Next Cyberattack Could Cost as Much as Superstorm Sandy
A major cyberattack could cost billions of dollars and, unlike extreme weather, comes without warning.
The total cost of a worldwide cyberattack could be as high as $53 billion, according to a report issued by Lloyd’s of London in July 2017. That’s almost as much as the cost of Superstorm Sandy ($50-$70 billion), the second costliest disaster in U.S. history. But worldwide cyberattacks aren’t the only risk for small businesses. 43 percent of cyberattacks target small businesses, according to Small Business Trends.
Cyberattacks can come from anywhere: nation states, terrorists, criminals, activists, external opportunists and company insiders (both intentional and unintentional). Their motivation may be to gain political, military or economic advantage. Where businesses are concerned, though, attackers steal money or data they can turn into money, such as credit card numbers, health records, personal identification information and tax returns, or they set up a ransom situation that locks the company’s access to its data until the ransom is paid.
The National Association of Insurance Commissioners (NAIC) has identified the main cyber risks as:
- Identity theft as a result of security breaches where sensitive information is stolen by a hacker or inadvertently disclosed, including such data as Social Security numbers, credit card numbers, employee identification numbers, drivers’ license numbers, birth dates and PIN numbers.
- Business interruption from a hacker shutting down a network.
- Damage to the firm’s reputation.
- Costs associated with damage to data records caused by a hacker.
- Theft of valuable digital assets, including customer lists, business trade secrets and other similar electronic business assets.
- Introduction of malware, worms and other malicious computer code.
- Human error leading to inadvertent disclosure of sensitive information, such as an email from an employee to unintended recipients containing sensitive business information or personal identifying information.
- The cost of credit monitoring services for people impacted by a security breach.
- Lawsuits alleging trademark or copyright infringement.
Cyber Risk Management
The primary defense against cyber security loss is a well-designed and conscientiously maintained risk management program. The first step in such a program is to identify the firm’s vulnerabilities, including systems, procedures, programming and personnel. The next step is to control those vulnerabilities as much as possible. Here is a short, practical checklist:
- Make sure all company computers have the latest security software, web browsers and operating systems to protect against viruses, malware and other online threats.
- Turn on automatic software updates, if that’s an option. Many updates specifically address known security risks.
- Scan all new devices, including USB devices, before they are attached to the network.
- Use a firewall to keep criminals out and sensitive data in.
- Use spam filters. Spam can carry malicious software and phishing scams, some aimed directly at businesses.
- Know what Personally Identifiable Information (PII) you’re storing on your customers, including where you store it, how you use it, who can access it, and how you protect it. Delete any unneeded information.
No matter what firewalls, software and authentication protocols you’ve installed, your cyber security system is vulnerable if you’re not educating your employees on avoiding risky behavior online. The Workplace Security Risk Calculator, available free at https://staysafeonline.org/stay-safe-online/resources/workplace-security-risk-calculator, lets your employees gauge the level of risk their online behaviors pose. You can get more good advice here: https://staysafeonline.org/business-safe-online/implement-a-cybersecurity-plan.
Cyber Liability Insurance Policies
Even with a cyber security plan in place, your business still needs a fail-safe to protect it against cyber risk.
Currently, most standard commercial lines policies do not provide insurance for cyber risks. You need a special cyber liability policy. Due to the lack of actuarial data, however, such coverage is difficult to price. Insurers deal with this by evaluating each risk according to its risk management procedures and risk culture. As a result, cyber risk coverages are more customized and, therefore, more costly.
The type and cost of cyber liability coverage offered by insurers is based on the type of business, its size and geographical scope, the number of customers it serves, its web presence, the type of data it collects and stores and other factors, including its risk management and disaster response plan.
Cyber liability policies might include one or more of the following types of coverage, according to the NAIC:
- Liability for security or privacy breaches. This would include loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.
- The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers.
- The costs associated with restoring, updating or replacing business assets stored electronically.
- Business interruption and extra expense related to a security or privacy breach.
- Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.
- Expenses related to cyber extortion or cyber terrorism.
- Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.
For more information about cyber security insurance, please contact us.