Blog

Cyber Insurance for Small Businesses

by Henry Glickel

Posted on May 07, 2020 at 07:31:50 AM




Introduction:

You are at the potential risk of a data breach if your company has valuable assets such as customers’ database, intellectual property, or corporate data. Regardless of whether you're a Fortune 500 firm or a small retail outlet —cybercriminals are always hunting for their next target. Believing that small scale businesses are impervious to cyber crooks is a naive misconception. In fact, according to Verizon, 43% of cyber-crimes are targeted at small firms. [1] No company, organization, firm, or corporation of any size is entirely safe and secure from a potential data breach.

What is cyber-insurance?

Cyber insurance is an integrated and comprehensive insurance policy that covers your business’ liability for a data breach involving personally identifiable information (P.I.I.). It includes information related to Social Security numbers (S.S.N.), credit card and debit card details, bank account numbers, driver’s license details, and medical records and history.

Why does YOUR firm need a dedicated, comprehensive and proactive cybersecurity insurance policy?

When you run a business or an organization, you come across various technical difficulties. Some of these hurdles are not immediately visible to even the most trained computer whiz. Malicious and illicit practices meant to compromise your company's data are known as cyber-attacks.

Cyber-attacks are quite common in today’s technologically advanced world. These attacks are not aimed at big data companies only but are also adversely affecting small to medium-size enterprises.

The following statistics shed some more light on this ever-prevalent issue:
  • There is a high-level cyber-attack every 39 seconds. According to a research study conducted by the University of Maryland, there is a malware attack every 39 seconds. [2] Such attacks adversely affect one in three Americans per year. Unprotected usernames and passwords provide easy access to the hackers to infiltrate the database and cause losses ranging from a few thousand to million dollars.
  • As more and more businesses integrate and the world shapes into a global village, Juniper Research suggests that malicious cyber-attacks will cost companies more than $2 trillion total in 2020. [3]
  • According to Cisco annual report, there are 8 connected devices per person in the United States and that number will grow to 13.6 by 2022. [4] Therefore, the risk of cyber-attacks will continue unabated.

So, do you think that your business has enough funds for a rainy day? Or perhaps you want to save yourself from unprecedented circumstances that you simply cannot predict? Then a cyber-insurance policy is necessary for your firm to help mitigate these unforeseen risks.

The insurance plan will help you:

  • Save for a rainy day as data breaches may cost you significantly more without insurance. The average cost of a data breach in 2019 in the U.S was $8.19 million. [5]
  • Cover costs related to data recovery, legal fees, equipment damages, business disruption, and revenue loss that might hit your bottom line.
  • Preserve your confidential database system from being transmitted, compromised, or stolen.
  • Protect your business reputation. According to a RIMS cybersecurity survey, 74% of organizations are planning to buy cyber liability insurance because any potential data breach can negatively impact their reputation. [6] Subsequently, their market share and bottom-line are dented.

Why are recruiting and staffing agencies in dire need of a cyber security insurance policy?

Recruiting and staffing firms are at the highest potential of a cyber-attack. For instance, the personally identifiable information (P.I.I.) of 711,000 potentially unemployed jobseekers was compromised when a hacker accessed a server at Michael Page, a recruitment agency based out of the United Kingdom. When a third party contacted an I.T. expert, only then did the recruitment agency find out their information had been stolen. [7]

So, these four reasons will demonstrate why recruiting and staffing agencies require cyber-insurance coverage:

1. Confidential databases

Staffing and recruiting companies accumulate substantial amounts of classified information on jobseekers, employees, and businesses. A recruiting database can include personally identifiable information and financial data. So, hackers target recruiting agencies with W2 scams every year to get hold of the confidential information.

2. Costs associated with notifications, legal, and forensics:

If there is a data breach, it is legally binding upon a recruitment agency to inform individuals whose personal data has been compromised. For this to take place, first, a forensic analyst would charge you heavily to determine the scope of the breach. Then, a law firm will be required to notify individuals. Once these individuals are told, there’s a higher probability of a lawsuit, which can adversely affect your agency’s reputation.

