Imagine logging onto your work computer one morning, only to be met with a notification informing you that your data has been stolen by hackers. To get it back, you need to pay $100,000. What are your next steps? The answer likely hinges on whether you’re set up with cybersecurity insurance.
Although many business owners think they’re immune from attacks like this due to their size, there are more than 700,000 attacks against small businesses each year, StrongDM reports. Alarmingly, just 17 percent of small businesses have cyber insurance, and more than half of those that fall victim to ransomware wind up paying the ransom.
This alone is enough to make most business leaders uneasy but the reality is that ransomware is only one potential threat. Hackers are active. They want your website, financial data, customer data, cash, and more. And, the risks are growing. On this page, we’ll walk you through some of the most common threats, how to determine if your business needs cybersecurity insurance, and information you’ll need to know if you decide to set up a policy.
Cybersecurity Risks for Small Businesses
Before we get into cyber risk coverage, let’s take a quick look at what the actual threats are that may impact your business.
Phishing Attacks
Phishing is one of the greatest cyber threats to businesses today. It involves tricking your employees into sharing sensitive information such as passwords or financial details. This is often done by sending them an email that looks like it’s from a legit vendor or business partner but isn’t. While many businesses think their firewalls and antivirus software will protect them, 70 percent of files or links containing malware are not blocked by these measures, according to the Cybersecurity and Infrastructure Security Agency (CISA). Moreover, eight in ten small businesses have at least one person who takes the bait in agency assessments, and one in ten people overall executes malicious links or attachments.
Ransomware
In a ransomware attack, a hacker prevents you from accessing your data. They may encrypt it and leave it intact on your systems or pull a copy for themselves and delete your files. In either case, the business typically discovers the breach by finding a notice from the hacker directly on their system. The notice informs them of the incident and provides the steps to have the data returned, which usually involves making a hefty payment. Not surprisingly, cybercriminals aren’t exactly known for their code of ethics, so businesses that pay don’t always get their data back. Sometimes, the hacker comes back for a second round, too.
This presents two major issues. First, the business likely has to report to the government and its customers that their data is now compromised. Secondly, the business has now lost its data. This is concerning because three in four small businesses do not have a backup strategy or disaster recovery plan, NinjaOne reports. This means the data is simply gone with no hope of recovery in most cases.
Insider Threats
Malicious attacks like those covered above comprise 55 percent of data breaches, according to IBM. However, hackers aren’t your only threat. Sometimes, those creating the risks for your business are those you trust most. Human errors, such as clicking a bad link or unintentionally emailing data to someone outside your organization, account for 22 percent of breaches.
IT Failure
In all, 23 percent of breaches are tied back to IT failure, IBM reports. These can be caused by anything from using outdated software to failing to apply patches in a timely manner or even coding errors.
Weak Passwords
More than 40 percent of data breaches involve unauthorized access, meaning someone gains access to a system or information they shouldn’t have been able to. In situations that did not involve a misuse of privilege, such as an IT pro checking out payroll numbers, or an error, 62 percent involve stolen credentials, Astra reports.
Unfortunately, people make it very easy for hackers to crack their passwords. For instance, the top password of 2023 was “123456.” Most people use the same password for multiple accounts and most never change or reset them either.
The Cost of Cybersecurity Incidents
The cost of a cybersecurity incident varies greatly depending on the nature of the incident and the business. For instance, the average ransomware payout now sits at $1,542,333, Varonis reports. But, even if you don’t wind up paying a hacker, you may still be hit with:
- Data Recovery Costs
- Consulting and Legal Fees
- Losses Due to Downtime and Business Interruption
- Client Losses Due to a Damaged Reputation
- Public Relations Costs
- Government Compliance Fines
- Lawsuits
- Increased Insurance Premiums
- And More
All this can add up to millions of dollars in expenses stemming from a single incident. It’s no surprise, then, that 60 percent of small businesses that experience a cyberattack close permanently within six months, according to The National Cyber Security Alliance (NCSA).
What Cybersecurity Insurance for Small Businesses Covers
Cybersecurity insurance, sometimes called cyber liability insurance, helps protect your business from the costs associated with cyberthreats and data breaches, but what it covers and how it works varies from one policy to another.
First-Party vs. Third-Party Coverage
There are two main types of cybersecurity insurance: first-party and third-party.
First-Party Coverage Protects Your Business
First-party coverage deals with the costs that directly impact you and your business in the aftermath of a cyber incident. It covers a wide range of expenses to help you get back on your feet quickly, such as:
- Data Recovery Costs
- Business Interruption
- Costs to Notify Customers
- Crisis Management and PR
- Cyber Extortion Payments
- Forensic Investigations
Third-Party Coverage Protects You from Others’ Claims
Your third-party coverage steps in when your business is held liable for a cyber incident that impacts others. This typically includes expenses like:
- Legal Defense Costs
- Regulatory Fines and Penalties
- Customer Notification and Credit Monitoring
- Settlements or Judgments
What Cybersecurity Insurance Doesn’t Cover
Cybersecurity insurance is designed to protect you against many potential losses, but it’s not a catch-all. There are gaps and exclusions businesses should be aware of.
- Pre-Existing Vulnerabilities
- Negligence or Failure to Follow Security Best Practices
- Loss of Intellectual Property or Future Profits
- Reputational Damage Beyond PR Costs
- Regulatory Fines Due to Gross Negligence
- Social Engineering and Fraud Losses
- Cost of Improving Security After an Incident
Cybersecurity Insurance vs. General Liability Insurance
Oftentimes, business owners wonder if insurance for cyber attacks is the same as business liability insurance or if their general liability policy covers cyber threats. The short answer is no, you’ll usually need to purchase these coverages separately. Although you may be able to get both types of business insurance from the same company, general liability is usually limited to things like bodily injury, property damage, and advertising injury.
