Courtesy of Associates of Glens Falls
By Christine Graf
With cyberattacks against small businesses on the rise in recent years, it is more important than ever for companies to have cyber liability insurance policies.
According to Verizon’s 2021 Data Breach Investigations Report, 46 percent of all cyber breaches impact businesses with fewer than 1,000 employees. In 2020, there were over 700,000 attacks against small businesses, resulting in $2.8 billion in damages.
“We’ve been dealing with cyber liability insurance for about 10 years, but it hasn’t been until the last five years that it has become more mainstream. Every business should have a general liability policy as well as a cyber liability policy,” said Jeremy Deason, a Chartered Property Casualty Underwriter (CPCU) and account executive at Associates of Glens Falls Insurance, an independently-owned insurance agency that writes policies throughout the United States.
When cyber liability was in its infancy, policies were purchased primarily by companies that accepted credit cards or other digital forms of payment. These policies cover credit card breaches as well as the costs associated with providing data monitoring to customers.
Several years ago, hackers also began targeting employee data, breaching hospital, school, and government agency databases.
“These hackers were threatening the release of social security numbers and other personal identifiable information (PII),” said Deason. “And most recently, they are more focused on ransomware.”
A type of malicious software, ransomware is designed to block access to a computer system until a sum of money—a ransom– is paid, often in Bitcoin. Companies without ransomware coverage are at risk of losing their data if they are unable to pay the ransom.
As an example, Deason said a small local contractor, one with no ransomware coverage, fell victim to an attack. Unable to pay the ransom and with no Cloud backups, he lost all of his accounting, invoicing, and other data.
“He basically had to start over from scratch,” Deason said.
Although all cyber insurance policies are different, the policies recommended by Associates of Glens Falls Insurance cover credit card breaches, employee and customer PII breaches, and ransomware. These policies also include business interruption insurance for cyberattacks.
“Most people have business interruption insurance on their property coverage for a property loss–a fire, a windstorm, or something like that. We do not sell policies that don’t have it,” said Deason. “But on a cyber policy, you want to make sure you have that coverage as well.”
Deason estimates that only about 50 percent of companies have cyber liability insurance, saying that those who do are often under insured.
“Some people may have $100,000 in cyber liability coverage, and that’s nothing. The policies we sell have at least $1 million,” he said.
Clients that experience a cyberattack are instructed to immediately report the attack to their cyber insurance carrier.
“They take it and run with it because they know what to do,” said Deason. “They do all of the notifications, and they make sure you are following all of the state, local, and national guidelines, which is huge. That would be such an onerous task for someone to do on their own. All of that is covered by the policy.”
Cyber liability policies vary in cost but are significantly less expensive for companies that utilize multi-factor authentication (MFA). MFA prevents unauthorized access to data and applications by requiring a second method of identity verification. With MFA, even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the network or database.
In addition to cyber liability insurance, Deason recommends companies carry employment practices liability (EPL) insurance. EPL provides coverage to employers against claims made by employees alleging discrimination, wrongful termination, or harassment.
“What a lot of people don’t realize is that if your employee sues you, there is no coverage in a regular general liability policy. It’s not just first-party harassment with a boss harassing an employee, it could be employee to employee, employee to customer, customer to employee, vendor to employee.”
Deason also said that any organization or non-profit that has a board of directors or board of trustees should have insurance coverage for directors and officers.
“You want to make sure that people who are volunteering their time to serve on these boards are not exposing themselves to liability. If I’m serving on a board, the first question I ask is, ‘Do you have directors and officers coverage?’”
With the cost of insurance rising, Deason understands that business owners are reluctant to add or increase their coverage.
“It’s our job to think about worst case scenarios,” he said. “It’s hard to get people to understand, and unfortunately, sometimes it takes a loss. The question I ask is, ‘Can you put your head down at night and feel comfortable knowing that you have the right coverage in place?’ At the end of the day, that extra cost is totally worth it.”
For more information, visit www.aogf.com