Businesses are getting a new kind of insurance to safeguard against data breaches

Aug. 22—From small shops to corporate juggernauts, nearly every business has seen some facet of its operations migrate online.

And as professional tasks are digitized, so too is the vital information they involve: Personal records and bank account info. Trade secrets.

The type of information so confidential that people of a past age only felt safe knowing it was behind lock and key — this data now moves through cyberspace at rates that would likely astonish and horrify the pre-internet population.

Brian Mahon has seen what happens when sensitive data is seized by the wrong hands.

"A lot of the times it's a situation where, somebody who has been in business 20 years, this is the most stressful two weeks of their life, dealing with the repercussions of a data breach," said Mahon, cyber insurance counselor with EHD Insurance, Lancaster.

At a presentation Wednesday, Aug. 9 for the Greater Reading Chamber Alliance, Mahon told the story of a distributor in south central Pennsylvania.

"They were making a big acquisition...about a week after the merger, a third shift employee got what seemed like an email from a second shift employee," Mahon said. "He clicked on the link."

The next day, the company was hit.

Hackers attacked using ransomware — malicious software designed to deny an organization access to its own computer system.

"(The company) had to pull all their guys out of the field, all their salespeople, even some ex-employees, to help recreate customer data," Mahon said. "They spent $60,000 replacing servers, laptops, and phones. They also were down for two or three weeks, not making any money."

About 60% of small businesses fail within six months of a data breach, according to the National Cybersecurity Alliance, a national nonprofit that focuses on cybersecurity awareness.

A 2019 report by insurance carrier Hiscox shows that data breaches cost companies an average of $200,000.

Mitigating that damage is what motivates Mahon to encourage companies to pursue cybersecurity insurance.

"It really does apply to every modern business," Mahon said.

What is cybersecurity insurance?

A cybersecurity insurance policy works similarly to other forms of insurance — companies pay a monthly premium and can file claims in the case of an incident.

Coverage varies by policy, but commonly covered expenses include the costs of business interruptions and lost hardware, data recovery, and notifying customers of a breach, as well as third-party liability coverage if an affected customer sues a company that was breached.

Some policies even expand their coverage to lawsuits that arise from a company's social media activity, public relations expenses following an incident, and regulatory fines.

Regulatory fines can be particularly expensive, especially for companies that store data from a large number of customers.

"There was a famous case with Uber in Pennsylvania...they lost all their drivers' license information (in the state)," Mahon said. "The Pennsylvania attorney general fined them...it was something like $1,000 per (lost record)."

Mahon said nearly all companies can benefit from cybersecurity insurance, not just multibillion dollar corporations.

"We work with small business that could be two or three people, contractors, doctors, law firms," Mahon said. "I've even seen local restaurants that have issues with their point of sale system...(cybersecurity coverage) is far reaching."

He noted that having cybersecurity insurance is increasingly a contractual requirement for some companies.

"I have a couple software companies that do K-12 budgeting, their school district clients require them to have cybersecurity insurance," Mahon said. "Bigger firms like Apple, Deloitte, McDonalds, they're requiring cyber insurance from businesses they contract with."

The cyber insurance industry has taken off over the past decade — in 2010 cyber insurance underwriting premiums totaled $600,000 globally. That number rose to $10 billion in 2021, and is expected to reach $23 billion by 2025, according to Forbes.

Impact of COVID

COVID played a major role in the spiking interest in cybersecurity insurance, Mahon said.

"During COVID, everybody went to go work from home. They had to quickly adapt to Zoom, and virtual private networks, it kind of added an extra layer of risk, where a lot of small business owners didn't do that in a secure way," Mahon said.

He said cybercrime also rose dramatically during COVID.

"Threat actors were also working from home...they couldn't do traditional crime during the pandemic," Mahon said.

Beyond cybersecurity insurance, Mahon said there are simple steps companies can take to protect themselves in the digital landscape.

Strategies like implementing multi-factor authentication, which means using two or more credentials when logging in, can prevent bad actors from logging in under false credentials.

Backing up computer systems and training employees to identify phishing scams — where hackers trick people into revealing sensitive info — can also prevent a hack, Mahon said.

Those strategies aren't just useful in preventing data breaches — they're often required by insurance underwriters before a company can have a policy approved.

Mahon said caution is paramount in a world where cyberattacks, and the threats they pose, are growing exponentially.

"I attended an event last year with three different bank CEOs...all three of them said cyber risk is the number one concern they have," Mahon said. "There are even people out there who think cyber insurance may not even exist in the future, that it'll be uninsurable, like flood insurance in Florida: Carriers will pull out because they lost all their money."

Mahon said he hopes that isn't the case.
