Sure, you can install anti-virus programs. You can even go a step further and encrypt your data and heavily protect your passwords. In fact, these are but a few of many steps business owners can take to prevent cybersecurity breaches and subsequent data theft.
But they aren’t foolproof, none of them, not even in combination.
Thus, after implementing all the appropriate measures to protect internal data, one expert says small business owners should also consider what would happen if those measures fail — specifically, whether their insurance policies would cover the losses and damages.
“Most small business packages don’t cover data breaches or really anything data related,” said Matt Cullina, chief executive of Identity Theft 911, a business and data risk management firm. “Many have an exclusion called the ‘intangible property exclusion,’ which basically says data is intangible. You can’t touch it, you can’t feel it, so if it’s damaged, there’s no way to calculate the cost to replace it later.”
Nevertheless, he says some vendors are slowly expanding their policies to include cybersecurity coverage, and it’s something most small business owners should at least consider when shopping for insurance. But how do you know whether your firm needs such coverage, or even which types of packages are available?
Here’s what Cullina and his team urge business owners to consider:
Have I already taken steps to protect my data?
Start by taking the appropriate preventative measures, not just because they’ll help protect your company’s private data, but because insurance companies will want to see due diligence on the business owners’ part before offering to cover them for cybersecurity breaches.
“You have to demonstrate that you understand your network structure and your vulnerabilities, use updated anti-virus software, and that you have some semblance of documentation,” said Brian McGinley, senior vice president for IDT 911 data risk management. “Those are the areas vendors are going to look at. They are relatively controllable, low-hanging fruit, but they show you recognize the threat and are doing something to mitigate that threat.”
Most providers won’t go beyond that initially, as they don’t want to lose potential clients by placing too many impediments between small businesses trying to secure coverage. However, for limits eclipsing around $50,000 in cybersecurity coverage, McGinley says vendors will start wanting to see tight password protection and sophisticated data encryption.
Does my type of firm need this type of coverage?
“Every business with either employees or customers has some sort of private information, whether it’s credit card numbers, Social Security numbers, driver’s license numbers, what have you,” said Eduard Goodman, chief privacy officer at IDT911. “The cost associated with those exposures is where business owners need to focus.”
Still, some companies are more susceptible than others. Goodman says independent retailers are especially vulnerable, as they often handle tons of credit card data on a day-to-day basis, but professional services firms should also take a long, hard look at cybersecurity coverage. Doctors, he says, are often aware of the risks because of strict federal regulations, but law firms, accounting firms and dentistry practices are often blindsided by massive data breaches.
For example, he says all but four states have laws requiring businesses to notify in writing every person affected by a loss of data, and his firm once worked with a group of CPAs that lost roughly 120,000 individuals’ private information.
“Each letter costs between a dollar and two dollars to print, package and deliver,” Goodman said. “That’s a bill for $200K, and that’s just to send out the mandatory notifications. So you can see how a small business wouldn’t see this as a major liability, something like a lost laptop happens, and they don’t even know if they can keep their doors open.”
What type of coverage is available?
Currently, most cybersecurity insurance policies are split into two levels of coverage. First-party coverage accounts for the costs that the business would have to lay out to respond to a loss of clients’ or employees’ private information. Typically, Cullina said, that would cover expenses like consulting services, which will help owners notify the right authorities, and credit-monitoring and fraud-resolution services, which owners can offer to victims to help them mend any problems stemming from the lost data.
“First-party coverage will also cover the costs of sending those notification letters, and sometimes it will cover some minor legal fees, like checking the content of those letters to see if they meet state requirements,” Goodman said.
Companies handling enormous amounts of private information may want to consider adding third-party coverage, Goodman said, which usually covers legal defense costs, including lawsuits filed by consumers and other businesses. Those policies may also cover fines and penalties, as well as computer forensic costs, which would come in awfully handy for those hoping to catch the cyber crooks who broke into their system.