Is a ransom cheaper than cyber insurance?

Ransomware attacks are a serious threat to businesses of all sizes. By taking steps to protect your business and choosing the right cyber insurance policy, you can help to minimize your risk of a ransomware attack.

According to a report by ransomware recovery specialists Coveware, ransomware disproportionately targets, and succeeds at infiltrating, small businesses. That’s because small businesses are attractive targets for ransomware attacks. They often have few security measures in place and are therefore more vulnerable. They also likely have fewer resources to recover from a ransomware attack and are more likely to pay the ransom, even if it is a significant sum of money. In reality, companies that have considered themselves too insignificant to attract cybercriminals’ attention are the prime targets.

Sadly, the trouble often does not end after paying the ransom. The criminal groups responsible for the attack may require an additional extortion fee to prevent any exfiltrated data from being posted online. These groups are financially savvy and often index their ransom demands to a point just below what would cause devastation and bankruptcy, then offer a modest discount. A recent study shows that actual payments are around 48% of initial demands. These groups know their marks, and rely on a steady stream of (comparatively) modest payments from companies that will neither resist nor have the bandwidth to take much recourse.

Adding insult to injury, once the initial damage is done, ransomware victims can face significant legal repercussions. Of the 27 states that have data breach laws, 26 of them have the power to impose civil and/or criminal penalties on ransomware victims, for a data compromise arising from the breach itself and for improper notification after the fact. Nine states also allow for private causes of action by users, which could tie a victim company up in litigation for years and result in additional settlements or judgements to impacted users. And remember, it’s the state where the user resides that counts, not the state where the business was attacked.

Isn’t cyber insurance only for companies with big networks?

Surprisingly, smaller businesses benefit disproportionately from cyber insurance because of the relative immaturity of their networks, backup, and cyber defense operations. Consider this scenario: A part-time, temporary worker is helping a small business run a modest warehouse operation for direct-to-consumer shipments. The worker, using a shared computer, clicks on an embedded link, disguised as part of a customer complaint, which exploits the unpatched operating system and gives access to everything on the network and everything that computer has recently accessed. This includes the complete customer name and address list, payment details, inventory database, accounting system, shipping and receiving records, and emails. With this access, the cybercriminals who placed the bait will encrypt all accessible data, delete or corrupt databases, and lock the business owner out of the website until a ransom is paid.

Once a business pays the ransom, and any extortion fees the attackers think they can get after examining its financial and customer information, the true costs start to kick in. Even imagining that you receive the promised decryption key, the cyber group likely didn’t write a decryption program, leaving the business to figure out how to decrypt the information, re-image all the computers, rebuild any destroyed or corrupted data, and pay for all security updates needed to minimize the chances of a repeat attack. The next step is to figure out whether you must notify your users, based on where they live, and various government agencies that PII was compromised, or risk fines and penalties. Finally, how much will the interruption in your operations during peak season hurt your sales, customer loyalty, and employee morale?

The cost for cyber insurance for a small business that is storing the data associated with an e-commerce or service provider business is likely a tiny fraction of the costs of an attack and recovery. While costs may run higher if you are holding significant amounts of personal or financial data (think healthcare or finance), the comparative value of peace of mind and support in case of an attack that would otherwise lead to devastation remains constant.

Doesn’t my business insurance cover me?

Usually, no. While general liability or errors and omissions policies may be triggered if a business owner is sued personally for mishandling their private or sensitive information, these policies aren’t designed to rebuild your business after cybercriminals wreak havoc on your network and data. A good cyber insurance policy will cover all costs associated with response, investigation, recovery, and notifications in the wake of a cyber incident. Additionally, it may have coverage for the reputational harm associated with breach notifications or with the malicious release of any information taken in the attack.

What should I look for in a cyber insurance policy?

Just like any insurance policy, the devil is in the details. When discussing the terms of the insurance policy with an insurance company, consider the following:

  1. Does the policy cover first-party losses (losses directly suffered by the business), third-party losses (any losses by customers, partners, vendors, etc. because of the attack), or both?
  2. Are comprehensive duty-to-defend costs paid for by the insurer, and not merely reimbursed?
  3. What level of business interruption coverage is included? The average disruption to a business is 28 days, so consider the total impact of that outage.
  4. What are the security and prevention requirements you need to meet to keep the policy from being voided? These requirements should be reflected in your business’s security policies and procedures. Also, be cautious of any policy that is void due to carelessness on the part of employees or third parties.
  5. What is the deductible or self-insured retention?

How can I make cyber insurance more affordable?

A strategic, documented cybersecurity program can help to reduce your risk of having a cyber incident, which will also reduce your premiums. While not an exhaustive list, a strong cybersecurity program typically includes:

  • Implementing strong security measures, such as firewalls, antivirus software, intrusion detection systems, digital loss prevention, and multifactor authentication.
  • Regularly training and testing employees on cybersecurity requirements and best practices.
  • Conducting regular security audits and penetration tests to find vulnerabilities before they are exploited.
  • Having a plan in place to respond to a cyberattack and minimize the damage.

An attorney experienced in cybersecurity can help you to develop and implement a good cybersecurity program that is tailored to your business. An attorney can also help you to negotiate with insurance companies to get the best possible rates on cyber insurance.
