Could an employee’s lost laptop cost a company $5.4 million? It could if the employee has access to sensitive customer data, hasn’t taken proper security precautions, and the company hasn’t shielded itself with a proper cyber-liability protection policy.
It’s far simpler to replace a misplaced or stolen computer than it is to investigate and seal a data breach, notify thousands of customers that they are potential victims (as required by law in most states) and, in the worst-case scenario, pay damages, legal fees and PR management costs as a result of a class action or other litigation.
However, executives by and large seem slow to recognize cybercrime as a growing international problem, with U.S.-based companies the primary target of foreign-based hackers. Energy companies, in particular face an increasingly sustained threat, according to authorities here. In fact, the National Institute of Standards and Technology in February released a framework to help targeted companies avoid what Leon Panetta, the former defense secretary, once called a 'cyber Pearl Harbor.'
According to some recent estimates, ongoing cybercrime against top U.S.-based companies costs our economy more than $300 billion each year. And the cost of a typical data breach of a public company’s systems could average as high as $5.4 million, according to the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy.
For small-to-midsize businesses, the average cost per breach may be smaller -- roughly $188,242 -- according to specialist insurer Hiscox, but the complete toll can be higher. Two thirds of such companies close their doors within six months of a cyber breach. Without protection, they don’t have the same resources as a major corporation to withstand the damage.
And small companies that think they are below the radar of hackers should know that attacks on businesses with fewer than 100 employees amounted to 31 percent of breaches in 2013, according to a study by insurance underwriter Chubb. Hackers know that compromising a vendor’s server can yield access to much larger connected companies and their customers’ data.
Weak data security can be costly in another way, too. A convicted former hacker has just announced that he’s launching a hedge fund that will short-sell stock of companies his fund managers deem vulnerable to cyber-attacks. Such companies would then have to cope not only with damage control from breaches (and a potential rise in attacks from grateful hackers) but also with a setback in raising capital. Data security is now paramount to a health bottom line and companies who want to be seen as fit to successfully conduct business, ignore it at their peril.
Complacency Not An Option
Higher levels of awareness and better security software, as well as proactive practices like encryption, firewalls and frequent password changes may have prevented a drastic rise in cyber attacks, but have not driven them down. A 2013 poll of 500 U.S. executives, and security experts by cybersecurity firm PWC found that the largest number of respondents, 42 percent, said the number of events faced by their organization remained the same last year, compared to 24 percent who saw an increase. Just four percent, however, saw a decline of more than 15 percent.
Conventional insurance policies won’t cover all the legal and technology costs of a data breach, which is why companies increasingly look to a growing line of products to cover damage caused by hidden vulnerabilities like Heartbleed, malicious software, Trojan horses or international hackers who steal information for fun and profit.
In much the same way drivers with spotless records still need car insurance, companies that do their due diligence and invest in up-to-date systems and well-trained personnel still also need to plan for the worst. All it takes is one careless or malicious employee, or one less-diligent electronic partner, to compromise a system.
In the meantime, increasingly stringent European data security laws are drastically impacting the way U.S. companies do business in the E.U. and increasing the chances they could face litigation. In response, experienced international insurance brokers who prepare U.S. companies for the risks they face overseas are fielding an increasing requests for information and coverage.
Coverage Gaps and Legal Expenses
Policies from international insurers like Clements Worldwide are crafted based on where a U.S.-based company operates, to ensure that there are no gaps in coverage in other countries. Although policies are structured based on a company’s individual needs, some common policy add-ons include:
- First-party costs incurred in response to a data breach
- Claims expenses and damages for third-party liability claims
- Civil or regulatory fines or penalties
- Payment Card Industry (PCI) fines/penalties
- Shared or stand-alone limits
- Voluntary notification
- Contractual liability and indemnity
- Expert breach response assistance, with 24/7 access to a law firm and team of breach response service providers.
Since most hacks originate in Europe and Asia, particularly the Russian Federation, Taiwan and Germany, Clements, for example, specializes in products that transcend borders and protect clients in all jurisdictions.
Those protections cover not only reporting, but litigation expenses from setbacks such as identity theft and lost business as a result of the breach. The legal exposure can be more severe if the breach came from within the company, as was the case in 21 percent of events in 2013 reported by executives surveyed by the security company PCW.
When small companies concentrate resources on updating their systems with emerging technology for efficiency, but not always for increased security, it is essential to have the right policy to fill in the gaps of other coverage and protect against a catastrophic breach event. Consider for example, the breach that hit the ironically named retailer Target earlier this year, costing the company millions, and sending profits in the fourth quarter down 46 percent. Professional network LinkedIn, Yahoo! and even dating site eHarmony have also been breached.
Yet despite the clear advantages of cyber-liability protection, nearly two-thirds of public companies aren’t taking advantage of it, according to a survey by Chubb and other sources. It’s not that they don’t believe they’ll be hacked. In fact, 71 percent of companies surveyed said they do have a risk plan to deal with potential threats.
For 57 percent of decision-makers, however, their current plan doesn't include cyber-liability coverage. That means they could potentially be betting their future, or at least millions in assets, on malware analysis and deep-packet inspection. The gamble goes on while hackers and cyberthieves continuously up their game by sharing tools and exploits.
Hopefully, they won’t have to revise that strategy by learning the hard way.
Author David Turkaleski is director of Commercial Insurance at Clements Worldwide, the leading provider of international insurance solutions for individuals and international organizations.