4 Cyber Risk Misconceptions Popular with Midsized Firms

August 30, 2016

Despite frequent reports of hacking, cybercrime, security breaches and related events in all parts of the U.S., many middle market companies continue to underestimate their exposure to these attacks along with their need for focused risk management measures, which may include the purchase of specialized insurance.

A new report from Assurex Global, a privately held commercial insurance brokerage group, identifies four misconceptions about cyber risks, predominantly among mid-sized and small businesses.

Number one on the list is the notion that cyber events primarily affect larger businesses.

“Even though you may not hear about breaches at $50 million or $100 million manufacturers, they’re happening,” says Mike Richmond, a risk advisory executive at The Horton Group, an Assurex Global partner. “Sometimes that’s because the cyber protection at smaller companies isn’t as sophisticated, so hackers consider them an easy target.”

The second biggest misconception: “My type of business isn’t a target.”

“As the growing number of victimized companies attest, that misconception is being debunked nearly every day,” Richmond says. “There’s no question that every enterprise is now a potential target for a cyber-attack – public, private or nonprofit, you still may be vulnerable.”

The report cites Symantec’s list of the top sectors breached in 2015 by number of incidents: services; finance, insurance and real estate; retail trade; public administration; and wholesale trade.

The third leading misconception: a business can self-insure against a data breach.

In fact, the high cost of cyber-attacks makes this a perilous option, especially for small and mid-sized companies, say the Assurex experts. The average cost of a data breach for 350 companies participating in the Ponemon Institute’s 2015 Cost of Data Breach Study was $3.79 million, up 23 percent from 2013.

“If a data breach occurs today, businesses are almost certain to be subject to defense costs even if customers have yet to suffer any immediate or identifiable loss from the data breach,” says Richmond. “Once there’s a breach, costs can mount rapidly.”

The fourth misconception: many firms believe they’re insulated from financial consequences of cyber events because they outsource their network security, data management and payment transactions.

Yet, according to the report, as the original data owner, a company sustaining an attack will likely be named in third-party lawsuits and be held liable in most jurisdictions. While a vendor agreement may contain indemnification provisions, there may be caps on indemnification amounts and exclusions for certain types of data breaches. Further, the vendor may become insolvent, bankrupt, or simply not honor the agreement.

“We’re working with customers now to continuously improve their front-end protection; then, adding insurance to make sure that if something slips through the cracks, the company has insurance to pay for it,” Richmond says.

With respect to insurance, Richmond recommends companies consider two primary types of coverage for cybercrimes: a cyber liability/data breach policy and a commercial crime policy.

Cyber liability/data breach policies can include third-party coverage, first-party coverage, and media liability. Meanwhile, many commercial crime policies can be structured to address certain cyber-related risks otherwise not covered under a cyber liability policy, such as those involving certain phishing scams and corporate account takeover.

Although many firms opt to structure cyber coverage as an endorsement to their package policy rather than purchasing standalone cyber insurance, Richmond says standalone policies usually have higher limits, fewer exclusions, and are more comprehensive.

In choosing insurance, he suggests businesses work with an insurance agent, get support from the company’s C-level executives, and take steps to identify the firm’s risk and critical protection needs.

Richmond adds: “Start with the question: If a data breach happens, how would your company pay for the damages? This should impel businesses to assess their risks, shore up their risk management, and investigate and purchase cyber liability insurance.”

The report is Exposed, Targeted and Breached: The Risk of Cyber Crime.

Assurex Global is an exclusive partnership of independent agents and brokers with $28 billion in annual premium volume and more than 600 partner offices.

Source: Assurex Global