3. Massive business interruption and system damage that may dent your firm’s image

There is an increasing dependency of recruitment firms on their software systems to hunt down leads, conduct interviews, manage contract agreements, prepare payrolls, etc. So, if there is a data breach, you will have to pay a company to recover assets and reconstruct your database management systems. In fact, in an industry as competitive as recruiting and staffing, it costs you heavily every second your systems are down.

4. The surge in the rate of cyber blackmailing and extortion

There is a higher probability that one of your employees may put the dignity of your organization at risk. For example, an employee may click on a link that is a “Crypto Locker” malware. Consequently, a cyber-attacker will gain access to your encrypted files. Then the hackers may contact the agency, extorting money to decrypt the files that are in their possession. It is the most common type of attack as it applies to every kind of industry. So, the decryption of data may cost you anywhere from a thousand dollars to a million dollars and beyond.

 

Critical analysis of the cybersecurity insurance plan: Step by Step procedure

We went through the top cyber security plans offered on the market to compare the key terms and caveats that you should keep in mind while choosing a plan.

Basic types of insured entities:

Principally, there are five types of covered entities in most policy declarations:

  1. An individual and spouse. However, there should be the sole owner of the business for such insurance to take effect.
  2. A partnership or a joint venture. Members, partners, and their spouses are insured. However, these insurances are limited to business operations only.
  3. A limited liability company. Managers are insured only to the extent of business operations.
  4. An organization. Executive officers and directors are insured.
  5. A trust and its trustees are insured.

Prerequisites of a valid data breach claim:

The following aspects are typical of considerations to be made before filing a data breach claim:

  • A data breach claim is valid if made within the policy period. The policy period is determined by the effective dates, as stated in the coverage part declaration.
  • All claims to data breach shall arise during the policy period. A claim is invalid if the insured person was conscious of data breach before the policy period.
  • A data breach claim is made when a notice is received by the insured or by the insurance company, whichever comes first.
  • A claim shall be reported to the insurance company within a given period such breach, usually 30 days. However, if the policy period had ended, the claim shall be made within thirty days after the policy period ends.
  • The data breach claim is valid if it includes the loss of personally identifiable information. This information includes social security number, credit or debit card information, bank account number, medical history, and other such information is subject to the law.

Steps to take in the event of a data breach:

Since Cyber-attacks are on the rise, it is advisable to take precautionary measures. However, if a data breach takes place, there are specific steps that need to be taken on an immediate basis. These steps are as follow:

1. If the insured entity believes that a data breach has occurred and the offense may account for a substantial data breach claim, then the entity may furnish a written notice to the insurance company.

2. Consequently, the insurance company will consider such a data breach claim to be valid, if made during the policy period. The following information shall be provided while filing such claim:

    • Data Breach Method.
    • Estimated Date and Time of data breach.
    • The number of files stolen or compromised.
    • A critical explanation of the type of information stolen.
    • Details regarding the encryption methodology of compromised information.
    • Any urgent notification made to the law enforcement agencies.
    • Complete details of the individuals whose personally identifiable information was compromised or hijacked.
    • Any suspect or presumption regarding any suspect who may have had received stolen information.
    • The data breach claim shall be made within thirty (30) days of discovery.
3. It is the utmost obligation of the insured entity to co-operate, coordinate, and assist the insurance company in enforcing the writ of law. It includes assistance against any person or organization that may have compromised the information.

4. The insured entity must take all the safety steps to protect personally identifiable information remaining in the insured person’s custody.

5. Provide access to the insurance company to gauge, determine, and inspect the evidence of data breach.

6. The insurance company may act as an investigator and may question the insured entity orally or in writing to bring more clarity to the data breach issue.

What are limits and deductibles and how do they affect a cyber insurance plan?

There are certain limitations and restrictions of cyber insurance programs concerning losses incurred. For instance, losses emanating from any civil award, legal fees, and other such damages, as prescribed in the coverage declaration, are not included in the insurance policy.

