Data breaches on the scale of OPM, Target, or Anthem Blue Cross cost millions to clean up; your files, priceless though they may be to you, are valued at considerably lower amounts. But if homeowner’s insurance covers stolen laptops and hard drives (and occasionally data, valued at up to $1,000), why can’t individuals buy cyber insurance? As we saw two days ago, individuals can get add-ons to current insurance policies that cover cyber bullying or identity theft, in some cases reimbursing fraudulent expenses and helping with calls to credit agencies and banks. Some insurers will audit a home network or provide monitoring services. But to get the same type of policy that a business gets, you may need to incorporate.
62% of cyber attack victims are small to mid-size businesses, 70% of cyber crime affects businesses with 100 or fewer employees, 43% of spear-phishing attacks affect businesses with 250 or fewer employees, and 27% of data losses are incurred by small businesses. (If some of these numbers sound contradictory, well, experts sometimes disagree.) Wait, then what is a small business’s actual risk? The best way to assess risk is to look at the sensitivity of the data your business holds; a small business that manages and stores a lot of health records is at higher risk than one that sells t-shirts and doesn’t store credit card information on its servers. Even so, some malware is designed to scan every site it comes across and exploit the same vulnerability over and over (for example, see yesterday’s article on ransomware), so a small company with a low profile can be just as easy a target as a larger one.
You’re also only as secure as your friends — as we saw from the Target and Home Depot breaches, third-party vendors like HVAC contractors and companies providing point-of-sale systems or self-checkout stations provide a way into the network of a larger company, making them attractive targets because of a perceived lower level of sophistication. It only takes one employee clicking on a phishing link to compromise a system, so hackers may prefer to target lower-level employees or assistants rather than executives. The federal government doesn’t set specific cyber insurance requirements for its contractors, preferring instead to require standards for data protection and security that contractors are welcome to meet however they can. That’s not to say cyber insurance isn’t a good idea for government contractors: when a provider of background checks for the OPM fell victim to a hack that exposed government employee information, its $417M contract was terminated and the contractor’s parent company filed for bankruptcy. Worried contractors can also consider using DHS-certified cybersecurity tools, which under the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act can limit the liability of those using approved equipment in the case of a cyber attack.
Speaking of bankruptcy, though, if small businesses and contractors can be targeted just as easily as large businesses, won’t cyber insurance premiums be relatively constant across the board, and therefore much more expensive for smaller companies? A sampling of annual premiums found variability across industries, with costs ranging from 0.002% of revenue to 25% of revenue, depending on the coverage limit and industry involved. (That 25% of revenue was for a clinical data analysis startup, which likely hopes to increase its revenue soon.) It’s a good idea to shop around, and many companies layer their cyber insurance policies. As the New York Times reported earlier this year, no business — from a community skate park to an educational toymaker — is too small to be hacked.