There are plenty of horror stories out there about hacking, malware and data breaches costing companies million of dollars. Ponemon Institute found that the average cost of a data breach was $3.8 million. DDoS attacks alone cost businesses an average of $2.5 million, according to a Neustar survey of 1,000 enterprise firms.
But it’s not just corporations like Wendy’s and Home Depot suffering from costly hacks and a tarnished reputation: over 43% of cyber attacks affect small businesses specifically because they are easy targets. And the damage isn’t just expensive, it’s often fatal. 60% of small businesses that are hacked ultimately go out of business.
Take SaaS provider Code Spaces. The company suffered a fatal hack after being attacked through a vulnerability in its Amazon Elastic Compute Cloud control panel. Hackers quickly erased their data, backups, and even their offsite backups. The hackers then demanded a hefty ransom to release the files.
Code Spaces tried to step in and regain access, but quickly realized the hackers had already created backup logins and had completely infiltrated their systems with little resolution. Code Spaces eventually shut down and acknowledged the hack had irrevocably damaged their business.
But there are ways to protect your business from hacking that go beyond the standard site security tools and audits. Just like automobile insurance helps drivers recoup costs in the case of an accident, damage or loss, cyber insurance can help protect businesses and restore their assets after a hacking incident.
With the right cyber insurance policy in place, Code Spaces could have recouped financial damages associated with data loss, equipment failure and backup restoration – and stayed in business.
But despite the high odds and ultimate costs of being hacked, most companies aren’t ready to deal with even small-scale hacking. One insurer’s Cyber Readiness Report found that 53% of companies surveyed were novices when it came to cyber attacks – and that leaves these businesses completely vulnerable.
Some companies may assume their current insurance covers hacking, but that’s typically not true. Traditional commercial general liability doesn’t cover cyber or data breaches. Companies are left to deal with those issues on their own. However, specific cyber insurance policies, also called cyber risk insurance or cyber liability insurance coverage, can help offset costs associated with recovery after a security breach.
Although cyber insurance for both small businesses and corporations has been around for awhile, it didn’t really catch on until around 2005, and is still a relatively young industry. Today, forecasted premiums are expected to reach $7.5 billion by 2020. Yet despite the potential protection cyber insurance offers, Advisen found that over 97% of small businesses don’t have such coverage to deal with a data breach.
Not sure where to start with cyber insurance or if you even need it? Companies trying to weigh the pros and cons of cyber insurance and what it means for their business can dig deeper to identify where cyber insurance helps and where it doesn’t.
Hacking universally causes damage to businesses of all sizes, but the attack techniques differ. Here are three ways hackers can hurt your business, and how cyber insurance can help restore your operations.
In ransomware attacks, hackers take over systems and destroy your data or leak it to the public if their demands aren’t met. The practice has become so widespread that more businesses are buying cryptocurrency like bitcoin to pay off hackers in case their files and sensitive information are held for ransom. For example, the Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom to computer hackers to regain access to files and were ultimately offline for a week.
Paying off hackers could provide a short-term, immediate solution, but it can still be costly and irrevocably damage your business’s reputation. Paying out on ransomware could also perpetuate the hacking cycle by signaling that you’re a victim willing to pay up.
A cyber insurance policy with cyber extortion coverage can help cover the costs of ransomware. Deductibles could be as high as $5 million depending on the size of the company and policy.
Hackers who steal your customers’ identities (including information such as social security numbers) can put your company at risk for professional liability. The expenses involved in restoring your business could include a forensic investigation, legal fees, and restoration services.
Hacking can also take businesses down for weeks, if not indefinitely. The costs associated with shutdowns and PR fallout are high. Cyber insurance policies can help cover the costs involved and keep your company up and running.
Data breaches usually include credit card skimming in order to rack up fraudulent charges before the activity is discovered and shut down. A business’s costs could include paying back customers and investors, as well as paying a premium for third-party security services, tools, and resources to help fix vulnerabilities in order to stop the hacking and prevent it from happening again.
Some cyber insurance policies may require the use of encrypted devices or other safeguards before paying out for damages but can help mitigate the costs involved in public communications associated with addressing the breach.
Just because cyber insurance can help businesses doesn’t mean it’s foolproof. Like any other type of insurance, a cyber insurance policy also comes with a list of pros and cons to weigh before taking next steps.
