Assessing cyberinsurance for your business

CNET@Work: Cyberinsurance covers threats like data breaches, cyberextortion and damage to your reputation. Before you can know your needs, you need to know your data.

Mary Shacklett Contributing Writer
Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President of Product Research and Software Development for Summit Information Systems, a computer software company; and Vice President of Strategic Planning and Technology at FSI International, a multinational manufacturing company in the semiconductor industry. Mary is a keynote speaker and has more than 1,000 articles, research studies, and technology publications in print.
Mary Shacklett
5 min read
Getty Images/iStockphoto

With technology increasingly intertwined with all aspects of business, CNET@Work can help you -- from prosumers to small businesses with fewer than five employees -- get started.

The Equifax breach in September undermined the confidence of companies around the world -- but nowhere did it generate more concern than in small businesses.

"Cybersecurity is a real concern," said Christopher Adams, chief executive officer of Glauser Life Sciences, which produces an anxiety relief supplement. "A breach has the potential to destroy value overnight. Our R&D and intellectual property is at risk if not protected, not to mention our client data. If your customers can't trust you with their information, they are not going to trust your product. Our vendor data and supply chain could also be compromised. In a growth business, if you can't deliver on time, you are in trouble."

But what if you aren't sure about the cyberprotections your company needs, or what your insurance company can offer?

See also: Never work without a net: Insuring your business

The Deloitte Center for Financial Services reports that companies have a "hard time quantifying exactly how big a risk they face ... that may lead to uncertainty about what type of coverage and how much insurance [a company] might need, as well as the cost/benefit associated with transferring at least part of this burgeoning exposure to insurers."

Cyberinsurance covers threats such as data and security breaches, cyberextortion that forces you to pay fees to unlock your data or website, and damage to your reputation.

Within the cyberinsurance category, coverage is available for the business itself, for the business owner, for customers of the business or for other companies that work with the affected business.

"We can provide a basic cyberpackage that can be added onto a Commercial Multi-Peril policy, but if a customer wants more coverage and higher limits, they can access a product that is priced commensurate to their exposures," said Tim Francis, enterprise cyber lead at Travelers Insurance.

The trick is knowing what the particular exposures are in your business, and this is where many small businesses have trouble.

Know your data

Brandy Mayfield, vice president of commercial product for Allstate Business Insurance, recommends that business owners begin by thinking carefully about the kinds of data that they use and maintain in their businesses before they shop for cyberinsurance.

Credit card phishing

Cyberinsurance isn't just about data theft, but also about the destruction of data and information that can prevent a business from running.

Getty Images/iStockphoto

"Think about the amount of data that exists within a business," said Mayfield. "It could be private customer information, lists of suppliers and proprietary business data that could be affected and affect an organization's ability to serve its customers. Cyberinsurance isn't just about data theft, but also about the destruction of data and information that can prevent a business from running."

Mayfield gives these examples:

  • A virus destroys a beautician's calendar of customer schedules. She is unable to send out reminders, and consequently, only 25 percent of her clients show up the next two months.
  • An artist sells his work in local galleries and his prints online. He also participates in many art fairs across the region. An attacker steals his customers' data, including all credit card and bank account information.
  • A restaurant sets up accounts with many suppliers. Their accounts are compromised, and someone else begins using the accounts to make purchases.
  • A photographer has an online blog showcasing where she journals about the experiences that surround her landscape pictures. Her system is infected with malware that emails a virus to her subscribers.

Once you have a handle on the types of cyberthreats you should protect yourself against, what's the best way to ensure that you obtain the right types of coverages?

Cyberliability insurance is designed to cover a variety of liability and property losses that may result when a business engages in various electronic activities, such as selling on the internet or collecting data within its internal electronic network. This insurance also covers data loss or destruction, computer fraud, funds transfer loss and cyberextortion.

Another type of insurance in the cyberspace is data compromise insurance, which helps businesses investigate a data breach, notifies affected individuals and provides credit monitoring, case management and other services that help prevent identity theft and fraud following a breach of personal identifying information.

When business owners talk to insurance companies, they should do their own due diligence on policies, because some insurers sell cyberliability and data compromise insurance policies separately, while others include the data compromise insurance in a single, over-arching cyberliability insurance policy.

"In all cases, I recommend acquiring both data compromise and cyberliability for most small businesses," said Mayfield. "Data compromise provides coverage for customer payment information, but in the event of a covered data breach, a business' system may also need restoration."

If your business is online retail and you're accepting credit cards, Francis recommends acquiring a policy that provides access to forensics investigation, legal counsel and a breach coach should an attack take place.

"You should also have a system to notify customers whose personal data may have been compromised; and insurance for compensating the business for any lost revenue," he added. "Certainly, some organizations have less exposure than others, but, even if you have a lawn-cutting business, if you have a website or you're relying on technology to schedule your customers, you could be vulnerable if that technology is compromised."

How much does it cost?

Because cyberinsurance can be costly, it's best to start with a modest policy that you can scale up as your business expands.

"A business owner can get $50,000 in cyber and data coverage for as little as $250 annually," said Mayfield. "$50,000 of coverage offers limited protection for first- and third-party attack for around $150 annually. The recommended limit is $100,000, which costs about $300 annually and offers enhanced protection for first- and third-party attack ... For data compromise, you can purchase $50,000 in coverage for a little as $100."

Finally, business owners who work with an insurance agent should be sure that the agent is well versed in first-party (the business), third-party (the business' customers), data compromise and what types of cybercoverage are being offered at each limit -- because even the smallest companies are not immune to data breaches.

"The cyberinsurance market is still in its infancy," said Adams. "Insurers are having challenges modeling coverage and understanding the threats and pricing loss or exposure. We didn't feel comfortable navigating the insurance landscape without some guidance, which is why we opted to use an agent who specializes in this area."