[BreachExchange] 4 Cyber Risk Misconceptions Popular with Midsized Firms

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 30 19:49:30 EDT 2016


http://www.insurancejournal.com/news/national/2016/08/30/424769.htm

Despite frequent reports of hacking, cybercrime, security breaches and
related events in all parts of the U.S., many middle market companies
continue to underestimate their exposure to these attacks along with their
need for focused risk management measures, which may include the purchase
of specialized insurance.

A new report from Assurex Global, a privately-held commercial insurance
brokerage group, identifies four misconceptions about cyber risks,
predominantly among mid-sized and small businesses.

Number one on the list is the notion that cyber events primarily affect
larger businesses.

“Even though you may not hear about breaches at $50 million or $100 million
manufacturers, they’re happening,” says Mike Richmond, a risk advisory
executive at The Horton Group, an Assurex Global partner. “Sometimes that’s
because the cyber protection at smaller companies isn’t as sophisticated,
so hackers consider them an easy target.”

The second biggest misconception: “My type of business isn’t a target.”

“As the growing number of victimized companies attest, that misconception
is being debunked nearly every day,” Richmond says. “There’s no question
that every enterprise is now a potential target for a cyber-attack –
public, private or nonprofit, you still may be vulnerable.”

The report cites Symantec’s list of the top sectors breached in 2015 by
number of incidents: services; finance, insurance and real estate; retail
trade; public administration; and wholesale trade.

The third leading misconception: a business can self-insure against a data
breach.

In fact, the high cost of cyber-attacks makes this a perilous option,
especially for small and mid-sized companies, say the Assurex experts. The
average cost of a data breach for 350 companies participating in the
Ponemon Institute’s 2015 Cost of Data Breach Study was $3.79 million, up 23
percent from 2013.

“If a data breach occurs today, businesses are almost certain to be subject
to defense costs even if customers have yet to suffer any immediate or
identifiable loss from the data breach,” says Richmond. “Once there’s a
breach, costs can mount rapidly.”

The fourth misconception: many firms believe they’re insulated from
financial consequences of cyber events because they outsource their network
security, data management and payment transactions.

Yet, according to the report, as the original data owner, a company
sustaining an attack will likely be named in third-party lawsuits and be
held liable in most jurisdictions. While a vendor agreement may contain
indemnification provisions, there may be caps on indemnification amounts
and exclusions for certain types of data breaches. Further, the vendor may
become insolvent, bankrupt, or simply not honor the agreement.

Cyber Coverage

“We’re working with customers now to continuously improve their front-end
protection; then, adding insurance to make sure that if something slips
through the cracks, the company has insurance to pay for it,” Richmond says.

With respect to insurance, Richmond recommends companies consider two
primary types of coverage for cybercrimes: a cyber liability/data breach
policy and a commercial crime policy.

Cyber liability/data breach policies can include third-party coverage,
first-party coverage, and media liability. Meanwhile, many commercial crime
policies can be structured to address certain cyber-related risks otherwise
not covered under a cyber liability policy, such as those involving certain
phishing scams and corporate account takeover.

Although many firms opt to structure cyber coverage as an endorsement to
their package policy rather than purchasing standalone cyber insurance,
Richmond says standalone policies usually have higher limits, fewer
exclusions, and are more comprehensive.

In choosing insurance, he suggests businesses work with an insurance agent,
get support from the company’s C-level executives, and take steps to
identify the firm’s risk and critical protection needs.

Richmond adds: “Start with the question: If a data breach happens, how
would your company pay for the damages? This should impel businesses to
assess their risks, shore up their risk management, and investigate and
purchase cyber liability insurance.”