Almost every business relies upon computers, electronic data, network access and the Internet. That technology creates new cyber risks. And as larger companies harden their cyber defenses, hackers increasingly see medium-size businesses as easier targets.
It’s easy to see why. A midsize business keeps a substantial amount of personal information and business data on employees, customers, vendors and others. Yet, most lack the technology resources and expertise of larger corporations to prevent a data loss.
A Ponemon Institute report states that 44% of businesses had a data breach in the past year, and McAfee puts the percentage at 60. The average time from the actual data breach to its detection was 210 days.
In a separate Ponemon survey conducted for the Connecticut-based Hartford Steam Boiler Inspection and Insurance Co., 55% of smaller business owners and professionals reported at least one breach and almost a third at least one cyber attack. HSB also polled risk managers for mostly large companies in 2015 and found 69% had experienced at least one hacking incident in the previous 12 months
Costs associated with a breach can be significant. Although per-record cost estimates range, the ID Theft Resource Center said the mid-range cost per record was $217 in 2014. And that doesn’t account for the damage a data breach can do to a company’s reputation.
Cyber criminals may focus on medium-size companies as a potential backdoor to access the networks of larger clients. As a supplier, contractor or vendor, the smaller business is a trusted source for the larger company and often has access to its computer system.
The 2013 data breach at Target, for example, was traced to hackers who stole and exploited the credentials of a midsize company, a mechanical contractor with access to electronic billing. The data breach affected about 40 million people, and Target paid $39 million to several banks that had to reimburse customers who lost money.
"Ransomware" is malicious software that encrypts data on a victim's computer system and then demands payment from the victim company to unlock the data. (Photo: iStock)
Cyber extortion is also a growing threat, in which thieves install “ransomware” that encrypts data and then demand payment to unlock the victim’s computer system.
A California hospital this year paid $17,000 to hackers, who took over the facility’s data network. The hospital’s system was shut down for about 10 days and security experts fear publicity over the ransom will encourage other hackers. The hospital reportedly paid the criminals in Bitcoin cyber-currency, making it harder to trace.
The Internet of Things, which links equipment, systems and devices through software, sensors and network connectivity, is increasing the danger as more business information is stored in the cloud. That sensitive information is accessed and shared through multiple devices that are vulnerable to hackers and cyber thieves.
According to Cisco, the number of things connected to the Internet exceeded the number of people on earth in 2008. The company estimates there will be 50 billion connected devices by 2020, while other experts believe it’s already 1 trillion.
Sometimes, hackers infiltrate computer systems to help carry out illegal activities. In a recent claim we investigated, a midsize manufacturer noticed a high volume of outgoing Internet traffic. Criminals were secretly using the system to transmit e-mail spam and launch denial of service attacks against other computer systems.
Because of incidents like these, larger companies increasingly are imposing contractual obligations on smaller contractors and suppliers to prove they have taken steps to strengthen their system security, including the purchase of Cyber insurance.
Midsize businesses tend to buy Cyber coverage with inadequate limits. (Photo: iStock)
The problem for midsize businesses is that they are squeezed between expensive insurance coverage designed and priced for large corporations and limited packaged policies designed for small businesses with less financial exposure.
At the same time, many medium-size companies, which have never purchased Cyber insurance before, underestimate their risk. So, they choose a Cyber policy that lacks enough coverage features and has inadequate insurance limits.
The manufacturer whose computer system was hijacked by criminals, for instance, selected a $50,000 cyber policy and declined coverage for the loss of business income. It took nearly two weeks and hundreds of thousands of dollars to rebuild its system and restore the data, shutting the company down for almost two weeks.
It’s challenging for a midsize business to choose the right insurance program because there are no accepted standards for Cyber coverage. Most insurance companies will offer certain coverages, but not others. It is difficult to find a broad, inclusive policy, and many business owners and risk managers are not sure which Cyber coverages they really need.
Here are some of the Cyber coverages that midsize businesses should consider:
- Data breach response coverage for the expense of notifying individuals, credit monitoring and other services.
- Data breach liability for litigation and settlement costs of lawsuits resulting from a breach.
- Identity theft insurance to pay for expenses and expert help for business owners to restore credit standing and identity records.
- Computer attack for data restoration or re-creation, system restoration, loss of business income and other services.
- Cyber extortion to cover the amount of money demanded to unlock a commandeered system, including the cost of an investigator.
- Network security liability to defend against claims that “negligent failure of computer security” caused third-party damage.
- Electronic media liability for claims that information displayed on a website infringes or violates the rights of individuals or defames them.
As insurers offer more Cyber coverage designed for medium-size companies, agents, brokers and business owners must choose carefully. Packaged policies may serve a small business well, but likely will lack the broader protection that a midsize business needs. Cyber insurance for large corporations often includes coverage and limits that a midsize business doesn’t need and premiums it can’t afford.
Technology is changing so fast, it’s hard to keep up. Yet, every business is expected to safeguard the information it keeps. Data breaches and cyber attacks happen often to mid-size companies and it’s important that they have an appropriate level of Cyber insurance. That coverage should include the unique features that the business requires and the protection that their customers, employees and business partners deserve.
Tim Zeilman is vice president and counsel for strategic products with the Connecticut-based Hartford Steam Boiler Inspection and Insurance Co.
Related: Do you know these 9 hacking terms?
Have you Liked us on Facebook?