Cybersecurity incidents occur daily and at a growing rate. Yet many small businesses still have not obtained adequate (or any) cyber insurance to address these risks and the costly impacts to the business that will result. In a recent study completed by the Insurance Information Institute¹, only about a third of all small businesses polled responded that they have cyber insurance in place, with 70% of respondents replying that they have no plans to purchase a cyber insurance policy in the next 12 months. Most of the businesses indicated that they do not believe they have any need for cyber insurance, yet almost half of those same companies stated they are unprepared to handle cyber threats. A main reason for not purchasing cyber insurance was a lack of understanding about this type of insurance and the coverages available.
The Risks for Small Businesses
These statistics are alarming considering that the average cost of a cyber-related loss for a small business has increased 250% in the past two years, and now totals $188,400. In determining whether insurance coverage should be purchased, companies typically assess the perceived risks to the company, the likelihood of such risks occurring, and any costs or expenses that may result. For example, most companies regularly obtain a property policy to cover a fire or other casualty that may damage their business location, even though such an event is unlikely or unexpected. Yet cyber incidents are just as likely, if not more likely, to occur, and the impacts to a company in the event of an incident are far worse. Many incidents result in a complete suspension of the daily operations of the company for several days or longer.
In addition to financial loss, companies may face the following as a result of a cyber incident:
- Theft, breach or loss of information and data;
- Damage to the company's reputation, brand or image; and
- Regulatory, governance and legal issues.
How Cyber Insurance Can Help
Cyber insurance policies can be obtained to address the losses related to a data breach and may include costs for investigating a breach, notifying people affected by a breach of personally identifiable information, managing the potential damage to reputation and other crisis-management expenses, recovering lost or corrupted data, and related legal expenses. More importantly, well-drafted policies can afford coverage for business interruption losses; i.e. those expenses and lost revenue resulting from a breached system and a company's inability to continue its usual operations. Coverage may also be obtained for "cyber extortion", which covers costs resulting from an extortion event such as ransomware or fraudulent wire transfers.
It is important to keep in mind that cyber insurance is only one component to consider when developing and implementing an overall risk management strategy to prevent cyber incidents. However, taking into account the exposure to a company if and when a cyber incident occurs, it is highly advisable to have this coverage in place.
¹ Insurance Information Institute, "Small business, big risk: Lack of cyber insurance is a serious threat," October 2018.
Jeff Dennis is the head of the firm's Privacy & Data Security practice. Jeff works with the firm's clients on cyber-related issues, including contractual and insurance opportunities to lessen their risk. For more information on how Jeff can help, contact him at firstname.lastname@example.org.
Heather Whitehead is a Partner in the firm's Privacy & Data Security practice. Heather also practices insurance coverage matters for commercial, retail, industrial, mixed-use, multi-family and residential projects. For more information on how Heather can help, contact her at email@example.com.