. Data show that 60 percent of employees use the same password for multiple sites and accounts, and .
Small to mid-sized businesses with insufficient cyber liability protection do have options. Even those companies without a large online exposure have a level of cyber risk that could be devastating to the business. Doing without any coverage is unsafe. Simple and consistent cybersecurity measures, along with a cyber liability endorsement to an E&O (or other) policy, can give these businesses peace of mind, and make doing business online much less risky.
About the author
Kevin Kiernan is a senior underwriter in XL Catlin’s Cyber and Miscellaneous Professional Liability businesses. He can be reached at kevin.kiernan@xlcatlin.com.