The Four Biggest Misconceptions About Cyber Threats
Some Middle Market Companies Still Lag in Securing Protection
Despite frequent media reports of hacking, cybercrime, security breaches, and related events in all parts of the U.S., many middle market companies continue to underestimate their exposure to these attacks along with their need for focused risk management measures, which may include the purchase of specialized insurance.
A new report from Assurex Global, the world’s largest privately held commercial insurance, risk management, and employee benefits brokerage group, identifies four misconceptions about cyber risks, predominantly among mid-sized and small businesses. The notion that cyber events primarily affect larger businesses tops the list.
“Even though you may not hear about breaches at $50 million or $100 million manufacturers, they’re happening,” said Mike Richmond, a risk advisory executive at The Horton Group, an Assurex Global partner. “Sometimes that’s because the cyber protection at smaller companies isn’t as sophisticated, so hackers consider them an easy target.”
The second biggest misconception: “My type of business isn’t a target.”
“As the growing number of victimized companies attest, that misconception is being debunked nearly every day,” said Richmond. “There’s no question that every enterprise is now a potential target for a cyber attack—public, private, or nonprofit.”
The report cites Symantec’s list of the top sectors breached in 2015 by number of incidents: services; finance, insurance and real estate; retail trade; public administration; and wholesale trade.
The third leading misconception: you can self-insure against a data breach. In fact, the high cost of cyber attacks makes that a perilous option, especially for small and mid-sized companies. The average cost of a data breach for 350 companies participating in the Poneman Institute’s 2015 Cost of Data Breach Study was $3.79 million, up 23 percent from 2013.
“If a data breach occurs today, businesses are almost certain to be subject to defense costs even if customers have yet to suffer any immediate or identifiable loss from the data breach,” said Richmond. “Once there’s a breach, costs can mount rapidly.”
The fourth misconception: many firms believe they’re insulated from financial consequences of cyber events because they outsource their network security, data management, and payment transactions. Yet, according to the report, as the original data owner, a company sustaining an attack will likely be named in third-party lawsuits and be held liable in most jurisdictions.
While a vendor agreement may contain indemnification provisions, there may be caps on indemnification amounts and exclusions for certain types of data breaches. Further, the vendor may become insolvent, bankrupt, or simply not honor the agreement.
“We’re working with customers now to continuously improve their front-end protection,” said Richmond. “Then, adding insurance to make sure that if something slips through the cracks, the company has insurance to pay for it.”
Richmond recommends companies consider two primary types of insurance coverage for cybercrimes: a cyber liability/data breach policy and a commercial crime policy.
Cyber liability/data breach policies can include third-party coverage, first-party coverage, and media liability. Meanwhile, many commercial crime policies can be structured to address certain cyber-related risks otherwise not covered under a cyber liability policy, such as those involving certain phishing scams and corporate account takeover.
Although many firms opt to structure cyber coverage as an endorsement to their package policy rather than purchasing standalone cyber insurance, Richmond noted standalone policies usually have higher limits, fewer exclusions, and are more comprehensive.
“Start with the question, If a data breach happens, how would your company pay for the damages?” Richmond suggested. “This should impel businesses to assess their risks, shore up their risk management, and investigate and purchase cyber liability insurance.”