Every small business owner is exposed to data breach and cyber risks in different ways. Before buying a policy, take the time to analyze your security risks so you know your financial exposure and can pick the policy that best protects you. This cyber insurance coverage checklist walks you through that process to get the right coverage.
You want to make sure you have a small business insurance provider that has a methodical process of assessing and covering your company’s cyber and data breach risk. The Hartford is an industry leader when it comes to helping small business owners fight back against cybercrimes.
What Cyber Insurance Is
Cyber insurance refers to a specialized insurance rider or standalone policy that protects business owners against financial losses and third-party damage from digital data breaches and cybercrimes. Policies often cover hackers installing malware, funneling customer order payments away from the business, stealing identities, and hijacking websites for ransom.
Determining Your Cyber Insurance Needs
Cyber insurance as a standalone policy can be anywhere from $1,000 to $7,500 or more annually depending on your business’ exposure. Before paying huge premiums, determine your small business cyber insurance needs first and talk to a top insurance company that will walk you through the risk and protection process in relation to other business insurance policies.
Here is your cyber insurance coverage checklist:
1. Define Data Breach and Cyber Risk for Your Company
When shopping for cyber insurance, you often hear two terms: data breach insurance and cyber risk insurance. These terms are often used interchangeably but have different meanings that should be reviewed before you evaluate your risks. Not every policy covers both, or covers both in the same way; therefore, understanding the difference is critical.
Cyber vs Data Breach Risks Insurance
Data breach risk covers every way that information about your consumers might end up in the hands of people who shouldn’t have it. These risks could be as innocent as an employee leaving a medical file open on a receptionist’s desk or as nefarious as computer hackers trying to get money or data to steal identities.
Cyber risks are always related to incidents involving compromised digital data. While the cyber breach often happens through remote digital channels, it could also happen when an employee loses a company-issued laptop or tablet.
2. Evaluate Your Cyber Risks
Evaluating your cyber and data breach risk means taking a look at where consumer data is held and what could potentially lead to a breach. There are three levels of threats you need to address: malicious, negligent, and accidental. As a small business owner, you have the most control over accidental and negligent incidents leading to data breaches.
Accidental and negligent data breaches are often best remedied with employee training and protocols. Malicious attacks require trained employees plus layers of security such as firewalls and anti-virus software to reduce the chances of a successful attack. Understanding both the internal and the external problems is critical when completing your cyber insurance coverage checklist.
Common Data Breach and Cybersecurity Scenarios
- Credit card payments
- Hacker filters and steals website payments
- Employee leaves credit card information in a file left open for the next customer to see
- Employee loses mobile processing unit with login information at a community event
- Hijacker shuts down website operations, demanding ransom
- Business fails to update anti-virus software, leaving database at risk
- Hacker uses radio wave keystroke capture to record passwords and private data
- Remote worker uses company laptop for personal internet searches on an unsecured network
- Outside sales representative loses flash drive with consumer contract PDFs
- Nefarious party mimics company server to phish for data or an opportunity to plant malware
- New employee accidentally emails private data to the wrong client
- Customer service representative responds to an email that had credit card information in it
3. Know What Information You Need to Protect
Every company has different types of information to protect, and each information category might have different requirements to secure it properly. Compare a food truck owner, who may only need to keep a hot spot payment gateway secure so hackers don’t steal consumer credit card information, with a medical office that must keep payment records, personal data, and private medical records secure whether they are digital or in paper files.
Personal Information vs Private Information
Small business owners are mandated to protect all consumer data as best they can, but there is a regulatory difference between personal and private data. Personal data is the first layer of information thieves need to steal a person’s identity. It includes a person’s name, address, date of birth, and Social Security Number. It can also include IP addresses or other digital identifiers that help a hacker confirm a person’s location.
Cyber insurance, either through a standalone policy or as a rider to a business owner’s policy (BOP), protects the business owner who doesn’t have the resources to stop cyber breaches and pay restitution to clients.
Private information is confidential information that a consumer should be able to reasonably expect is kept from public viewing. Private data might be financial records, medical history, performance, or communications with others. Private data becomes a very big cybersecurity issue for companies that have extensive client intake forms and communications such as law offices, financial services companies, medical providers, and insurance companies.
4. Review All Cybersecurity Measures in Place
Prevention is the No. 1 way to deal with cyber risks. Even with insurance in place, you may have deductibles to pay or increased premiums after a claim so preventing data breaches is an important part of keeping costs down. Take a look at what employee procedures are in place to prevent data breaches, what software and IT solutions you have or could easily implement to fight intrusions, and who has physical access to data under what circumstances.
Employee Procedures for Data Protection
If you haven’t told your employees how to protect data, you are at an increased risk for cybercrimes and data breach. In 2016, Hillary Clinton’s campaign chairman John Podesta opened a phishing email. When he responded, he gave the scammers his password information and confirmation data to “reset” the account, creating one of the biggest phishing scandals seen to date.
A few employee procedures you can easily implement to protect data include:
- Requiring complex passwords to log in to company systems
- Prohibiting employees from writing down credit card information when taking payments
- Teaching employees to recognize email phishing campaigns
- Requiring computers to be locked even when grabbing a quick cup of coffee
- Using computer screen privacy filters on all publicly visible workstations
It isn’t enough to train employees on privacy policies and procedures once. You must conduct regular sessions where employees review privacy policies, learn best practices, and role play.
IT Solutions to Stop Attacks Infiltrating Data
Every small business owner knows they should have anti-virus software, but there are many options at various price points. Review any off-the-shelf solutions you have installed such as Norton or McAfee software. Make sure they are up-to-date to protect against evolving risks and define what those covered risks are.
Common functions of anti-virus software include:
- Determining the health of your computer systems and servers
- Scanning files and directories to look for signs of malicious code
- Quarantining and removing any detected malicious code found
- Warning about web searches and emails that could be potential threats
Customized solutions created by an IT professional may be more specific to protecting larger or more complex company digital systems.
“I’ve noticed a lot of security administrators not taking advantage of something DNS offers for free—a Sender Policy Framework (SPF) record. SPF records are a special type of DNS record that identifies which mail servers are allowed to send email on behalf of your company’s domain. Using SPF records prevents spammers and phishers from sending email from unauthorized servers that look like they’re coming from your domain. In today’s world where phishing is becoming more targeted, the more authentic an email looks, the likelihood increases of someone in your company unsuspectingly clicking on it. Forging the sender domain to appear as if it’s coming from your domain is a smooth tactic to add to the phishing messages authenticity. A properly configured SPF record will stop that.”
—Steve Tcherchian, CISSP, Chief Product Officer, XYPRO
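To make the SPF mechanism concrete, here is an added example (not code from the original article or from XYPRO) of how a receiving mail server decides whether a sending IP is authorized by a domain’s SPF record. The domains and TXT records below are constructed and held in an in-memory table in place of live DNS, so the check runs offline; only the ip4, ip6, include and all mechanisms are evaluated, which is enough to show why a record ending in -all blocks a forged sender while one ending in +all blocks nothing.

```python
"""Evaluate a sender IP against a domain's SPF record (RFC 7208 subset).

Added example, not part of the original article or XYPRO's code. DNS is
replaced by a constructed in-memory table of TXT records so it runs offline.
The a, mx, ptr, exists and redirect mechanisms need live DNS and are treated
as non-matching here; a real mail server resolves them.
"""
import ipaddress

# Constructed sample TXT records standing in for DNS answers (hypothetical domains).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "noauth.example": "v=spf1 +all",  # the weak setting: any server may send as this domain
    "nospf.example": "",              # no SPF record published at all
}

# Qualifier prefix on a mechanism -> result returned when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF TXT record for domain, or None if none is published."""
    record = dns.get(domain, "")
    return record if record.startswith("v=spf1") else None


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, _depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for sender_ip."""
    if _depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10 per check
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"              # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"   # malformed record: treat as a hard error
            matched = ip.version == network.version and ip in network
        elif name == "include":
            # include: matches only if the referenced domain's record gives "pass"
            matched = check_spf(sender_ip, arg, dns, _depth + 1) == "pass"
        else:
            matched = False          # a, mx, ptr, exists, redirect=: not resolved offline

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term: RFC 7208 default


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"), ("203.0.113.9", "example.com"),
                    ("203.0.113.9", "noauth.example"), ("203.0.113.9", "nospf.example")]:
        print(f"{ip:>14} as {dom:<16} -> {check_spf(ip, dom)}")
```

A mail gateway applies the result to the envelope sender’s domain: a fail on a -all record lets it reject the forged message outright, a softfail from ~all is usually fed into spam scoring, and none means the domain never published a record, which is the gap the quote describes.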
Ways to Monitor Access Points and Reduce Opportunity Risk
Anyone with physical access could potentially install a program on your server or hard drive that is accessed from an outside-the-network computer. Third-party contractors who are able to access physical hardware increase your chances of a cyberattack. Employees should monitor anyone on-premises with access to servers.
A cyberattack doesn’t always come from a person in a remote country. Many are carried out by people who appear legitimate. For example, a subcontractor hired to upgrade the internal wiring for the company’s computers may behave unethically. A common scam is for a person in a phone company uniform to show up at the office saying they need to check the lines. Make sure employees are trained to photocopy identification, call to confirm any open work orders, and watch any unexpected workers.
5. Assess Your Response Plan
A small business needs a response plan to quickly deal with a data breach of any sort. Consumers and prospects, old and new, must be notified with any relevant consumer credit monitoring offered. A legal team and press team must tackle any claims and bad press, both in print and social media coverage. There may be ransoms to pay or expenses associated with restoring data. All of this is expensive but is part of what is covered in a cyber insurance policy.
Take a look at the common costs associated with a small cyber insurance claim. Expenses can add up fast, not to mention your business could be halted if the attack has shut down websites or central digital operations. Cyberattacks can happen at any time of day or night, meaning you could close shop at 6 p.m. and come back at 8 a.m. to angry customer calls, inaccessible servers, and even a hijacked company website.
“Well prepared and forward-thinking businesses should have a disaster recovery plan ready to go in the event of a cybersecurity threat. If all of your business’s data is stored with a cloud service provider, have autonomous and complete backups of that data somewhere else. This can be done by paying either a third party vendor to back up your data or your staff to create the backups internally. These backups and the corresponding recovery plan should be tested in disaster simulation exercises.” —Brian Gill, Co-Founder, Gillware
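The quote’s last sentence, that backups and the recovery plan should be tested, is the step most often skipped. The added example below (not code from the original article or from Gillware) shows the minimal form of such a test: record a SHA-256 manifest of the live data when the backup is taken, then verify a restored copy against it. The files, the “silent corruption” and the lost file are all constructed inside a temporary directory, so the simulation runs offline and cleans up after itself.

```python
"""Backup manifest and restore verification, as a disaster-simulation check.

Added example, not part of the original article or Gillware's tooling.
build_manifest() hashes every file under a directory; verify_restore() compares
a restored tree against that manifest and reports what is missing, altered or
unexpected. demo() constructs sample data in a temp directory and simulates a
backup that was silently damaged.
"""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest taken at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "corrupted": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed simulation: back up, damage the copy, verify. Returns (clean, damaged)."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        live = os.path.join(work, "live")
        os.makedirs(live)
        # Constructed sample business data; contents are arbitrary placeholders.
        with open(os.path.join(live, "orders.csv"), "w") as fh:
            fh.write("order_id,total\n1001,49.99\n1002,12.50\n")
        with open(os.path.join(live, "clients.json"), "w") as fh:
            fh.write('{"clients": ["Example Client A", "Example Client B"]}\n')

        manifest = build_manifest(live)                 # recorded when the backup is made
        backup = os.path.join(work, "backup")
        shutil.copytree(live, backup)
        clean = verify_restore(manifest, backup)        # a good backup: no findings

        # Simulate a damaged backup: one file silently altered, one file lost.
        with open(os.path.join(backup, "orders.csv"), "a") as fh:
            fh.write("1003,0.00\n")
        os.remove(os.path.join(backup, "clients.json"))
        damaged = verify_restore(manifest, backup)
        return clean, damaged
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup:", clean)
    print("damaged backup:", damaged)
```

The manifest only proves what a restore should contain; a real exercise also restores onto a separate system and times how long the business is down, which is the figure that business-interruption coverage is priced against.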
Typical Costs After a Cyberattack
Post-cyberattack responsibilities (estimated cost ranges):
- $1,000 to $10,000*
- $20,000 to $50,000
- $1,000 to $3,000*
- $3 to $10 per customer
- $5,000 to $15,000*
- $10,000 to $100,000*
- $5,000 to $100,000
- $5,000 to $50,000*
Experts anticipate cybercrimes will account for more than $5 trillion in business expenses by 2021. Moreover, malicious attackers focus on small businesses where budgets don’t always allow for extensive security measures. If you don’t have the assets to cover the financial risks your company faces from cybercrimes, it is time to consider cyber insurance.
If a cyberattack resulted in a HIPAA violation, the penalties could be as high as $50,000 per incident. A business without these assets is suddenly in financial turmoil from one incident, accidental or not. Find reasonable cyber insurance that meets your needs through CoverWallet.
5 Tips When Applying for Cyber Insurance
Once you have determined that you do need cyber insurance, your next step is buying it. The following tips are designed to help you ask your insurance agent the right questions so you get the appropriate policy for your cyber exposures.
Here are five tips to get the right cyber insurance coverage for your small business:
1. Choose a Company With Crisis Containment
Crisis containment is an added service that steps in to help deal with an attack as it is happening or just after. Because cybercrimes can happen at any time, it is imperative to have a company that offers 24/7 crisis containment.
“Most insurers offer an expert communication channel to customers and stakeholders, as well as a 24/7 press office that will manage the developing situation with timely external communications. This could be vital for damage limitation and may provide additional comfort for affected customers.”
—Adnan Raja, Vice President, Atlantic.net
2. Request Business Interruption Insurance on Cyber Policies
Not every cyber insurance policy or data breach policy covers expenses and lost income due to business interruption resulting from cybercrimes. This is a first-party coverage (meaning it covers damage to your business) needed if you are concerned about not being open for business for any period of time after a data breach.
“It is becoming evident that many cyber insurance policies do not cover costs associated with loss of operational downtime and business transactions. This can be a major challenge for a small business that doesn’t have backup resources or functions in place to resume work while the cyber incident is being managed. Ensure your cyber insurance policy includes a dynamic range of financial coverages that protect your business and brand for the long term.”
—Linda Hamilton, Compliance Officer and Cyber Operations Manager, Proven Data
3. Be Selective About First-Party Coverage vs Third-Party Coverage
Don’t just look at overall dollar limits of coverage when reviewing a cyber insurance policy. Consider what you need for first-party coverage issues and third-party coverage claims.
First-party coverage covers costs directly affecting the business’s exposure. Third-party coverage is the liability portion that covers another entity’s financial injury from the data breach.
First-party data breach coverage includes:
- Offering and providing credit monitoring
- Notices to affected consumers
- Reputation management
- Data recovery and restoration
Third-party data breach coverage includes:
- Regulatory fines
- Legal defense costs
- Consumer settlements and judgments
Get the right amount of coverage for each type of risk but don’t over-insure and spend more than you need to.
4. Take Preventative Action with Data Security
Preventive actions will not only minimize the likelihood of data breaches, but can also keep cyber insurance and data breach insurance costs down. Old technology is more susceptible to attacks than new technology so make sure electronic devices used for business have the latest operating systems. You should also regularly update IT solutions and anti-virus software programs as well.
Other examples of preventive actions you can take to reduce cyber risk include:
- Processes and Procedures: Set company rules to not allow personal phones at workstations where an incidental picture could capture someone’s personal data on a computer screen.
- Business Use Only: Limit online searches by employees to work-related searches only.
- Public Network Security: Make sure traveling employees have secure ways to log in to public networks, often using virtual private networks (VPN) encrypted solutions.
Teach employees smart email policies, such as explaining to customers that they shouldn’t send payment details in an email. If customers do so anyway, employees should make a point of not replying with the same data, since every copy sent back and forth increases the risk.
“Ensure there is a system of PAM (Privileged Access Management) in place at your small business which can help oversee who has access to which information and important business data. This can help control and limit the exposure of data as your business grows over time (and hires new employees).”
—Linda Hamilton, Compliance Officer and Cyber Operations Manager, Proven Data
5. Shop Insurance Companies Coverage and Rates
Don’t buy a cyber insurance policy simply because it is the cheapest you can find. No matter how inexpensive a policy is, it still needs to cover your specific risks. Make sure the insurance provider takes the time to understand your company, how it operates, what type of information it collects, and then creates a solution to protect against it.
The best commercial insurance brokers take all relevant information about your company and then shop rates among top carriers that meet your business needs. Using a broker is a great way to save time and money when buying business insurance policies, including cyber insurance. Online brokers such as CoverWallet have a fast, easy online application with access to the top insurance carriers for cyber insurance.
Cyber Insurance Frequently Asked Questions (FAQs)
Cyber insurance and data breach insurance are complicated and ever-changing policies. The following are some of our most common questions. If you still have questions, please leave a comment below or visit our forum for more information.
What is a confidentiality condition?
A confidentiality condition is a requirement cyber insurance companies put on small business owners to keep information about a cyber insurance policy secret. Publicly broadcasting cyber coverage or disclosing this information during a potential attack is reason to deny the claim if the confidentiality condition is part of the policy terms and conditions.
“An exclusion that all small businesses need to know about is the existence of a confidentiality condition in some cyber insurance policies. In the event of a cyberattack, a company must do everything in its power to not disclose the existence of a cyber insurance policy to the hacker. Revealing the existence of a cyber policy would be grounds for an insurance company to deny a claim.”
—Austin Landes, Risk Advisor, LandesBlosch
How does data breach usually occur?
A data breach usually results from employee error or negligence rather than from a hacker infiltrating systems to get information. Breaches often occur when employees fail to lock their computers when away from their desks, accidentally send an email to the wrong person, or forget to shred documents according to company policy.
“A data breach typically means that some data of yours, which is either protected under a statute (HIPAA, for example) or is highly confidential, was either accessed or transferred by an unauthorized individual. That individual could be an employee or a hacker and could be purposeful or accidental.”
—Greg Kelley, EnCE, DFCP, Vestige Digital Investigations
What if I am unsure about whether there was a breach or not?
Whenever there is a possibility of a breach, data or cyber, it is imperative to have a forensic analysis done to determine if there is an attack or if data was accidentally released to unintended parties. If you are unable to determine that a breach didn’t occur, you need to proceed as if one did because you cannot definitively express to consumers that one didn’t happen.
Every small business owner should look at all the ways the company can be held liable for data breaches and cybercrimes. Some of the best ways to avert breaches and reduce the associated costs are employee training and digital security solutions, coupled with a well-chosen cyber insurance policy. No company should be left to clean up a data breach without expert help.
The Hartford not only makes cyber insurance convenient and affordable with Business Owner’s Policy (BOP) riders, it backs this up with 24/7 crisis management support. No matter when a breach occurs, The Hartford is there to help mitigate it quickly and let you get back to running your business. Get a free, no-obligation cyber insurance quote today.