Insurance for When You Get Hacked

Question: In light of all the hacker attacks in the news, how often are smaller businesses targeted? Is there insurance that covers you in case of an attack?

Answer: In a survey (pdf) of 800 members last year, the National Small Business Association reported that almost half had experienced security breaches, with nearly 60 percent of those incidents resulting in business interruption. The average cost associated with cleaning up the attacks approached $8,700.

While more than 90 percent, however, of those surveyed said they were very or somewhat concerned about cybersecurity, one in four reported knowing little to nothing about cybersecurity issues.

I recently detailed five areas where small business owners can tighten their security practices. But what happens if you’ve already been the target of a hacker?

Along with the cost of notifying customers (a legal requirement) that their credit card or other data have been stolen, there can be a serious cost to your company’s reputation in the wake of an attack, says Andrew Bagrin, chief executive and founder of cybersecurity company My Digital Shield. “More than one-third of patrons say they wouldn’t return to a business that experienced a breach. Unfortunately, few businesses recognize and understand the impact of a breach until it’s too late,” he says.

Harris Tsangaris, senior vice president at New York insurance broker NFP, says he has seen an uptick in claims for so-called cyberliability insurance, as policies intended to cover costs of data breaches are called. “There’s a significant threat of hackers getting into systems and obtaining confidential information,” he says. Cyberliability insurance covers both electronic hacking incidents and confidentiality breaches that result if your company is not properly disposing of paper files that contain financial information.

The insurance usually includes liability coverage in case lawsuits are filed over the security breach, Tsangaris says. It typically pays for the cost of notifying all individuals who have been affected, as well as providing credit monitoring services for them after their confidential information has been compromised. Another cost that should be included in a cyberliability policy is any regulatory fines or penalties that could be levied against your company as a result of the breach, he says.

Extra coverage could pick up the cost of business interruption due to a network security data breach, but “that’s usually more applicable to a tech company,” Tsangaris says. “If you’re a dot-com, and someone hacks in and causes an interruption, the insurance policy could cover that.”

The policies can be purchased on a standalone basis or in conjunction with a standard errors-and-omissions business insurance policy, depending on the type of business being insured, he says. Minimum annual premiums are typically around $2,500 but can be much higher, particularly for retailers who collect thousands of customer credit card numbers.

That cost is likely to be prohibitive for many small companies, but with the need growing, premiums may be coming down. Bagrin says his company is working with a large insurer to develop a limited-scope policy more suitable—and affordable—for small companies. “The primary focus across the board [has been] on large enterprises,” he says. “We are looking forward to putting together a bundle package with a reduced premium to help the small businesses safeguard themselves from potential cyber threats.”

    Before it's here, it's on the Bloomberg Terminal. LEARN MORE