At a panel presentation/discussion titled “Hacked: The Implications of a Cyber Breach,” hosted by Travelers in New York City, Timothy Francis, enterprise lead for Cyber insurance, noted that although most of the cyber breaches that make the headlines are from large, national companies, the smaller breaches of local companies are far greater in number.

Francis noted that 62% of cyber-breach victims are small to mid-size businesses, which are at the greatest risk for an attack. Their level of preparation is low, and the costs of customer notification alone can be enough to do a small company irreparable financial harm.

Mark C. Greisiger, president of NetDiligence, which provides cyber risk assessment and data-breach crisis services, noted that healthcare and financial services are the two most affected industries at the moment. Those small to mid-sized financial services businesses include many of the insurance agents and brokers in the U.S.

A good many data breaches go undetected and others are willfully unreported, Greisiger observed. Often, the data breach incident is a denial of service attack, which companies don’t report because they aren’t obligated by law to do so. According to Francis, there are 34,529 known computer security incidents per day in the U.S. How many more are unknown?


All businesses are vulnerable

The average per-breach cost for legal fees is $690,000, while for larger companies the breach claims cost can amount to $3 million per event or more. That per-breach estimate is skewed toward the amount of information stolen from healthcare and small to mid-size companies, Greisiger added, but companies without insurance can expect to pay significantly more, primarily because they generally don’t have instant access to the various experts (that is, the “tiger team” with pre-negotiated rates) needed to mitigate the breach in a timely manner after it occurs.

These include a forensics team to conduct investigations, public relations representatives, a call center to deal with customer fallout, and legal counsel, including a “breach coach” whose job it is to work with the client to help ascertain exactly what was stolen. Businesses without insurance protection that suffer a breach can expect to pay three times as much for these services, and even then, they are often paying vendors that haven’t been vetted and selected by a major insurer.

Regardless of size, however, all businesses should consider themselves vulnerable. In Francis’ view, “It’s not if a breach will occur, it’s when.”

Greisiger also suggested that businesses learn to think of the issue as one of “privacy management,” explaining that the term “cyber” applies to all media and all devices, including personally identifiable information that your employees might have access to on their tablets or smartphones.

A few years ago, lost laptops were the leading cause of data loss and hacking incidents, according to Greisiger. That seems to have tapered off, primarily because of better employee training. Now, the issue has become one of improper data collection or improper use of the personally identifiable information collected.


‘Main Street’ event

John F. Mullen, the managing partner of the Philadelphia regional office and chair of the U.S. Data Privacy and Network Security Group with Lewis Brisbois Bisgaard & Smith, suggested that businesses think of a cyber breach like a burglary: You own the data as if it were a tangible object that can be stolen, and you have a duty to protect it.

Storing data in the cloud doesn’t eliminate your responsibility, Mullen pointed out: “You own the data because you got it first.” A client can’t fully transfer the risk of safeguarding the data to its cloud storage company. Even though a company might trust its cloud storage vendor, that data may be vulnerable when that vendor outsources storage to another cloud storage vendor.

In addition to the business interruption issues, Mullen pointed out that it can take from two months to two years to determine whether your business will be fined for the breach, and by how many state or federal regulators. The high dollar costs, coupled with the distraction of dealing with the breach, can be enough to put a small to mid-sized company out of business.

Francis noted that agents and brokers need to convey the need for cyber risk insurance to their small to mid-sized clients. The insurance industry also has to do a better job of educating agents and brokers as well as raising awareness of the issue for themselves and their clients. If not, the business that closes could be theirs.


By the numbers

The Office of Advocacy of the Small Business Administration defines a small business as an independent business having fewer than 500 employees, which covers the majority of businesses in the U.S.

Small businesses make up:

  • 99.7 percent of U.S. employer firms,
  • 63 percent of net new private-sector jobs,
  • 48.5 percent of private-sector employment,
  • 42 percent of private-sector payroll,
  • 46 percent of private-sector output,
  • 37 percent of high-tech employment,
  • 98 percent of firms exporting goods, and
  • 33 percent of exporting value.

Here is a list of cyber risks and concerns and the percentage of business decision-makers who worry about each one having an impact on their company.

Chart: Cyber risks and concerns 

Source: Travelers/NetDiligence