Whereas, a deductible is a fixed expense that the insured entity agrees to pay prior to the coverage payment kicking in. The deductible must be paid for every incident covered by your policy.

Therefore, the following aspects must be taken into consideration with regards to limitation and deductibles associated with any cyber insurance program:

  • The insurance company will not pay for the losses incurred that are beyond the coverage part declaration.
  • A claim is invalid if the loss incurred in a data breach is greater than the applicable deductible, as stated in the coverage part declaration or as mentioned in the data breach- defense and liability limit of insurance.
  • The insurance company will pay for any investigation and settlement issues before any deductible amount. However, the insured entity will have to reimburse the amount within sixty (60) days. Furthermore, the insurance company is entitled to recover any fees incurred while collecting the deductible amount from the insured entity.

What is excluded in the policy declarations of a cyber security insurance plan:

An insurance company policy may not cater to any loss that occurs through:

  • Any malicious, illicit, and intentional misconduct by the insured entity that may result in a significant loss.
  • By bodily injury and property damage. Bodily injury includes physical injury, sickness, or any disease. Whereas, property damage consists of any injury or loss to the tangible property.
  • A loss incurred as a result of a criminal investigation or by any unforeseen actions of the federal or state government. It includes:
    • Civil War
    • Rebellious movements
    • Revolutions, e.g., The Arab Spring
    • Any action was taken by the authorities to establish the writ of the government.
  • Fines and surcharges.
  • Any critical deficiencies in the technological system of the insured person. It includes data security, data storage, and other such security mechanisms that possess significant flaws.
  • Any shortcomings in the database management, Information Technology (I.T.), and software systems that the insured entity did not know before signing the insurance agreement.
  • Any data breach claim that violates the Telephone Consumer Protection Act (TCPA) and the CAN-SPAM Act of 2003, all amendments included.
  • Data breach expenses that an insured person was mindful of prior to the policy period.
  • Any statute, ordinance, or law related to information transmission.
  • A data breach claim that promotes or arises out of discriminatory practices of any kind.
  • Any claim that germinates out of intentional or deliberate violation of insurance policy.

Additionally, all data breaches resulting from SAME acts, omissions, and deficiencies shall be regarded as a SINGLE data breach claim.

Conclusion:

It is relatively cheaper to prevent a potential data breach by securing the information than it is to lose that information from a breach. A comprehensive data breach insurance policy can provide you peace of mind and allows you to manage resources to ensure that the data is safe and secure.

So, if your recruitment agency does not have a cyber insurance policy, it is highly recommended that you get one. You must reach out to the insurance company that is providing you with business insurance to see whether they can help you with cyber insurance policy. However, don't just accept the first cyber-insurance option you're shown.

Before signing the agreement, you must have valid information regarding what the plan would cover and, more importantly, what it will not cover. Naturally, the scale of coverage required by a firm hosting a plethora of sensitive information could be different from that of a restaurant.

In the cyber world, we have a few friends and many enemies. So, it is not the question of if… but when. Therefore, pro-activeness, preparedness, and far-sightedness will help you to combat the menace of cyber fraud effectively and efficiently.

 

Sources used:

  1. https://enterprise.verizon.com/resources/reports/dbir/
  2. https://www.securitymagazine.com/articles/87787-hackers-attack-every-39-seconds
  3. https://www.juniperresearch.com/press/press-releases/cybercrime-to-cost-global-business-over-8-trn
  4. https://www.cisco.com/c/en/us/solutions/executive-perspectives/annual-internet-report/air-highlights.html
  5. https://securityintelligence.com/posts/whats-new-in-the-2019-cost-of-a-data-breach-report/
  6. https://www.rims.org/about-us/newsroom/rims-releases-cyber-survey-2015
  7. https://www.mirror.co.uk/news/uk-news/personal-details-700000-jobseekers-recruitment-9241022
Research for this article was performed by: Rida Hassan

Previous Page
Previous Page

Blog Search

Archive