Your e-mail might live in the cloud, just like your customerdata. You might store files there, too, and you certainly havewebsite content that resides in the nebulous world of modern datastorage. No matter the industry you work in or the size of yourbusiness, cyber criminals want to steal your data.

The FBI is investigating an incident involving a Los Angelesmedical center, which paid a $17,000 ransom to a hacker who seizedcontrol of the hospital's computer systems and would return accessonly when the money was paid. The medical center paid theransom.

Small and mid-size businesses are just as susceptible to databreaches and cyber attacks as large businesses — in fact, an attackmight be easier to pull off on a small business with lesssophisticated IT security. These smaller companies will also find it harder to fix a damagedreputation in the wake of a data breach.

The Ponemon Institute tracks the cost of Internet-based crimefor its annual "Cost of Cyber Crime Study" report. In 2015,cyber-crime costs jumped by 19%. Smaller organizations experienceda higher proportion of related costs caused by web-based attacks,including phishing and social engineering, malware, viruses, worms,trojans and botnets. Larger businesses experienced a higherproportion of costs related to denial of service attacks, maliciousinsiders (employees, contractors, etc.), as well as malicious codeand stolen devices.

Establish a cyber-response plan

To adequately protect vital data, it's a 21st Century imperativefor businesses to establish a cyber-response plan, protectinformation with encryption, train employees, and purchasecyber-risk insurance. Cyber-risk insurance typically covers:

• Damages to digital assets.
• Business interruption and extra expenses.
• Third-party privacy liability.
• First-party privacy liability.
• Security liability.
• Media liability.
• Privacy regulation defense awards and fines.
• Crisis management.
• Cyber extortion coverage.

Cyber-risk insurance may provide financial protection from theloss of employee and customer data, downtime your businessexperiences, and penalties you might face. It may also help offsetthe enormous cost to repair your company's reputation and manage acrisis when it hits.

The protection you get from your Cyber policy should becustomized to your business, so you're paying only for coveragethat makes sense for your specific exposures.

But above the actual protection lies another problem: Cyberinsurance is designed to cover a manmade problem. Other Propertyand Casualty insurance policies cover issues such as businessinterruption if there's a fire or damage caused by a snowstorm —environmental disasters that have been affecting commercialenterprises for hundreds of years. Cyber security, on the otherhand, is a relatively new type of risk, with only a couple ofdecades' worth of claims data on which to create a loss model. Thiscreates challenges for insurance companies who struggle tounderstand how to underwrite Cyber insurance without solid claimsdata.

And this, in turn, presents a huge problem for actuaries andunderwriters, who typically depend on data and consistent lossmodeling to accurately price a risk. There's a gap betweenbusinesses that want — and need — Cyber insurance and the abilityfor insurance companies to accurately underwrite the risk in arelatively cost effective manner. Pricing for Cyber insurance canvary greatly from company to company, and many smaller carriersdon't offer Cyber policies for this reason.

Standalone policy

Carriers currently underwrite Cyber insurance similar to Errorsand Omissions (E&O) or Professional Liability policies. Muchlike E&O, Cyber insurane is typically sold as a standalonepolicy. Your cost may vary depending upon what coverage isprovided, such as first- and third-party liability, notificationcosts, legal fees, etc.

Risk managers in the banking and finance, government, healthcareand retail industries need to be especially vigilant when it comesto cyber risk as these are the top four industries affected. But regardless ofyour industry, you should get together with your Property andCasualty insurance broker to discuss the level of exposure yourparticular business faces.

How many customers do you have, and consequently, how manycustomer files do you have? What type of data do you store, andwhat security measures does your information technology team taketo protect this sensitive information? All of these factors play apart in determining the cost of a Cyber policy. 

Without a cyber-attack prevention and response plan, andadequate insurance coverage, you're likely putting your customerdata, your reputation — and maybe even your business — indanger.

Benjamin Zhang is a consultant in the Property and Casualtypractice at Mount Laurel, N.J.-based Corporate Synergies, an insurancebrokerage and consulting firm. Opinions expressedin this article are his own.