Today's cybercrimes put your grandmother's spam email list to shame. According to a 2011 study by Ponemon Institute, the median annual cost of cybercrime for a large company is $5.9 million per year. Ponemon and ArcSight studied the effect of cybercrime on 50 large organizations in various industry sectors in the United States for its “Second Annual Cost of Cyber Crime” study.


Cybercrime is criminal activity conducted via the internet and includes such things as malicious code, hacks in which private client or company information is made public or stolen, and disruption of normal operations. It can be perpetrated by rogue employees, 'hacktivists' attempting to make a political statement or a third party seeking financial gain.


These attacks have become common occurrences. While everyone has heard of Wikileaks and the problems experienced by Google, Sony and many major banks, smaller companies are not immune from cyber attacks. Companies participating in Ponemon's study experienced more than one attack per company per week, a 44 percent increase from the previous year's study. Any company that stores Personally Identifiable Information (PII) or Personal Health Information (PHI) is vulnerable to attack.


Accounting for more than 90 percent of recovery costs, the most frequent forms of cyber attacks are those resulting from malicious code, denial of service, stolen or hijacked devices and deleterious insiders. Ponemon also found that if a problem is discovered quickly, it will be less costly and less time intensive to solve. It takes 18 days on average to resolve an attack, and insider breaches can take an average of 45 days to contain.


Recovery costs fluctuated based on industry, company size and the level of protection companies employed against potential threats. Smaller companies tend to see more cybercrime related to malware, loss or theft of paper records from offices and accidental sharing of or theft of PII and PHI. Small businesses (100 employees or fewer) make up 72 percent of data breaches worldwide.


Ponemon did not find significant differences in cost associated with use of cloud computing, but new and often unknown threats arise with the use of new technology. In a different Ponemon study titled “Security of Cloud Computing Users,” only 47 percent of respondents believed that cloud services were evaluated for security prior to use.


Getting down to the finer details, Ponemon addressed specific costs in its “U.S. Cost of a Data Breach” study. Breaches cost U.S. companies an average of $204 per compromised record in 2009. Tim Francis, enterprise cyber lead for Travelers, noted that this number can include costs of the following:

  • Technical forensics to determine the scope of the breach
  • Legislative costs associated with defending lawsuits arising as a result of the breach
  • Notification of victims
  • Credit monitoring and crisis response often provided for victims
  • Public relations to repair the company's damaged reputation
  • Lost revenue related to clients wishing to move business elsewhere
  • Fines and penalties imposed in cases where information stolen or made public violates a regulatory law (such as HIPAA).

Wi-Fi and mobile devices such as laptops, tablets and smartphones pose a new set of risks. Although this technology is crucial to business practices today and allows employees to work remotely, it also means the information is no longer protected by four walls of a secure office building or a secure and monitored internet connection.


Francis cautioned that while having up-to-date technology protection is important, employers and business owners would do well to remember the “human element.” Are employees in public spaces that leave device screens vulnerable to people looking over their shoulders? Are they using unsecure or externally hosted Wi-Fi networks where security levels are unknown? Are their passwords secure? What are they storing on mobile devices? Does a company have full control over how an employee may use a personal device for business purposes, and what happens when that employee is terminated? These questions and more have uncertain answers and might involve the HR dept. working in partnership with IT.


Businesses that use Wi-Fi and also allow customers on their premises to use it, such as coffee shops, have a unique set of risks. Francis related a story in which the producers of a Hollywood movie brought a claim against the owner of a restaurant offering Wi-Fi to its customers. A customer had used the Wi-Fi to download a copyrighted bootleg of the movie and investigators were able to trace it to the business. This risk and more could be overlooked by many business owners installing Wi-Fi for customer use. How are business owners to determine what counts as protecting themselves and what might be an invasion of customer privacy? These questions are still new and could have varied answers.


Many companies are not prepared for cybercrime perpetrated by “hacktivist” groups such as Anonymous, which gained notoriety for disrupting several national banking websites. One problem Francis cited with large-scale blackmail threats is determining whether or not they come from a credible source. It's easier to know what damage a previous employee of the IT department might be capable of than a third party group.


“Generally speaking, potential exposures are new and undefined, but that doesn't mean that there isn't a large amount of exposure,” Francis said. He had the following advice for businesses looking to improve tech security:

  • Consult with an attorney about your business's specific exposures. If you're not making your wireless internet available to those outside of your company, your risk of dealing with a lawsuit similar to the restaurant owner's is minimal.
  • Don't overlook the human element when it comes to secure technology. Offer comprehensive training and concrete guidelines for employees.
  • Work with agents, brokers and carriers to determine what appropriate coverage is needed and that the risk/reward is understood.
  • Know that there isn't a one-size-fits-all solution to this problem, and that the problem itself is in a state of constant flux. Re-evaluate guidelines and coverage often and don't adopt new technology without first considering the risks involved.

Wi-Fi, the internet and portable devices aren't going away, and risks get bigger the more we rely on technology to get through a business day. Ignoring those risks and not insuring them like we do our cars, homes and lives doesn't make sense. Travelers offers a suite of cyber risk management liability products and coverage solutions that can fit the needs of each customer. “Cyber products are being purchased more frequently, but we're still not seeing as many companies buying this coverage as we ought to see,” Francis said.

  1. CyberFirst Essentials—small businesses can get coverage for a variety of cyber security breach claims and lawsuits with this option, including expenses such as notification, credit card monitoring, public relations and more. “This is a good option for small companies with a smaller amount of cyber exposure who need basic coverage at lower limits and lower cost points,” Francis said.
  2. CyberFirst—this coverage is specifically for tech companies and includes Tech E&O liability, network and information security liability, communications and media liability and expense reimbursement.
  3. CyberRisk—this coverage option is broader in order to match the needs of various industries and company sizes with ten separate coverages including network and information security liability, e-commerce extortion, computer fraud, security breach remediation and notification expenses, and regulatory defense expenses.

© 2024 ALM Global, LLC, All Rights Reserved.