The rise of internet- and electronic-based systems for data organization in the business community has created an opportunity for data breaches and the loss of sensitive company information through various types of cybercrime. ISO/IEC 27040 defines a data breach as: a compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed (ISO). The Washington Post reports that in 2013 over 3,000 businesses fell victim to breaches from hacking (Bhattarai). That number is only increasing as new methods and technologies are developed for illegally obtaining private information. The Washington Post further explains that recent high-profile cases include a data breach at Target that has cost the company over $146 million (Bhattarai). According to Travelers Insurance, several other large companies, including Zappos, Global Payment Systems, LinkedIn, and Adobe, have experienced such attacks (Thoma). Companies such as P.F. Chang’s have been frustrated by insurance companies that refuse coverage under traditional insurance policies, as reported by Chad Hemenway, Managing Editor of Advisen News (Hemenway).
Many wrongly believe that these cyberattacks and data breaches are limited to large companies, and that their systems offer absolute protection from cyberattacks. Small businesses are in fact at greater risk for data breaches: Travelers Insurance reports that 31 percent of breaches occur in companies with 250 employees or fewer, and 50 percent of breaches occur in companies with 2,500 employees or fewer (Thoma). Travelers outlines some reasons why small businesses are often more vulnerable. First, small businesses often lack the infrastructure and security systems that may aid in protection from an attack (Thoma). However, these cybersecurity mechanisms do not ensure absolute safety, as several large companies that spend millions on security have still fallen victim to hacks and other cybercrimes (Thoma). Some companies have attempted to transfer liability for cyber threats to third-party data storage companies; however, this often fails to eliminate grounds for legal action (Thoma).
The consequences of a data breach can be extremely costly for any firm. The financial risks associated with identity theft and sensitive financial information are important, but often more costly to companies is the liability to customers and clients resulting from a data breach. Several laws are now in place at the federal and state levels that can result in penalties to companies that suffer data breaches. Travelers estimates that costs usually come to about $200 for every record lost (Thoma). In situations with millions of records lost, such as in the Target, Zappos, and Global Payment Systems cases, incredible sums can be lost. Various other costs exist, and even simple reactions to data breaches, such as client notification of a breach, can cost more than $500,000 (Bhattarai).
Several strategies are being developed to combat cyber threats, such as internal evaluations of potential risks, new policies and procedures designed to better protect private information, and most importantly, cyber insurance plans. Cyber insurance is becoming increasingly popular for businesses. A report by Advisen Insurance Intelligence in partnership with Zurich Insurance Company finds a 17 percent increase in companies that have purchased cyber insurance between 2011 and 2014 (Borowski). Furthermore, increasing numbers of executives report their intentions to buy cyber insurance in the future (Borowski). Many insurance agencies are doing their best to connect their clients with the best cyber security options. The Washington Post reports that more than 50 companies now offer cyber insurance (Bhattarai).
Various areas of coverage for cyber insurance exist, and it is important that companies carefully select policies that will offer them the best protection for their specific concerns. Some of the most important areas of coverage include: forensic costs; credit monitoring; notification costs; website, social media, and copyright infringement; first- and third-party claims; regulatory fines and penalties; and business interruption (Thoma).
It is also important to note that insurance agencies, particularly independent insurance agencies, should strongly consider purchasing their own cyber insurance policies. Independent Agent magazine offers three reasons why this is true. Insurance agencies collect a large amount of sensitive data from clients, and the databases that store this information are very attractive to hackers (Connelly). Furthermore, independent insurance agencies usually have fewer funds available to respond to a data breach (Connelly). Finally, independent agencies are heavily reliant on credibility and reputation. A data breach would more than likely be enough to permanently tarnish an independent agency’s reputation (Connelly).
Combatting the risk of cybercrime requires a variety of strategies. Businesses must take the first steps to limit their risk of a data breach. Andrea Wells of Insurance Journal claims that some of these steps include: outsourcing payment processing, diversification of passwords, employee education and training, encryption, and secure browsers, operating systems, routers, and data (Wells). However, as with traditional threats to businesses, many consider the risks of data breaches to be a question of “when” rather than “if.” Proper insurance is advisable for all business owners.