
Does My Small Business Need Cybersecurity Insurance?


Cyberattacks on small and medium-sized businesses are increasingly common, because criminals know that smaller businesses are less likely to invest resources in expensive hardware and software upgrades.

  • Cyber liability insurance can protect companies from losses associated with cyberattacks or data breaches
  • Cyber liability insurance can help your business recover from an attack

During the spring of 2021, the public became aware of a ransomware attack on Colonial Pipeline. The company is part of an oil distribution system that delivers gasoline primarily to Southeastern states, and the ransomware attack halted operations, causing a gasoline shortage in some states.

Because the impact on gas prices was immediately clear to the public, this story garnered considerable attention, leading many to ask how often these types of crimes happen.

Unfortunately, this type of attack is not rare. In fact, cybercrime is increasingly common and ransomware, a criminal practice in which hackers gain access to a company’s vulnerable systems and hold them hostage demanding a ransom payment, is a rapidly growing threat.

There are a number of myths surrounding cybercrime and how it impacts small businesses. In this article, we will dispel some of these myths, and show you how you can protect your small business with cybersecurity insurance.


Myth #1: Small businesses aren’t a target

Fact: Any business, large or small, can be a target for hackers. In fact, small and medium-sized businesses are targets for hackers specifically because they are less likely to dedicate the resources and money necessary to keep both hardware and software up to date to prevent hacks.

Hackers know this, and so smaller businesses are a prime target. Put another way, criminals gravitate to where the defenses are the weakest—this is true whether you’re talking about an unlocked car being broken into or a cyberattack. 

If your business uses email, operates in the cloud, has a bank account, stores sensitive personal data for employees or customers (such as Social Security numbers or health information), or processes credit cards, the business could be at risk.

Myth #2: As long as you update your software, you’ll be safe

Fact: While updating your software is important, it might not be enough to protect you. Cybercriminals have developed very sophisticated processes for gaining access to business systems. 

The entertainment industry cliché of a group of hackers sitting in front of a bank of computers writing code to circumvent corporate software systems is certainly still true, but common risks for businesses include the following tactics:

  • Phishing: Phishing is designed to trick an email recipient into either disclosing private information, or downloading malware. Cybercriminals have become very adept at designing emails that look like they are coming from legitimate sources, such as banks or company vendors. These types of emails frequently ask recipients to click a link to verify login or account information.
  • Spear-phishing: Spear-phishing takes phishing to a more sophisticated level. Hackers will target specific people within a company or organization, usually a person with access to sensitive information such as banking or private employee data. Emails to this person may appear to come from someone an employee would find it difficult to say no to, such as a CEO or owner. Basically, in spear-phishing, criminals manipulate a person’s desire to be helpful in order to gain access to the information they are seeking.
  • SMS-phishing: “Smishing” scams are text messaging scams designed to install spyware on a mobile device. These are also sometimes called link scams.

Once a criminal has used one of these techniques to access the sensitive or critical systems in your business, they can install what is known as ransomware.

Ransomware typically locks legitimate users out of a system by encrypting the data. The cybercriminals then demand payment for the encryption key, holding the computer system for ransom until they are paid. Of course, there’s no guarantee that they will provide the key after receiving payment.

Demanding ransom isn’t the only form of cybercrime. Sometimes the impact is a data breach, where sensitive information is used by criminals for identity theft. Some criminals have succeeded in transferring funds from company accounts to untraceable currency such as Bitcoin.

Myth #3: Cybercrime is rare

Fact: Cybercrimes against businesses are depressingly common and the numbers are rising. Typically, we only hear about these types of crimes on the news when they are either very large breaches affecting many people, or when the disruption impacts our daily lives, such as gas prices rising in the wake of the Colonial Pipeline incident. But the fact is these crimes are happening with astonishing frequency and the problem is growing.

Myth #4: It’s expensive to protect yourself from cyberthreats

Fact: If you add in the cost of lost customers and reputation, it’s probably far more expensive not to protect your business. Businesses can take steps right now to better protect against cyber intrusions, and some of these steps are surprisingly affordable—some are even free.

  • Strengthen passwords: Cybersecurity experts continually point to weak passwords as a problem, and no wonder. Look up some of the most frequently used passwords and you’ll find examples such as “123456” and “password.”
  • Button down your document control: Cybercriminals don’t just exist in faraway places. Some breaches start right in the office from lax behaviors such as passwords written on post-it notes tacked up to screens. 
  • Restrict web browsing and update browsers to the latest versions: The internet is a valuable business tool, but allowing employees to have unfettered access to websites can leave your systems vulnerable—especially if you are using outdated browsers. Some sites are full of malware that can end up on your computers.
  • Train your employees to recognize suspicious activity: Engaging in employee cybersecurity training might be the most important item on this list. As noted above, criminals are always evolving their tactics, and tricking your employees is one of the fastest ways to access your systems. Anyone can be vulnerable, so make sure that every employee you have knows what to look for. It only takes one click of one link in what appeared to be a legitimate email to compromise your systems.

Training must take place frequently to be effective, because criminals are constantly adjusting their practices and tactics. There are a number of organizations that offer resources for businesses large and small, including the Cybersecurity and Infrastructure Security Agency (CISA), the Small Business Administration (SBA), and the Department of Homeland Security (DHS). 

What is Cyber Liability Insurance?

Cyber liability insurance is business insurance to protect your company from the financial losses associated with a data breach or other types of cyberattacks. As noted earlier, almost every business presents some level of risk for cybercrime.

Talk to your insurance agent about your business’s risk level for cybercrime. 

What can cyber liability insurance cover?

Recovering from a data breach or ransomware attack can be expensive. Depending on what type of information was lost, recovering from an attack can take a long time. And, there’s the threat of litigation from customers or vendors who may claim that the cyberattack was due to negligence on the part of the business.

These are the types of expenses that cyber liability insurance is designed to help cover.

There are two primary types of coverage: first-party cyber coverage and third-party cyber coverage.

  • First-party cyber liability insurance offers protection against losses that directly relate to your business. For example, if your company is the victim of a ransomware attack, first-party coverage can cover things such as the extortion payments and the cost of the investigation.
  • Third-party cyber liability coverage protects your business from the costs associated with any resulting lawsuits from vendors or customers that arise after a breach or ransomware attack.

How much does cyber liability insurance for businesses cost?

Unfortunately, because cybercrime is growing and costs to recover are soaring, premiums for this type of coverage are rising. The amount and type of coverage you need, along with the risk your business faces, will impact how much you will need to pay for cyber liability insurance.


The Bottom Line

Your business can and should take steps to reduce your risk of a cyberattack or data breach. Train employees, update your hardware and software, and take other preventative measures such as enabling multifactor authentication whenever possible. Talk to your agent or schedule a risk consultation with an experienced small business insurance agent today.


All information provided in this publication is for informational and educational purposes only, and in no way is any of the content contained herein to be construed as financial, investment, or legal advice or instruction. Guaranteed Rate Insurance does not guarantee the quality, accuracy, completeness or timeliness of the information in this publication. While efforts are made to verify the information provided, the information should not be assumed to be error free. Some information in the publication may have been provided by third parties and has not necessarily been verified by Guaranteed Rate Insurance. Guaranteed Rate Insurance, its affiliates and subsidiaries do not assume any liability for the information contained herein, be it direct, indirect, consequential, special, or exemplary, or other damages whatsoever and howsoever caused, arising out of or in connection with the use of this publication or in reliance on the information, including any personal or pecuniary loss, whether the action is in contract, tort (including negligence) or other tortious action.