Cyber Liability Insurance – Does Your Retail Business Need It?
The news is full these days of hackers stealing credit card and other customer information from United States retailers such as Home Depot, Target, and Neiman Marcus (and the federal government) among others. These mega-breaches make great headlines, but what about smaller retailers? Are smaller retailers and restaurants targets for cyber criminals? The answer is yes. Although hackers rarely attempt to directly breach the firewall protections of specific small businesses, identity thieves will frequently send out tricky mass emails to hundreds of small businesses claiming to be from PayPal, QuickBooks, Xerox, etc., and once the email is opened or the link accessed by an unwitting employee, the hackers have access to the system.
According to the Chairman of the House Committee on Small Business, “nearly 71% of cyber-attacks occur at businesses with fewer than 100 employees,” because they have less sophisticated security defenses and cyber policies and consequently are more vulnerable to hackers and human error. According to Benetrends Financial, responding to an average cyber-attack typically costs small businesses around $21,000 (approximately $215 per lost record). Response costs can include notifying customers of the breach, hiring forensic investigators to review how the hacker gained access to the system, providing complimentary identity protection services to affected customers, reimbursing banks for the reissuance of breached credit cards, and paying public relations consultants to rebuild the company’s reputation. These costs don’t include expenses associated with lost business or litigation arising from the breach.
Although some insurers may have provided limited coverage for cyber liability claims on older commercial general liability forms, the frequency and severity of cyber liability claims have forced insurers to create exclusions on existing forms clarifying that cyber liability claims are excluded from general liability policies. Furthermore, use of an outside vendor to manage data (in the cloud or otherwise) does not necessarily relieve a business owner of his or her obligations. Under state and federal privacy laws, a business owner who accepts personal information, such as credit card data, from a customer remains responsible for the security of the customer’s information even though the business owner hires a third party to process and store the information. Therefore, business owners now need to consider obtaining standalone, dedicated cyber liability insurance policies to cover their cyber liability risk. Depending on the coverage obtained, all of the costs mentioned above can be covered by cyber liability insurance. A summary of the different elements of cyber liability insurance can be reviewed here.
When applying for cyber liability insurance, a business owner should select an insurance broker who has an experienced, cyber liability knowledgeable team. The broker should be in a position to help the business owner use an application that is thorough and appropriate for the owner’s line of business. The application form will require detailed information from the IT and network security team (regarding cloud providers and monitoring mechanisms), the finance department (regarding premium limits, deductibles, and scope of insurance), and the legal department (regarding indemnities and other contractual protections from outside vendors). The best rates are given to those businesses that have cyber breach detection and response plans in place, and have internal policies designed to avoid a data breach and to protect personal identity information.
Cyber liability insurance is obtained as a separate policy, and can be obtained from an owner’s regular insurance broker or through an insurance broker specializing in cyber liability coverage. Because cyber liability insurance is a relatively new insurance product, the cost, coverage terms, and limit of coverage can vary widely from insurer to insurer making it worthwhile to shop around.