Cyber liability insurance: Don't run a business without it

You wouldn't go into a blizzard without a coat, scuba dive with a hungry shark or bungee jump without measuring the cord. Yet, according to the 2009 FBI Computer Crime and Security Survey, 71% of American companies endanger their financial stability by not having insurance that will cover Internet liability.

Almost every company has some kind of network, database or online presence that puts it at risk for litigation. If you have Web site content, your company can be targeted for violating copyright or intellectual property laws. A company laptop that is stolen or left in a taxi can launch a long and costly nightmare involving theft or extortion. A rogue employee posting on a blog, social media page or discussion forum can make your company liable for slander or defamation. Personal and financial information of customers sits on your servers or at a data store, daring hackers to get in and party.

Sound fun yet? There's more. Add to that recent federal regulations requiring customers to be notified in the event of data compromise, and there's plenty to keep you awake at night. More than ever, it's vital to make sure your company is protected.

Most standard business insurance policies include general liability, which protects the policyholder in case of a suit resulting from injury or property damage. If you sell your product to a company whose employee becomes injured as a result, you're covered. But if you sell that company software or forward an e-mail with a virus that damages records or allows a data breach, traditional insurance policies rarely offer adequate protection.

The current Web 2.0 climate means increased communication and data-sharing across the Internet, widening opportunities for commerce, education and new business relationships. The current trend toward outsourcing Web-hosting, credit card processing, call centers, document storage and data warehousing creates a web of convenient partnerships. But with sensitive information out of your complete control, opportunities are riper than ever for error, negligence or cyber crime, damages from which are seldom covered by traditional insurance.

If you think you're covered by your current business insurance policy or that of a business partner, you may be unpleasantly surprised. In fact, if you read the fine print, such damages are often specifically excluded.

The following are among all-too-common scenarios for which you can be held liable:

* If you pass along a virus or other type of malware, even unknowingly, especially if another company's customer information is then compromised.

* If one of your employees gains unauthorized access to another company's information or if confidential information is disclosed or misused.

* If an employee knowingly or unwittingly slanders another company in a blog, e-mail, or in a social media or forum post, or infringes on copyrighted material.

* If you do not follow federal or state regulations controlling notification of customers whose personal data has been compromised.

Statistics from the 2009 National Small Business Cybersecurity Study regarding the risks sound a warning:

* 65% of small businesses store customer data.

* 43% store financial records.

* 33% store credit card information.

* 20% have intellectual property content online.

Yet the vast majority do not see themselves as vulnerable. Why not? Here are some common reasons, and why they aren't sufficient:

* Our company uses a firewall, encryption, antivirus software, many levels of security authentication and subscribes to monitoring programs. According to the 2009 Data Breach Investigations Report by the Verizon Business RISK team, 69% of breaches were found by a third party and 75% of those breaches had occurred weeks or months before they were discovered.

Consider, too, that roughly half of all data breaches involve off-line events like stolen paper documents and lost laptops. This is an expensive problem. The cost per record of a data breach in 2009 reached $204, according to the Ponemon Institute's most recent annual study; for a relatively modest 1,000 records, that's $204,000.

Lost time and business are compounded by costs for data restoration and by the expense of complying with federal regulations requiring customer notification. That notification can entail printing, mailing, telephone costs and worse: loss of customer business and confidence, and serious damage to your good name.

* Our company doesn't participate in e-commerce. According to the Verizon report, one-fifth of data breaches were instigated by internal sources, or an insider was "turned" by a criminal who found it easier to exploit human weakness than work to discover and exploit software flaws. Disgruntled employees can sell client information, make company data unavailable or threaten to destroy it. Insiders can also be valuable tools in larger extortion schemes. Sound like the stuff of gangster movies? It happens.

* The only real risk is to financial institutions. Surprise! The Verizon report noted that the largest number of cyberattacks were launched against retailers, followed by financial institutions, then members of the food and beverage industry. Those three sectors combined for 75% of those hit.

* Small businesses aren't that vulnerable. Gone are the days when cybercrime was confined to the occasional genius hacker sitting in a dark basement overseas. Current hacking and malware technologies are sophisticated, and easily obtained and learned. Criminals are selectively targeting specific businesses and sectors rather than using the widespread "worm" attacks of the past. Small businesses, which store customer information without the expensive and complex security systems used by large corporations, are no longer being ignored. Verizon reports that 50% of cyberattacks were on companies with fewer than 1,000 employees. Companies with 11 to 100 employees sustained 26% of all attacks. Nobody likes those odds.

The good news: Cyber liability insurance is easily tailored to the needs of your business. Whether you're more concerned with network security, privacy issues, crisis management, technology errors and omissions or media and intellectual property issues, you can work with an underwriter to find a plan that best covers your greatest risks.

Better news: The insurance is affordable. A typical $100,000 policy for a small business costs between $1,000 and $1,500 annually. That's a small price to pay, especially compared to what a successful suit could cost, not only in damages, but also in time, stress, lost business and tarnished reputation.

As the Internet and our use of it changes, so will ways in which we can get ourselves in trouble, often without realizing it. Providing adequate protection against not only rapidly evolving criminal strategies, but also human error or omission is virtually impossible. For every solid and dependable proactive measure taken, there's another risk lurking.

As your company grows and succeeds, savvy business people understand that a higher profile equals higher risk. Take a look at your old insurance and make sure it's growing with you. Chances are you've left yourself too vulnerable for comfort in today's cyber business world.

In the long run, many experts believe cyber liability insurance will become the norm for businesses, along with other more accepted insurance types, such as fire, auto and worker's comp. Like it or not, the Internet with all its risks and rewards is here to stay, and success brings with it responsibility for navigating new terrain safely.

Cyber liability insurance: Don't run a business without it. And if it's snowing, remember your coat.

Caesar, a senior executive vice president at HUB International, is the chief marketing officer responsible for management of Insurance Company Relations and operations of HUB's California Central Coast office locations.

Learn more about this topic

Banking's big dilemma: How to stop cyberheists via customer PCs

Ubiquitous broadband poses problem for cyber security

Continued sophistication of cyber crime: Microsoft 
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies