Small-business owners are beginning to realize cybersecurity technology is a necessary evil—it’s evil in the sense there’s no guarantee company data and/or customer personally identifiable information (PII) will remain secure. Besides losing valuable data, there’s a real possibility that any cybersecurity event would hurt the victim company’s reputation, inhibit business, and decimate financial reserves.
If defensive technology in and of itself is not the answer, what are small-business owners supposed to do—just hope for the best?
SEE: SMB security pack: Policies to protect your business (Tech Pro Research)
The safe bet might be cyberinsurance
Insurance is not something business owners like to spend hard-earned money on; however, until a foolproof solution comes along, cyberinsurance appears to be the way to come close to ensuring a company’s survival during and after a cybersecurity event.
“Cyber insurance is a form of insurance for businesses and individuals against internet-based risks. The most common risk that is insured against is data breaches. Cyber insurance typically includes indemnification from lawsuits related to data breaches, such as errors and omissions. It also covers losses from network security breaches, theft of intellectual property and loss of privacy.”
That said, the axiom “buyer beware” is as true now as it has ever been. According to the Deloitte report, Demystifying cyber insurance coverage, underwriters and companies wanting insurance are still working out the bugs. “That may lead to uncertainty about what type of coverage and how much insurance [a company] might need, as well as the cost/benefit associated with transferring at least part of this burgeoning exposure to insurers.”
The report’s authors add that concern over potential coverage gaps seems to be a major reason why many businesses that want and need cyberinsurance are passing for now. “Given all the potential confusion surrounding which policies may cover which cyber risks … brokers we spoke with told us that many buyers remain leery about purchasing coverage; they are afraid they won’t realize what isn’t covered until after they file a claim. … [Companies] want to avoid buying coverage they don’t fully understand and whose language may still be subject to interpretation.”
The FTC’s cyberinsurance guidelines for small businesses
To help prevent gaps and find some common ground, the Federal Trade Commission (FTC) compiled and published a series of lists on its Cybersecurity for Small Businesses website that should help small-business owners decide what they need to protect. The FTC suggests cyberinsurance should include coverage for:
- Data breaches (such as incidents involving theft of personal information)
- Cyberattacks on your data held by vendors and other third parties
- Cyberattacks affecting the company’s digital infrastructure
- Cyberattacks occurring anywhere in the world that might impact the business
- Terrorist acts that could affect the business
The FTC website puts a finer point on what the above terms mean by differentiating between first-party coverage (benefits provided to the insured) and third-party coverage (benefits provided to someone, other than the insured, who has been affected by the cyber incident).
First-party coverage typically includes business costs related to:
- Legal counsel to determine company notification and regulatory obligations
- Recovery and replacement of lost or stolen data
- Customer notification and call-center services
- Lost income due to business interruption
- Crisis management and public relations
- Cyber extortion and fraud
- Forensic services to investigate the breach
- Fees, ﬁnes, and penalties related to the cyber incident
Third-party coverage protects the company from liability claims including:
- Payments to consumers affected by the breach
- Claims and settlement expenses relating to disputes or lawsuits
- Losses related to defamation and copyright or trademark infringement
- Costs for litigation and responding to regulatory inquiries
- Other settlements, damages, and judgments
- Accounting costs
The FTC suggests adding the following provisions:
- Defending the insured in a lawsuit or regulatory investigation
- Providing coverage in excess of other applicable insurance
- Offering a breach hotline that is available at all times
Are you still unsure about cyberinsurance?
Dan Smith, president, co-founder, and COO of Zeguro, a cybersecurity company that has grabbed the attention of investors, admits in this PYMNTS article the company came under a spear-phishing attack recently. It was unsuccessful, but it pointed out a very real need.
Most small businesses do not think they need cyberinsurance (only 4% in the US currently have it) or do not know it’s available. Smith adds that another problem area is that brokers providing the insurance are not spending enough time explaining it or may not understand it themselves.
To fix the situation, Smith, in the PYMNTS article, announced that Zeguro will be partnering with the QBE Insurance Group to offer tailored cyberinsurance solutions. According to Smith, the idea is to use the company’s expertise and acquired cybersecurity intelligence to craft the appropriate cyberinsurance solution for each client.
Insurance on any level is a complicated subject, and then add the complexity of trying to secure a digital infrastructure from cybercriminals—using a partnership like Zeguro and QBE Insurance Group seems like good business.