In the wake of last year’s massive Target breach, public awareness of data breaches has increased. More people are realizing that a cyber incident can be costly, difficult to repair, and might even directly affect their own personal information. Estimates are that up to 110 million accounts were affected by the Target hack, meaning that a substantial portion of the US population was impacted.
Companies, like individuals, are starting to see the dangers of cyber attacks. Small and medium-sized businesses (SMBs) have been reluctant to buy cyber liability insurance in the past, mainly because they haven’t seen a compelling need for it. That’s slowly changing, and it’s a good thing: One study found that nearly two-thirds of all businesses that experienced a data breach went out of business within 12 months.
SMBs are particularly vulnerable to hacking because they typically don’t have security nearly as robust as that of bigger companies. So cyber criminals see SMBs as easy prey. In fact, the Ponemon Institute found in a 2013 survey that 55% of SMBs had experienced a data breach.
Those in SMB C-Suites might think that their data isn’t as valuable as that of a publicly traded company, but that’s not true: Every business has confidential information on employees, if not customers, that hackers can sell on the black market. SMB networks also contain proprietary information that unscrupulous competitors might pay for. Furthermore, automated technology makes it easy for hackers to troll the web to find SMBs with security holes, which they are then more than willing to exploit.
SMBs in the retail space have even more post-breach headaches than their non-merchant peers, because retailers are subject not just to fines and penalties of government agencies, but also those of the payment card industry (PCI).
“Information exposures are difficult to control and are subject to many different types of loss events. And even with the best systems, controls and personnel, no retailer is immune to the risk. It only takes one small human error, a simple property crime, or one clever hacker, to compromise millions of customer records,” said Jamie Orye, who heads Beazley’s private enterprise team, which focuses on the professional liability needs of small businesses.
As we mentioned in a previous article on PCI issues, when a retailer is compromised, PCI contracts are written to assume the merchant is out of compliance – even if the merchant has done everything the contract required and has done nothing wrong. The burden of proof is on the retailer, and it can be a long and difficult process to prove innocence.
If that weren’t bad enough, PCI rules allow for the merchant bank to withdraw funds from the retailer’s bank account to pay for fraudulent charges before the retailer can even mount a defense.
We encourage SMBs to practice good digital security, including maintaining network logs. Even with the best security, however, it’s probably not a matter of “if”, but rather of “when” your company will be hacked.
So, it makes a lot of sense for SMBs, and especially those taking payments via debit and credit cards, to buy cyber insurance.