In December 2010, Honda joined a list already populated by major financial institutions and retailers, suffering a breach of customer data thought to affect over 2 million Honda owners. Stories such as these send shockwaves through industry, and while they often don’t result in damages, the fear is justified. The mistake most small business owners make is to assume that such breaches are the realm of large companies. The reality is the opposite, according to the chronology of data breaches available from privacyrights.org/data-breach. The evidence indicates that small businesses are a favorite target of cyber crooks because they often lack the resources to protect themselves from such crimes.
So how much could a data breach cost your firm? An average of $204 per customer record that is lost or stolen, according to the Ponemon Institute’s First Annual Cost of Cyber Crime Study, published in July 2010 and including both private and public enterprises. Fifteen percent of data breaches are inside jobs, perpetrated by employees or contractors with access to the system, according to Kroll, a London-based consultancy firm.
The crimes vary, sometimes resulting from a disgruntled employee and other times as a result of a widespread theft operation. The Ponemon study lists several common cyber crimes, including:
- Creating and distributing viruses
- Posting private company information in a public forum online
- Compromising online bank accounts
- Theft of intellectual property
- Identity theft
The first step in combating such crimes is a formal risk management plan. Creating an effective plan takes tremendous resources, and it must be constantly monitored. Large firms are more likely to have complex risk management tools and programs in place to identify and manage exposures. A smaller business is less likely to be able to afford the time and money needed for such a program.
Insuring Cyber Risk
Cyber crimes have been around for several years, and insurance companies have developed policies designed to cover many different exposures. Some policies are specifically designed to cover first-party exposures, others address third-party exposures, and some cover both.
Businesses must evaluate cyber risk from both a first-party and third-party perspective. First-party losses are costs that cover the company’s own expenses caused by a cyber crime. Examples of such costs may include notification and credit monitoring for compromised individuals (note that some policies consider notification costs as a third-party coverage), data restoration, system repair and lost income.
Traditional first-party insurance policies typically limit or exclude coverage for cyber crimes. For this reason, a cyber insurance policy that covers first-party costs should be coordinated with the firm’s other first-party policies, such as equipment breakdown, crime and other property insurance. When a cyber crime is committed against the first party’s system or operations, third parties may be affected as well. Examples of third-party exposures include infringement of copyright, invasion of privacy, unauthorized access to confidential information, software that causes the third party’s system to fail, and theft of identity, medical or other private data.
Third-party costs may include defense costs and judgments or settlements for lawsuits brought by customers, employees or others. Costs may also result from an investigation brought by a regulatory body. Traditional third-party insurance policies typically limit or exclude coverage for cyber crimes. For this reason, a cyber insurance policy that covers third-party costs should be coordinated with the firm’s other third-party policies, such as professional and general liability, technology and other liability insurance.
When reviewing coverage for cyber crime, consider the following:
Is the liability coverage sufficient to assist with costs associated with defense, settlements and judgments that the business is legally obligated to pay?
Is the coverage for so-called “remediation” sufficient? Remediation refers to the costs associated with responding to a data breach. These may include the cost of investigation, consumer notification, credit monitoring and public relations, and some of them may be mandated by state law. Currently, 47 states have privacy and/or breach notice laws requiring businesses to make timely notifications to consumers when a breach has occurred, regardless of whether any damage is actually done. The laws differ by state. Many such laws require the first party to pay notification costs, such as mailings, setting up a website and providing a consumer hotline. These efforts cost an average of $9 per customer. Many businesses also offer affected customers access to credit-monitoring services that range from $10 to $60 annually per person.
Is the coverage for the cost to investigate and close the breach sufficient? Such costs may include hundreds of dollars per hour for computer forensics experts and attorneys and the cost of installing new systems.
Don’t Go It Alone
There is no “standard” cyber insurance policy. A thorough examination of the policy’s terms with your Trusted Choice® independent insurance agent is a necessary step to identify potential gaps in coverage. Your Trusted Choice® agent will help you determine your exposure and whether an enhancement is available to one of your firm’s existing policies. If such an enhancement is not available or proves insufficient, your agent will assist you in determining which policy will best protect your firm from costs associated with cyber crime.