As our reliance on technology grows, companies face increasing risk of exposure to cyber breaches. The following outlines some of the risks your business faces and explains why you should implement strategies to manage your risk before a cyber breach occurs.
What Is Cyber Risk?
Cyber risks include any security incident in which information is released or accessed by unauthorized individuals. Risks include both external cyber attacks, such as hacking or disclosure of information by third-party vendors, and internal cyber breaches, such as accidental disclosure of sensitive information through improper disposal of old computers and equipment.
The Threat Is Real.
In the past year, targeted cyber attacks against small and medium businesses have nearly doubled: from 18% in 2011 to 35% in 2012, according to a study released by the National Cyber Security Alliance and Symantec. Recent studies report that 74% of small to medium businesses experience some type of electronic banking fraud. Symantec reports that almost 40% of the over 1 billion cyber attacks it prevented in the first quarter of 2012 targeted companies with fewer than 500 employees. Yet 83% of U.S. businesses have no formal plan to address these threats, and nearly 6 out of 10 small to medium size businesses have no contingency plan for responding to and reporting data breach losses.
The Costs Are Immense.
The costs stemming from cyber breaches can be devastating. Chartis estimates that the average cost of a data breach is $14 million per business. Other estimates range from $5 to $214 per compromised record, and in 2011 Ponemon estimated that data breaches cost companies an average of $5.5 million per incident. Costs include mandatory notification required in at least 47 states. Each law differs in its requirements, timing, and the potential penalties for noncompliance, but if your company suffers a breach, you must comply with the laws of each state in which you have clients or customers. Other costs of cyber breaches include reputational damage, lost business, loss of use of equipment, data or information, attorneys' fees and litigation costs, damage awards, fines, penalties and the costs of implementing regulatory requirements.
Managing Your Risk.
Managing your cyber risk includes implementing in-house procedures and safeguards to prevent cyber breaches and obtaining adequate insurance funds to respond to breaches that occur. We will detail ten steps your company can take to manage your cyber risks in our next client advisory.
Standard Insurance Policies.
Insurance coverage may be an important source of funds to respond to cyber breaches. While many companies look to their standard insurance policies, such as commercial general liability, directors & officers, or crime policies, to cover such events, it is unlikely these policies will cover all of your company's cyber risk. For example, it is unlikely that any one of these policies will cover both third-party costs (including responding to litigation, damages awards and attorneys' fees), and first-party costs (including business interruption, notification costs and responding to regulatory requirements). Moreover, traditional insurance carriers are aggressively denying coverage for such losses and increasingly adding cyber exclusions to standard form policies. Even so, there is some favorable precedent for finding some coverage under certain policies. Therefore, if your company suffers a cyber attack or cyber breach, it is important to consider potential coverage under each of your insurance policies. Keep in mind that it may take more than one policy to fully cover the risks. A qualified independent insurance broker or insurance coverage attorney can review these policies for possible coverage avenues.
In response to increasing exposure for cyber liability, some insurers are offering, and many businesses are buying, specialized cyber policies to specifically address cyber risks. These policies are specially designed to address cyber security and privacy issues. The carriers who offer robust cyber coverage may also provide cyber risk assessment tools as a service to your company. These policies vary in what coverage they afford and are largely untested in the courts. When considering this option, it is important to know your risk and compare that to the coverage being offered. When in doubt, consult with a qualified broker or coverage attorney to evaluate the potential pitfalls and benefits of a particular product. In a future advisory we will offer suggestions on what to look for in a comprehensive cyber insurance policy.
See, e.g., Small Firms Have False Sense of Cybersecurity, Ned Smith, http://www.businessnewsdaily.com/3273-small-businesses-cyber-security.html; Biz Report: October 24, 2012: 83% of SMBs Have No Formal Cyber Security Plan, Helen Leggatt, http://www.bizreport.com/2012/10/83-of-smbs-have-no-formal-cyber-security-plan.html.
See, e.g., Retail Ventures, Inc. v. National Union Fire Insurance Company of Pittsburgh, 691 F.3d 821 (6th Cir. 2012).
Attorneys in the Sherman & Howard Insurance Recovery Practice Group are available to assist with these and other issues.