Cyber insurance is also not typically part of a business owner’s policy (BOP), which typically bundles general liability, commercial property, and business interruption insurance.
With that said, it’s always a good idea to read through your current policies to see if you purchased a cyber add-on or if some of your coverages may apply to cyber incidents.
Cost of Cyber Insurance
A typical small business pays $1,740 annually, or $145 per month, for cyber liability insurance, Insureon reports. One-third of small businesses come close to this mark, landing between $100 and $200 monthly, while just over one-third comes in under $100, and the remaining group invests over $200 monthly. This is based on a variety of factors, such as:
- Your Business Size and Industry
- Coverage Limits and Deductibles
- Cyber Threat Protection Measures in Place
- Claims History
To give some context, a sole proprietor might be able to get $250,000 in coverage for as little as $500 a year, whereas a small business might be able to get a $1,000,000 policy for $5,000 a year or less.
Bottom Line: Is Cyber Insurance Worth It?
Whether cyber insurance is a worthwhile investment for your business is a personal choice that only you can make based on your level of risk tolerance. If you’re unsure, ask yourself the questions below.
Can Your Business Absorb a Major Financial Loss?
As explored earlier, a single cyber incident can cost a business millions of dollars. While this is more of a worst-case scenario, if your business cannot absorb any kind of significant loss, a cyber insurance policy may be worth it.
Would a Data Breach Significantly Damage or Close Your Business?
It’s important to remember that the upfront losses are only part of the equation. How customers view your business after, and costs associated with making things right by them after an incident such as credit monitoring and government fines, can really add up. This is why cyber incidents are catastrophic for most small businesses that are impacted by them. If your small business will need help bouncing back, insurance may be worthwhile.
Are You Required to Have Cyber Insurance?
Sometimes cyber insurance is required as part of a licensing process or as part of the requirements for participating in a professional organization. If something like this applies to your business, you will likely need a policy.
Is it Better for You to Have a Predictable Expense vs. Unpredictable Loss?
Sometimes businesses can absorb a loss from a cyber incident, but it makes more sense from a budgeting standpoint to pay predictable insurance premiums rather than potentially face a loss of unknown value. If you appreciate the predictable nature of premiums, a policy probably makes sense for you.
Will Cyber Insurance Boost Trust with Customers or Stakeholders?
Sometimes insurance is a selling point. For instance, let’s say that you run cloud-based software-as-a-service (SaaS) company in the medical industry. Your systems therefore host sensitive patient data. Your customers and prospective customers are likely to have more confidence in your software if they know you have an extra layer of protection in place. Equally, leadership and potential investors may feel more secure knowing that your business won’t suffer a major loss in the event of a cyber incident. In situations like these, it usually makes sense to obtain a policy.
Things to Consider When Setting Up a Cyber Insurance Policy
Although you can just choose an insurance company and select your coverage, you’ll get a more tailored fit by keeping a few points in mind.
Your Risk Profile
Identify your vulnerabilities, data sensitivity, and industry-specific threats to help determine your needs.
Coverage Types
Determine whether your business needs first-party or third-party coverage and identify how much coverage you need based on your unique risks.
Exclusions and Fine Print
As you review potential policies, keep an eye out for exclusions to avoid surprises if you need to make a claim later. For instance, some policies don’t cover unpatched vulnerabilities, while others won’t cover negligence.
Deductibles and Premiums
Higher deductibles mean lower premiums, though you’ll pay more out-of-pocket if there’s an incident. Find the right balance for your business.
Compliance Requirements
Find out if you’re required to have specific coverage based on your industry and make sure any policy you’re considering aligns with requirements to avoid non-compliance fines.
Value-Added Services
Some insurance companies offer extras such as incident response support, risk assessments, or training programs. These perks can help you avoid issues and be a major source of relief if you experience an issue.
Add-Ons
Some plans offer add-ons for things like social engineering or direct cybercrime to cover growing threats like phishing. These can be very helpful for those with larger teams.
Incident Response Requirements
Many policies have requirements for reporting and handling incidents. For instance, you may be required to report a ransomware attack within 24 hours. While these aren’t usually dealbreakers when choosing a policy, you’ll need to familiarize yourself with them to ensure you handle incidents in a way that ensures you’re covered.
Choosing the Right Insurer
Go with an insurance company that’s known for strong cybersecurity expertise and has a good track record on claims.
Policy Reviews and Updates
Set a reminder to review your policy before it renews each year so you can make adjustments to ensure it covers new threats and addresses any changes in your business operations or technology.
Get Immediate Funds for Your Premiums or Cybersecurity Upgrades
Most business owners understand that having the right people, technology, and insurance in place is crucial to avoiding catastrophic outcomes from cyber incidents, but finding the cash for these investments can be challenging, especially if you’re growing your business. Invoice factoring can provide you with the capital you need instantly through the sale of your unpaid invoices. Instead of taking out a loan with interest and having to pay that back over time, you simply sell your invoices to a factoring company like Charter Capital at a slight discount. Use the cash to expand your IT team, upgrade your security, cover premiums, and more. To get started, request a complimentary rate quote.
- Can My Small Business Afford AI Solutions? - December 10, 2024
- Cybersecurity Insurance for Small Business: Is it Worth It? - November 11, 2024
- Customized Factoring Solutions for Seasonal Businesses - October 14, 2024