The California Alarm Association’s winter convention, one of the foremost industry events in the electronic security arena, was held in San Francisco this past December. There I had the privilege of speaking about Cyber Liability and Cyber risks for Small to Mid-sized Businesses (SMBs) now on the increase, and what we’re seeing as effective treatments for these new threats. It turned into a lively discussion with a lot of participation from the audience, so here’s a couple of the most frequently asked questions, answered:
Q: I’m a Small-to-mid-sized business, I’m not big enough to be a target for any hacking groups or even be on anyone’s radar, why should I care about cyber threats?
A: Because your cyber-opponents have figured out that SMBs are often the easiest targets to penetrate that then get them access to bigger fish. For example, the penetration point for the large Target breach (>$290M) from 2013 was their HVAC subcontractor: because it had access to a Target facility’s Building Automation Systems, when it was breached that gave the hackers access to Target. What systems of your customers’ do you have access to? Would that be of interest to hacking groups?
These headlines have taught us that it’s not about what you’re worth, or how much business you do, that makes you a target for hackers; it’s who you work with, or have information on, that can make you a high-value target worth pursuit by cyber-criminals.
Q: Ok, I’ve upgraded my IT infrastructure and hired good people to manage it. We’ve implemented best-practices for Cyber Security and made sure we’re in compliance with all the new laws on Cyber and Customer Privacy. But what if something goes wrong? What kind of insurance policy can I get for that?
A: Cyber insurance is currently easy and inexpensive to get. But not all policies are alike. Here’s a short list of critical components to look for in a Cyber insurance policy:
- Cyber Liability: covers defense and indemnity obligations you have to third parties because of your control or ownership of their Personally Identifiable Information (PII)
- Coverage amount: how much liability coverage do you have on your other business policies? It’s recommended to carry at least as much here since claim costs are rarely under $100k
- Regulatory defense
- Regulatory fines (make sure your policy includes coverage for regulatory fines/penalties, not all do)
- PCI fines/penalties, assessments (important even if you outsource taking credit card payments to 3rd party)
- Forensics (what happened, who it affected, who needs to be notified)
- Notification costs (for alerting affected parties of a breach event as required by law)
- Credit monitoring for your customers affected by a breach
- Remediation coverage
- Cyber Business Interruption for your downtime if you suffer an attack
- Extortion & ransomware
- Network/equipment damage (cost to repair/rebuild)
- Cyber Crime coverage (voluntary parting w/funds, social engineering)
- Reputational harm
This should serve as a primer to give you an idea of what you can have. Coverage is fairly broad now, and relatively inexpensive compared to other liability coverages an SMB might carry, so now is a great time to secure quality coverage before the current influx of claims takes its toll on the insurance market and reduces that ready availability.
If you’d like to see what kind of options exist to protect your business from this emerging risk, give us a call and see just how easy and affordable this form of protection really can be.
About the Author
Larry St. John is a 20+ year veteran of insurance and risk management for the construction and electronic security industries.
He can be reached at LStJohn@eclipse-insurance.com