Harvey Johnson, CPA | October 19, 2016
When most people think of cybersecurity and data breaches, large government agencies, financial institutions and retail entities typically come to mind. Since we tend to only hear of breaches with big-name entities, small businesses tune it out, thinking these are problems only larger organizations experience.
The reality is quite the opposite. Tens of thousands of breaches occur each year, and based on available statistics, more than 75 percent of breaches occur at businesses with fewer than 200 employees. More alarming is that over 60 percent of those businesses shut their doors for good within six months of discovering a breach.
One of the main reasons companies go out of business is lack of proper insurance. Either the company doesn’t have enough coverage or, more often, it doesn’t have the right coverage. When it comes to insurance, many people don’t realize there are a lot of different aspects to consider. Educating yourself on the types of coverage you might find in your policy, and what they mean, may make the difference in whether your company survives or becomes another statistic.
The first thing to note is that cyber insurance coverage generally falls into three components, and each deserves attention:
• First-party expenses and losses (the breached party)
• Third-party (customer liability — wrongful disclosure of protected health information, personal identifying information, confidential information)
• Regulatory proceedings (assessments, fines, penalties)
Some of the more common types of first-party coverage available include:
Theft and fraud: Addresses destruction or loss of data as the result of a criminal or fraudulent cyber event, including theft and transfer of funds.
Extortion threats: This coverage usually addresses ransomware and similar costs. Ransomware attacks are very common right now, and companies are highly susceptible to the social engineering attacks that deliver them. Whether ransomware is covered in this clause or in the replacement/restoration clause, your cyber insurance is not complete unless it covers ransomware and other extortion-related threats.
Forensic investigation: Covers the forensic services necessary to determine whether a cyber-attack has occurred and to assess the cause and impact of the attack.
Business interruption: This type of insurance compensates the company in the event the network is down for any significant time. Downtime may range from a few days to a few weeks, depending on the nature of the breach and how prepared your company is, so you probably want to have some coverage here.
Computer data replacement and restoration: Covers the costs of restoring your data in the event of a breach, which can be costly, especially if you don’t have good backup and recovery procedures.
Common third-party coverages include:
Data breach liability: Covers the costs from civil lawsuits, judgments or settlements resulting from a data breach.
Privacy liability: Provides coverage for liability to employees or customers who have suffered a breach of privacy.
Regulatory response: This type of coverage addresses the services necessary in responding to governmental inquiries relating to a cyber-attack, including coverage for fines, penalties, investigations or other regulatory actions.
Notification costs: Covers costs to notify customers, employees or other parties affected by a cyber-attack, including notice required by regulation.
Credit monitoring: In the event of a breach, you will want coverage for the costs of credit monitoring, fraud monitoring and other related services for those affected by a cyber event.
Crisis management: Covers public relations expenses incurred to educate affected parties regarding a cyber event.
Cyber insurance is relatively inexpensive right now, but as you can see, there is a lot to consider when tailoring your policy. In addition to your insurance broker, consider working with legal counsel and a cybersecurity expert when evaluating your cyber-related coverages.
It’s equally important to understand your policy’s provisions and exclusions. As more and more incidents are reported, carriers are continuously looking for reasons to limit claim amounts. Some policies set a window for notifying the carrier of a breach (e.g., 45 days from discovery) that must be met for the claim to be fully covered.
Harvey Johnson, CPA, CGMA is an assurance partner with PBMares LLP, where he oversees the firm’s cybersecurity service offerings, as well as its financial services team. Harvey is a member of the Virginia Society of Certified Public Accountants (VSCPA) and the VSCPA Tidewater Chapter. For more information, please contact the author at [email protected] or visit www.pbmares.com.