You don’t have to be a computer genius to see that cyber attacks are increasing. Anyone who pays attention to the news has heard about the numerous high-profile hacks that have compromised the personal data of millions of American consumers, leaving them vulnerable to identity theft, mortgage fraud, and other kinds of cyber crime. According to the most recent Internet Security Threat Report by Symantec, over 552 million identities were exposed last year through data breaches.
FBI Executive Assistant Director Kenneth Bixby, the agency’s “point man” for cyber fraud, recently presented testimony before Congress regarding the bureau’s efforts to combat computer fraud. While attacks on large corporations like Target, Neiman Marcus, and Home Depot make the evening news, Bixby emphasized that smaller companies (those with fewer than 250 employees) are the targets of almost one third of all cyber attacks.
Last year, according to FBI statistics, federal agents informed over 3,000 U.S. businesses that their data had been hacked. In nine out of ten cases, these companies didn’t even know their computer systems had been breached until they were informed by the government.
Symantec estimates that attacks on small businesses increased 91 percent from 2012 to 2013, and experts believe the increase in software as a service and cloud storage solutions suggests that the problem is only going to get worse. As one security expert puts it: “Either you have been data breached or you just do not know that you have been data breached.”
The Cost of Data Breaches
In a separate Symantec-sponsored study, researchers identified the major direct and indirect expenses associated with business data breaches. They include:
Direct Costs: engaging forensic experts, providing customer hotline support and consumer credit monitoring subscriptions, and offering discounts for future products and services.
Indirect Costs: in-house investigations and communication, and the extrapolated value of customer loss resulting from turnover or diminished acquisition rates.
The same study pegs the per-record cost of a data breach at $188—32 percent for direct costs and 68 percent for indirect. This is just an average, however. According to researchers, the cost per record for data lost or exposed due to employee errors and system glitches is (on average) “cheaper,” coming in at $159 and $177 per record, respectively. In contrast, the cost associated with data loss or exfiltration from malicious cyber attacks is much more “expensive” at $277 per record.
A separate 2014 study by Kaspersky Lab tallied business losses for a given data breach “from $66,000 to $938,000 per organization, depending on the size of the company.” In addition, the Kaspersky study found that, in data breaches that involved business-to-business accounts, 43 percent of businesses terminated a business relationship following a reported fraud on their account, while 82 percent of companies indicated they would consider ending a business relationship with a company that suffered a data breach.
Cyber Liability Insurance
A critical component of combating the risks that cyber crime and unintentional data breaches pose to your business is purchasing a cyber liability insurance policy. Cyber coverage isn’t exactly new, but the need for it is increasing as the rate of cyber crimes rises. Also, many business owners don’t realize that cyber insurance often needs to be purchased as its own policy. As you begin looking into getting this crucial insurance for your company, it’s important to note that pricing and coverage will depend in large part on the details of your business, your data, your security measures, and your online presence.
Policies and coverages vary, but a cyber liability insurance policy generally covers the following:
Coverage for actual costs associated with a data breach: these can include consumer notification, customer support, and contracted credit monitoring services for those affected.
Liability for security/privacy breaches: protection from lawsuits and other actions resulting from the exposure of confidential customer information.
Asset recovery and restoration: the cost to restore, update, and/or replace hardware, software, or data assets damaged through cyber crime or by an unintentional loss or release of data.
Business interruption costs: coverage for additional expenses incurred and losses sustained as a result of a data breach.
Reputation management: protection from liability related to slander, libel, copyright claims, and other harm to your reputation resulting from activity on a business website or in social media.
Some policies also cover additional items, such as cyber extortion, cyber terrorism, and the cost of regulatory penalties or sanctions that may result from a breach of data.
If you think your existing business liability policy will protect you in the event of a breach of your company’s data, you’ll want to think again. Many business policies specifically exclude this type of risk because of the extreme variability between different companies’ risks and assets. If you’re not sure whether you’re covered, schedule an appointment to talk to your insurance advisor so you can be protected in the likely case of your company suffering a data breach.
| Company/Organization | What Was Compromised |
|---|---|
| Target | Names, addresses, phone numbers, and other personal information for up to 70 million people, plus credit and debit card information for 40 million customers |
| Neiman Marcus | Credit and debit card information for 1.1 million customers |
| Variable Annuity Life Insurance Company | Names, full or partial SSNs, and other personal information for more than 774,000 customers |
| University of Maryland, North Dakota University System, Indiana University | Breaches at these three institutes of higher education compromised the personal information of more than 737,000 students, faculty, and staff |
| Spec’s Liquor Stores | Credit and debit card information for 550,000 of the company’s customers |
| St. Joseph Health Systems | Names, SSNs, medical information for 405,000 former and current patients, employees, and some employees’ beneficiaries |
| Sutherland Healthcare Solutions | Names, SSNs, billing information and possibly also birth dates, addresses, and medical information on 338,700 California residents |
| Deltek | Access credentials for 80,000 employees of federal contractors, as well as credit and debit card information for 25,000 users of the software company’s systems |
| Coca-Cola Corporation | Names, addresses, SSNs, driver’s license numbers, and other personal information for 74,000 current and former employees |