They’ll also likely need the services of a company that can help fix security issues, scan web applications, and offer around-the clock-monitoring for malicious activity. This is a good thing, but it does add to costs.
As this insurance type becomes more mainstream like a car or house insurance, we think there will be an opportunity for cyber insurance policy providers to also be key promoters of using preventive best practices in security, instead of just providing liability coverage, even providing incentives to do so. Just as a house insurance policy cost goes down if you have a burglar alarm, so might your identity theft insurance policy cost go down if you already have two-factor authentication in place. Taking it a step further, insurance companies may also provide guidelines and preventive measure audits from their own recommended list of vendors as part of their insurance services.
The media is saturated with stories of big-name companies getting hacked and dealing with the multi-million dollar fallout, like the examples below. But small businesses are hit so hard by hacking that it’s not unusual for them to go out of business completely. Learn from these large companies, and make sure your business is covered appropriately at scale.
Corporations like Target are already using cybersecurity policies to restore operations after large-scale hacks. According to Cyber Security Law, Target had $100 million in cyber insurance coverage during its massive data breach, with a $10 million deductible. Their policy also included a $50 million suit for settlements with payment card networks.
It’s still important to have robust cybersecurity tools in place, as cyber insurance typically doesn’t cover things like lost sales due to reputation damage.
Sony also used cyber insurance to help mitigate the costs of a disastrous data breach when its PlayStation network was hacked. Unfortunately, the company has suffered through several hacks, including a 2011 hack that compromised over 77 million personal accounts and totaled an estimated $170 million in damages. However, Sony’s cyber policy was estimated to cover most, if not all, of their $100 million in losses. The company indicated they did not expect the damages to be disruptive to their budget.
More recently a Sony PlayStation hack resulted in 2.5 million PlayStation and Xbox players’ details being stolen in a major breach. An updated policy could again offset most of those costs, or at least keep the company up and running as they work through the damage.
According to Business Insurance, Home Depot reportedly held a $105 million cyber insurance policy at the time of their widespread data breach. Although Home Depot declined to comment on its cyber insurance and policies, it is estimated that their coverage was robust enough to deal with the 2014 breach that affected thousands of customer credit cards and debit cards.
No insurance policies or providers are created equally. In the same way you would shop around for homeowner’s insurance or commercial insurance for your business, you need to look closely at the companies that are providing cyber insurance policies and what they actually cover. Here’s what to look out for.
It’s only logical a smaller business with fewer assets and customers would need a smaller cyber insurance policy than a juggernaut corporation. Look at your cyber insurance deductibles to figure out how issues like ransomware are handled, and what your associated costs would be. You may find the high price won’t offset your damages, and you can ultimately choose a less expensive policy.
Companies still need to practice online safety when running a business, even with cyber insurance in place. In fact, your cyber insurance may require you to use third-party tools and a company like Indusface that can help fix and monitor security issues to prevent and combat hacking tactics, including malware and ransomware.
It’s possible your cyber insurance will not be liable to pay out on any damages without these measures in place. Find out what your cyber insurance company considers to be adequate security before purchasing a policy.
Find out more about the manpower behind your cyber insurance policy. Are they experts in their field and well-versed on issues of hacking, ransomware, malware and other hacker-related damage? If not, keep looking. Part of the value behind your cyber insurance is the ability to call on experts in the field to guide you through the process after a hack.
Even a business owner with years of experience using cyber insurance should always read the fine print and anticipate exclusions. The cyber insurance industry is still relatively new, and that lack of business history can mean the data and exclusions will vary widely.
Lean on your legal team, trusted peers in your industry, and risk managers to help talk you through whether cyber insurance is right for your business or not, and what it will actually cover. Buying a cyber insurance policy on blind faith could leave you holding the liability bag after a hacking incident, with a cyber insurance policy that doesn’t actually cover you for much of anything. You may find your policy has so much fine print and so many exclusions that it’s not going to offer you much unless you have adequate preventative measures in place first.
Balancing an insurance policy with preventative security measures is essential for protecting your company’s security and assets against an attack. Speak to Indusface today to find a cyber protection solution that best complements your cyber insurance policy.
Do you have experience with leaning on cyber insurance after a hack? Let us know by leaving a comment below.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.