As the threat of cyberattacks continue to loom over corporations across the globe, small to midsized businesses are still sitting on the sidelines when it comes to purchasing cyber liability insurance policies despite the ominous warning signs.
The overall frequency of data breaches continues to rise according to a global analysis from IBM released in June. While it’s the large scale breaches, such as Sony, The Home Depot and Target that make headlines, hacks targeting smaller businesses are also growing in regularity.
Symantec’s 2016 Internet Security Threat Report revealed that 43 percent of phishing campaigns targeted small businesses in 2015, up from 34 percent in 2014. However, only 5 percent of small businesses recently surveyed by Endurance International Group indicated they carry a cyber liability insurance policy.
As evidenced by the big breaches of the past few years, we know the negative impact of a data breach can be devastating. It’s hard to understand why small businesses across the globe continue to overlook their cybersecurity and cyber insurance needs. However, as insurance agents, it’s our responsibility to find a way to articulate the necessity of a cyber liability policy.
The largest barriers preventing small business owners from purchasing a policy revolve around a misunderstanding of their perceived threat, what’s covered, and the reasonable pricing. Take the time to explain every factor at play and how the cost of the policy will be well worth the investment should a data breach occur — because it’s only a matter of time before you receive a phone call from a client asking you if they’re covered.
Although attempting to sell these policies to businesses with smaller budgets can appear to be a daunting task, here are a few tactics to help small to midsized business owners understand how a policy could save their company.
1. Show them the money
A significant data breach can cripple a small company’s balance sheet and potentially put the firm out of business altogether. According to the IBM study, the average cost of a data breach is approximately $4 million and the average cost per lost or stolen record in the U.S. is $221. If your prospect is wondering why reacting to a data breach is so expensive, insurance agents must clearly delineate every significant cost associated with a breach.
After a data breach is identified, the affected company will need to hire a computer forensics firm to look at its computers and identify where the hack occurred. After that, 47 states in the U.S. require businesses by law to notify and provide credit monitoring for every individual affected in the event of a data breach. The business also must hire a legal consultant and should consider engaging a public relations firm to help notify customers and manage the company’s reputation.
On top of all of this, regulatory fines and penalties can also be handed down by state legislators. Third party lawsuits, an unfortunate reality when dealing with thousands of disgruntled customers, may also arise and can quickly rack up the expenses.
Considering that each cost described here is covered in a basic cyber liability policy, purchasing this coverage could be lifesaving to a small to midsized business.
2. Put the ‘It’s too expensive’ argument to bed
After hearing about the extensive and potentially business-saving cyber liability coverages, a potential buyer might wonder how much a policy will cost. In our experience, cyber liability is actually fairly inexpensive relative to other insurance needs.
For a business with approximately $5 million in annual revenue, a comprehensive policy covering the expenses outlined will cost the company approximately $5,000 per year; for a company with $8 million in revenue, the cost is approximately $7,000 per year. This policy will be far from the company’s most expensive insurance cost, and, considering the extensive coverages, it will be well worth having in the event of a breach.
3. Dispel the misconception around cloud-stored data
Many small businesses believe that if customer data is stored in the cloud, they won’t be culpable should the information be compromised. This is a common misconception, as most cloud providers have hold-harmless agreements in place with their customers. These agreements release the cloud provider from liability in the event of a data breach.
In this event, the bill for all costs related to notification, credit monitoring, litigation, forensics and other costs related to a breach, will ultimately fall to the consumer facing small business.
4. Compare security measures to larger companies
Considering that most of the headlines making national news surrounding data breaches involve massive, multinational companies, many business owners think hackers won’t bother with their small firm. However, as we mentioned earlier, this is not the case. A growing number of phishing and other hacking techniques are targeting smaller businesses.
Smaller businesses are also often more susceptible to an attack than larger enterprises. With so many areas of vulnerability, including stolen laptops, computers or other computer storage devices, backup tapes lost in transit, employee theft, internal security failures, viruses, Trojan Horses, computer security loopholes and improper eradication of information, it can be incredibly difficult for a small business to keep every potential entry point protected.
Big companies with large IT staffs have the resources to train employees as well as implement cybersecurity measures that can dramatically reduce the likelihood of a successful attack. For small companies, cyber security simply isn’t seen as a priority, which can result in a higher susceptibility to attack.
Although all businesses should take some level of proactive preventative measures, a cyber liability policy can at a minimum stop the financial bleeding after an attack.
Harris Tsangaris is the vice president of corporate development at New York-based NFP, an insurance broker and consultant that provides employee benefits, property & casualty, retirement and individual private client solutions for clients across the United States, United Kingdom and Canada. He can be reached at firstname.lastname@example.org.