Main Street America: A Vulnerable Target for Cyber Attack
Cyber risk affects everyone. There’s not a business small or simple enough to escape its reach. If you handle personally identifiable information on behalf of employees or customers, use a computer to conduct business, or work with a vendor that does, your company is exposed.
Small businesses that make up Main Street America, however, continually underestimate their risk. These are the local food markets, ice cream shops and hardware stores; independent legal and consulting firms; preschools and small nonprofits that underpin community economies.
Sixty-one percent of businesses in this sector suffered a cyber attack in 2017, yet only 25 percent had sufficient cyber insurance coverage, according to Ponemon Institute’s “2017 State of Cyber Security in Small & Medium-Sized Businesses.” Even fewer – 22 percent – were taking steps to protect themselves by encrypting private employee and customer data.
Addressing the coverage gap requires two steps. First, small business owners need to better understand the type and extent of their cyber exposure. Second, their insurer and broker partners need to proactively educate this sector about the risk transfer solutions available to them.
The Many Forms of Cyber Risk
“Cyber risk refers to the financial consequences a business has in the face of a network security breach or a breach of private information in their care, custody or control,” said Betty Shepherd, Divisional Senior Vice President, Great American Insurance Group.
“This risk can manifest itself in several forms, but the majority comes down to data. It’s important to analyze how data flows through your organization to determine your exposure.”
A network security breach can include anyone gaining unauthorized access to a company’s systems and/or data. A network breach may or may not result in a privacy beach, in which an unauthorized person gains access to personal identifiable information (PII) like credit card numbers, Social Security numbers, addresses or other sensitive data. A network breach can cause business interruption, data loss or even an extortion event.
Possible theft of PII triggers a host of extra expenses. All 50 states now require businesses to report cyber breaches involving PII to affected individuals as well as regulators. An organization may need to conduct forensic investigation to determine what — if anything— was accessed or stolen. Affected companies may also offer ongoing credit monitoring services to affected customers if financial information was divulged.
“In states with notification requirements, data owners are legally obligated to notify an individual if their private information has been breached or thought to be accessed in an unauthorized manner,” Shepherd said.
“Many small businesses believe this obligation falls to their third-party data processors, such as payment processors handling credit card data, or outsourced accounting functions administering payroll, for example. But that is not the case. Care of that data remains the responsibility of the business that collected it.”
Cyber extortion in the form of ransomware has grown increasingly common as a way for thieves to make off with small sums. Many companies would rather pay an affordable ransom and regain system access quickly than battle with an unknown assailant.
Denial of service attacks can cause financial harm via business interruption and lost income.
Third-party liability also enters the picture if the data belonging to a vendor or other business associate is unlawfully accessed, stolen or corrupted.
“An affected third party could file a claim against you if your network is determined to be the source of malware or the entry point for a cyber thief, thus enabling the compromise of the third party’s network,” Shepherd said.
Business owners should also keep in mind that paper trails are as important to safeguard as digital ones.
“People also tend to forget that cyber risk extends to paper files as well as electronic. Data is data,” Shepherd said. “Physical documents that contain sensitive information are still an exposure. Failing to properly store and/or dispose of that paper may open a company up to the same liability as if a computer system gets hacked.”
More often than not, carelessness on the part of employees — rather than a malicious hacker — is the cause of network security failure. Unwittingly clicking on a link or attachment within a phishing email, for example, can plant malware without any overt indication. Mobile devices used for work can be stolen or lost. Papers casually tossed in the trash are easy targets for theft.
“Understanding where cyber risk comes from is the first step of risk mitigation,” Shepherd said.
Developing a Risk Management Strategy
Once a business pinpoints where its exposure lies, it can take specific steps to strengthen vulnerabilities. Encrypting data renders it useless to a cyber thief. Storing sensitive documents in a locked cabinet and enforcing proper disposal protocols reduces the risk that they’ll fall into the wrong hands. Installing firewalls and dual-authentication processes can enhance network security.
But advancing technology and increasingly sophisticated hackers make it nearly impossible to build ironclad defenses against cyber risk. This is why adequate cyber insurance is critical in helping small companies stay up and running in the aftermath of a breach.
Parsing through the insurance options available, though, can be difficult even for large corporations with more cyber expertise. Lots of overlap exists among current products on the market. General liability, E&O and fidelity products may have some cyber component built in but may not offer all the coverages a company needs. Still, some small businesses can find it costly to purchase a standalone cyber policy.
“There are many policy variations, and there’s no single form on the market that will cover every cyber peril,” Shepherd said. “The appropriate solution depends on the nature of your exposure.”
A pizzeria, for example, can still make pies and accept cash payments if their point-of-sale system goes down, so its management team is less concerned about business interruption expenses. A manufacturer, on the other hand, may suffer a total lapse in operations if their industrial network is compromised. A consulting firm is likely to have staff working remotely and may need specific coverage for mobile devices more so than a clothing boutique. But the boutique will transact a larger volume of credit card data and may be more concerned with breach notification and remediation costs.
Expertise to Craft Custom Solutions
Insurers with expertise in cyber risk can offer the tailored solutions that small businesses need.
Great American offers a modular policy format with a menu of insuring agreements, including security breach liability and expenses, cyber extortion threats, funds transfer fraud, replacement or restoration of electronic data, and public relations expenses, among others.
“A Great American policy includes the third-party liability exposure inherent in many network security and privacy breaches as well as the first-party exposure like breach notification, investigation and credit monitoring expenses,” Shepherd said. “We also have separate coverage available for public relations services to help an organization mitigate reputational damage in the event they experience negative publicity following a breach.”
Great American policyholders also have access to a web portal offering informational resources like whitepapers, as well as breach calculators and referrals for security, forensic investigation and legal firms.
Great American has focused its cyber expertise on the needs of small- to medium-sized companies, underwriting businesses with up to $250 million in annual revenue.
“Every organization has a cyber risk exposure, but we’re not looking to underwrite everyone. We’re dedicated to the unique needs of small- and mid-size organizations,” Shepherd said. “We will continue to educate and serve this sector as the risk and exposures evolves.”
Great American Insurance Group, 301 E. Fourth St., Cincinnati, OH 45202. Policies are underwritten by Great American Insurance Company, Great American Assurance Company, Great American Alliance Insurance Company, Great American Insurance Company of New York, Great American Security Insurance Company, and Great American Spirit Insurance Company, authorized insurers in all 50 states and the DC.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Great American Insurance Group. The editorial staff of Risk & Insurance had no role in its preparation.