Recent headlines are rife with reports of hackers wreaking havoc on U.S. companies and small businesses. One important step that’s particularly critical for small businesses to take is to invest in cyber-insurance, also known as cybersecurity insurance.
The U.S. government’s Cybersecurity & Infrastructure Security Agency describes the purpose of cybersecurity insurance as “designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.” Note what that says: insurance does not keep attackers away from the personal identifying information your company stores. What it does, for small businesses just as for large ones, is transfer part of the financial loss when an attacker succeeds.
Small Companies More Vulnerable to Attack
As a small business you may not have had cyber-insurance on your radar until recently, but the reality is that a growing share of small and mid-sized businesses will experience a cyber-attack or data breach in the coming years. The reason is straightforward and disturbing: attackers know that most small businesses lack the staff and budget that large companies devote to protecting their data, and they target them accordingly.
As an example of what can happen, consider the Kaseya ransomware attack of July 2, 2021, which targeted managed service providers (MSPs), the firms that provide IT services to small and mid-size businesses. MSPs use Kaseya’s VSA (Virtual System Administrator) software to manage their clients’ systems, including pushing software updates to them. In this case the attackers compromised VSA servers and abused that update mechanism.
Using VSA, the attackers pushed their ransomware to the MSPs’ clients as if it were a legitimate software update, so the victims were hit through the very tool that was supposed to keep their systems patched. Kaseya estimated that as many as 1,500 small to mid-sized businesses were affected. Those that had cyber-insurance to cover the worst outcomes would have emerged from the crisis in much better shape than those that didn’t.
Two Types of Data Breach Coverage
There are some common misconceptions about cyber-insurance – specifically about what it does and does not cover – that small-business owners should be aware of. As they say, the devil is in the details, so be sure to read the fine print and do your homework.
Some areas that cyber-insurance generally does not cover: profits you might have earned in the future, the cost of improving your internal systems after the fact (such as software upgrades), and, if your intellectual property is stolen, the loss in its value that results from the theft.
What does cyber-insurance cover? There are two primary types of coverage, depending on the carrier: data breach insurance and cyber liability insurance.
Data breach coverage can generally help you pay for or cover the following:
- Alerting customers or employees that they have been the victim of a data breach
- Hiring a PR firm
- Offering credit monitoring services to those who have become victims of data breaches
- Helping replace lost income related to data breaches with business income and extra expense coverage
- Helping to cover the amount your business paid if someone takes business data and demands a ransom – this is known as extortion coverage
Cyber liability insurance typically covers:
- Alerting data breach customers that their sensitive information has been compromised
- Providing legal services to assist a business’s compliance with state and federal regulations
- Paying the extortion money to regain access to files that were locked in a ransomware attack
- Providing income that a business loses as a result of a network outage
- Paying for lawsuits related to the privacy and security of customers or employees
- Paying state and federal agencies’ regulatory fines
Small businesses shopping for a cyber-insurance policy should look for a carrier with experience handling cyber-related claims, a transparent pricing structure, and an understanding of your business. But aside from investing in insurance, my number-one tip for small and mid-sized businesses that want to protect themselves from cyber risks is defense in depth: several independent layers of protection, so that one failure does not take the whole business down.
The only real defense is a strategy that includes not only network security and identity management but also a data protection strategy with multiple copies of your data kept apart from one another, at least one of them offline or otherwise unreachable from the production network and from the management tools used to administer it (the Kaseya victims learned that anything the management agent could reach, the ransomware could reach too), plus a tested data recovery plan that can get your business up and running quickly after an attack. Backups you have never restored are a hope, not a plan. If recovery is practiced and works, your business may never have to pay the ransom, which is the best outcome you can hope for in the event of foul play with your data.
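As an added illustration of the recovery half of that strategy (example code written for this page, not anything from Kaseya, an MSP, or an insurer), the following Python script backs up a constructed sample file share into three copies, simulates ransomware overwriting the two copies that are reachable from the network, and then runs a restore drill that reports which copies can actually be restored byte-for-byte against a SHA-256 manifest. The copy names, the sample files and the ransomware stand-in are all constructed for the example; the only thing it claims is that a copy counts as a backup when a restore of it verifies, not when it merely exists.

```python
"""Backup copies are only as good as a verified restore: a small drill.

Added example for this page (not Kaseya's or any insurer's code). All
paths, file contents and the ransomware stand-in are constructed here.
"""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed stand-in for a small business's file share.
SAMPLE_FILES = {
    "invoices/2021-06.csv": b"id,customer,amount\n1,acme,120.00\n",
    "customers.json": b'{"acme": {"contact": "ops@acme.example"}}\n',
}
# Constructed copy locations: two reachable from the network, one offline.
ONLINE_COPIES = ("onsite-nas", "cloud-sync")
OFFLINE_COPY = "offline-usb"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_data(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def make_backup(src: Path, dest: Path) -> tuple[Path, Path]:
    """Archive src into dest/backup.tar and write a SHA-256 manifest beside it."""
    dest.mkdir(parents=True, exist_ok=True)
    archive, manifest = dest / "backup.tar", dest / "manifest.json"
    hashes: dict[str, str] = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                hashes[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return archive, manifest


def restore_and_verify(archive: Path, manifest: Path) -> bool:
    """Restore into scratch space and compare every file's hash to the manifest.

    Any unreadable archive, missing, extra or altered file fails the copy;
    an archive that ransomware has encrypted in place fails at tarfile.open.
    """
    try:
        expected = json.loads(manifest.read_text())
    except (OSError, ValueError):
        return False
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp)
        # Use the hardened extraction filter where this Python provides it.
        opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r") as tar:
                tar.extractall(scratch, **opts)
        except (OSError, tarfile.TarError):
            return False
        actual = {p.relative_to(scratch).as_posix(): sha256_file(p)
                  for p in scratch.rglob("*") if p.is_file()}
    return actual == expected


def simulate_ransomware(copy_dir: Path) -> None:
    """Constructed stand-in for ransomware that reaches a backup copy:
    overwrite the archive with random bytes, as encryption in place would."""
    archive = copy_dir / "backup.tar"
    archive.write_bytes(os.urandom(archive.stat().st_size))


def drill() -> dict[str, bool]:
    """Back up to every copy, let ransomware hit the online ones, then report
    which copies still restore cleanly."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "fileshare"
        write_sample_data(src)
        copies = {name: make_backup(src, root / name)
                  for name in (*ONLINE_COPIES, OFFLINE_COPY)}
        for name in ONLINE_COPIES:
            simulate_ransomware(root / name)
        return {name: restore_and_verify(a, m) for name, (a, m) in copies.items()}


if __name__ == "__main__":
    for name, ok in drill().items():
        print(f"{name}: {'restorable' if ok else 'UNUSABLE'}")
```

Run as a script it reports the two online copies as unusable and the offline copy as restorable. The design point is the one the paragraph makes: the drill does not trust a copy because it was written, it trusts it because a restore of it matched the manifest, and the only copy that survives is the one the ransomware could not reach.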