Data Breaches Threaten Every Business
Cyber crime is a growing problem for large and small businesses alike. Although major corporations like Target and Home Depot have suffered the highest-profile data breaches in the past few years, nearly 20% of confirmed data loss incidents in 2015 occurred at businesses with fewer than 1,000 employees. And while the finance and healthcare industries remain major targets for cyber criminals (constituting 44% of breaches in 2015), the retail and service sectors weren’t far behind, combining to account for just over 20% of confirmed breaches in 2015. The average cost of a data breach in 2015 was $217 for each lost or stolen record—far more than most small business owners could ever recover from. In other words, cyber security is an issue that can affect businesses of all sizes and industries.
To protect against devastating security breaches, some business owners might consider purchasing data breach insurance policies. General liability business insurance typically does not cover instances of data theft, so modern cyber insurance policies often consist of a customized set of coverages specifically designed to cover the potential costs of lawsuits, investigations, regulatory penalties, advertising, and customer notification. These policies are relatively new for the insurance industry and are generally tailored to finance and healthcare merchants, but they could potentially have value for other small business owners. If you’re a merchant who is planning to shop for data breach insurance, you should ask the following questions.
What does the policy cover?
The costs of a data breach can be wide-ranging, and any data breach insurance policy worth its premiums will offer a range of coverages that match your actual exposure. Possible expenses following a data breach include card-brand fines and assessments (the PCI DSS non-compliance penalties that Visa and the other card networks levy through your acquiring bank; these are contractual, not government, penalties, and policies often treat the two differently), legal fees related to customer- or bank-initiated lawsuits, forensic investigation fees, breach management costs (such as notifying customers), advertising expenses to restore consumer confidence, and security costs incurred before or after the breach. All of these potential costs (and others, depending on your business type) should be accounted for in your policy.
In general, you should make sure that your policy aligns with your areas of greatest risk. If you are in the healthcare industry, for example, you will want a policy that insures against the costs associated with a HIPAA violation. Conversely, if your business relies on just a handful of regular customers, the cost of notifying them after a breach will be low, and you may not need much coverage there. You may be able to secure better coverage for your business's weak points if you're willing to accept less coverage in your business's low-risk areas.
What doesn’t the policy cover?
Be on the lookout for clauses that enable the insurer to get out of paying under certain circumstances. Possible instances that may not be covered under a standard policy include third-party negligence (i.e. if you outsource your payment processing to a third party and they are breached), paper record theft, theft of unencrypted data, failure to regularly scan or update your systems, breaches through employee-owned devices, and government-imposed fines. Note that an unencrypted-data exclusion makes encryption at rest a coverage condition as well as a security control: if a laptop or backup drive holding unencrypted customer records goes missing, the claim may be denied outright, so it is worth confirming exactly what the insurer counts as "encrypted." In the event that your third-party vendor is breached, the vendor may have an insurance policy that covers any costs related to a breach. You should ask your vendors whether they carry such a policy and consider getting your own policy (or switching vendors) if they don't.
There may also be sub-limits buried in your policy's fine print that dramatically reduce how much of a payout you receive in specific instances. For example, your cyber policy may carry a $1 million aggregate limit, but only $50,000 of that may be available for regulatory fines and penalties, no matter how large the fine turns out to be. It's important to ask whether these sub-limits apply, and to which categories of loss, as insurers may or may not impose them.
Does the policy include preventative security assistance?
A breach is in neither your interests nor your insurer’s. For this reason, your policy may offer assistance with maintaining proper on-site data security measures. This assistance could take the form of subsidized security audits, installation of fraud monitoring software, employee training, network security assistance, or response planning. Insurance companies are gradually catching up to technology and payment processing experts in their knowledge of the industry, and they may be able to alert you to an unforeseen vulnerability at your business.
Can you qualify for low premiums?
Certain business environments are inherently riskier than others. If your point-of-sale system encrypts card data at the moment it is swiped and sends it straight to your processor (point-to-point encryption), so that no readable card data ever sits on your own network, it presents far less exposure than a system that stores unencrypted card data on your own servers. Similarly, if you enforce unique accounts and strong passwords, restrict access to customer data to the staff who actually need it, and regularly scan your systems for malware, your cyber crime exposure is lower than that of a business that grants every employee unrestricted access to sensitive customer data. These differences matter to insurers, and they could help you secure lower monthly premiums that make data breach insurance affordable for you. If you apply for a policy, be sure to ask which precautions the insurer credits toward a lower premium, and be prepared to document that you actually have them in place, since a misstatement on the application can itself become grounds for denying a claim.
Insurance Is Not A Substitute For Security
By asking the right questions and making a full assessment of your business's vulnerabilities, you can secure an affordable, effective data breach insurance policy. However, just because you're insured doesn't mean that you can ignore data security. Insurance markets are ever-changing, and a single breach on your record can leave you paying much higher premiums, or struggling to find coverage at all, for years afterward. A good data breach insurance policy is just a safety net to keep you in business when the worst happens. Whether the worst happens is largely up to you.
For more information about data security, see our list of six ways hackers can steal your data and our guide to finding and fixing your point-of-sale system’s security flaws.