The recent Target and Neiman Marcus credit card breaches are just the tip of the iceberg in a series of cyber-attacks that are posing an increasingly serious threat to the business world, experts say.
In those instances, hackers were able to steal more than 40 million credit and debit card records from company servers and then sell the data on the black market for up to $100 per card.
"The common perception is that the typical cybercriminal is somebody who works on their own, is a computer geek in a bedroom or garage, and tries to provoke havoc. In actual fact, because it's such a lucrative business, (cybercrime) has attracted organized crime across the globe," says Conor Madden, global sales director for WebTitan, a web filtering solution provided by SpamTitan Technologies, a global email and internet security company.
In a lot of cases, cyber criminals can be as well-organized and funded as the best and brightest tech startups, Madden says.
And small to medium-size businesses should not consider themselves immune to cybercrime. "It's not luxury coverage," says Bob Childress, CEO of Largo, Fla.-based Solace Insurance. "If a company has any type of database where people can get a hold of customer information, they need coverage." This is just another reason small business insurance coverage can come in handy more than you might initially realize.
What is cyber risk insurance?
In response, a number of insurance companies are offering cyber insurance to businesses to help lessen the financial and reputational losses caused by cyber-attacks. Amid a rising number of high-profile cyber-attacks that have led to increased calls for legislation and regulation, a growing number of businesses are purchasing cyber risk insurance, according to the Insurance Information Institute.
Specialized cyber risk coverage is available primarily as a standalone policy. Each policy is tailored to the specific needs of a company, depending on the technology being used and the level of risk involved.
Childress says many companies underestimate the potentially catastrophic consequences cybercrime can have on a business. According to Childress, these consequences include:
- A small- or medium-sized business, even one in existence for 50 to 100 years, could be financially devastated and forced to close its doors.
- A business could suffer nearly irreparable harm to its reputation – requiring the assistance of a public relations firm to help reestablish its good name and customer confidence.
- A company may have to pay fines for violating consumer protection laws as a result of not protecting consumer data.
So how exactly does cyber risk business insurance protect against these risks?
Why should a business have cyber risk insurance?
Although cyber-attacks such as those suffered by Target are top concerns for 85 percent of businesses, less than 20 percent of companies purchase cyber insurance as a means of protection, Childress says.
As companies have increasingly come to rely on the Internet to conduct business, Childress says even small- and medium-sized businesses need to protect themselves against cyber theft.
A recent report by the Ponemon Institute, a Traverse City, Mich.-based company that conducts independent research on privacy, data protection and information security policy, found the average annual cost of cyber-attacks among 56 businesses was $8.9 million per year. The average time to resolve a cyber-attack was 24 days, with an average cost of $591,780.
Currently, cyber liability insurance policies cost anywhere from $750 a year for a small business to $300,000 to $400,000 annually for a large company, says Matt Prevost, the assistant vice president of the management liability division at Philadelphia Insurance Companies.
A number of companies offer the policies, including Travelers Insurance, Chubb Corp., American International Group, Hartford Insurance and CNA.
In the event of a security breach, Prevost says the policies offer a wide variety of coverage. This includes:
- The costs of forensics to determine who was affected by the security breach.
- The expense of notifying affected individuals.
- The legal costs of issuing a letter to customers and setting up a customer service hotline.
- Reimbursement for any damages customers suffer as a result of fraudulent charges and bank fees.
- The costs of restoring a customer’s credit rating.
Businesses rely on customer confidence and their reputations, and a security breach could result in customers deciding to take their business elsewhere, Childress says.
"For Target…they noticed a blip in credit card usage," Childress says. "Over time, they will recover from that. Small- and medium-sized businesses can't so easily recover from something like that."