There are three widely accepted methods for addressing liabilities identified by a risk assessment, examination, or audit. You can take steps to limit your risk exposure, which is called mitigating the risk. Another option is to simply accept the identified risks as a cost of doing business in your market, referred to as assuming the risk. Finally, you can purchase insurance or receive indemnification from a vendor to cover the liabilities, known as transferring the risk.
Small businesses, in particular, should seriously consider purchasing fairly priced liability insurance as opposed to simply accepting the risk. Large corporations can much more effectively weather the expenses and possible liabilities of a lawsuit, which could be devastating to a small business. Insurance companies are more readily prepared to defend you in a complex and rapidly changing field like cybersecurity, and they can draw on a wealth of industry experts to do so. In addition, the very fact that you purchased such insurance shows that you are taking the cyber threats associated with your business seriously.
What Does Cybersecurity Insurance Cover?
While this is an understandable question for most small business owners, the answer is slightly more complicated than you would expect at face value. Like traditional business insurance, cybersecurity insurance coverage depends on the type of policy you purchase. Each type serves a different purpose, and purchasing the wrong policy can leave you with significant liabilities.
Types of Cybersecurity Insurance
There are three significant types of cybersecurity insurance, and we'll discuss each of them in more detail below. They are:
- First-party coverage
- Liability coverage
- Technology errors and omissions, or E&O insurance
First-party coverage is a type of insurance policy that protects your small business if you suffer a cyber attack on your network or devices. It typically provides for the cyber incident investigation, loss of revenue, and future risk assessments, and some policies even cover ransomware or cyber extortion payments. These policies also commonly cover notifying affected customers and providing services such as credit monitoring for them.
As the average cost of the investigation, treatment, and business recovery of a data breach is estimated to be $3.86 million, this is not an area that you can afford to overlook. It's a rather sobering statistic to realize that over 60% of small businesses go under within six months of a cyber incident. A high percentage of these policies also cover costs for public relations and crisis management specialists to assist you with moving your business forward through these trying times.
Liability Coverage or Third-party Coverage
Liability coverage is similar to first-party coverage in that it covers data breaches that occur on your network or devices. This third-party coverage kicks in when another party is damaged due to such an incident and decides to file a lawsuit against you or your business. Attorney fees, regulatory fines, and awarded damages or settlement awards can be devastating for a small business owner. Cyber liability insurance is designed to address those costs on your behalf up to plan limits.
Technology Errors and Omissions Coverage
This category of insurance is geared more toward tech companies. E&O insurance helps protect your company if a program you have written or sold, or a service that you provide, results in a breach of a third party's system and a loss on their part. This type of insurance policy is an absolute necessity for anyone providing technology as a product or service. These losses aren't otherwise covered by other types of cybersecurity insurance or general liability insurance.
With any of these various insurance policies, it is critically important that you speak with an insurance broker familiar with the cybersecurity insurance space to get an accurate assessment of what type of policy your small business would benefit from. If you so much as store customers' personal information on a computer system, you need to evaluate your need for cybersecurity insurance. As important as it is to stay healthy while running a business, it is equally important to account for the health of your business model to ensure its continued operation despite emerging cyber threats.
Important Policy Options
While we covered most of the standard topics included in the majority of policies above, there is a wide range of options that can be added to your policy based on the specific risk profile facing your business. In our opinion, one of the essential options to add is digital media coverage. This can cover losses that arise from civil complaints of slander, libel, trademark infringement, and many other matters when they are based on content found on your business's website, social media platforms, or other digital advertising.
This next item is not generally an additional option, but it is something that you should verify is included in your policy. Lost or stolen devices that are unsecured or later breached by a criminal are a vital area of coverage. If it is not included in the insurance quote, you should seek out the cost to add it, as this is one of the easiest ways to fall victim to a cybersecurity incident.
Some insurance companies with specialized coverage in the cybersecurity field offer an exciting add-on that includes training for you and your employees. It may be a separate option, but many agencies provide this access with certain types of cybersecurity insurance or higher levels of coverage. This is a significant benefit, as the single best way to protect your business is to make sure that your employees are well trained on cybersecurity best practices. The most effective way to handle a data breach is to provide adequate training to prevent one in the first place. Some options even include a 24/7 help desk and incident response services.
How Do You Choose The Correct Policy?
This has been a lot of information so far, and it's understandable if you're feeling slightly overwhelmed at this point. It may seem like the sheer number of options on the table is never-ending, and that's without considering specialized policies for businesses in the healthcare space, legal field, or those with other specific cybersecurity concerns.
As a small business owner, your best bet is to leverage the subject matter experts at hand. Many insurance companies offer a cyber risk evaluation before providing you with an official quote for your policy. This may be a detailed on-site risk assessment, or it could simply be a series of questions posed by an agent. Either way, your best bet is to undergo one or more of these processes and compare the insurance quotes and evaluations that you receive to see which policy offers you the best combination of coverage, options, deductibles, and rates. This also lets you see whether the coverage levels offered to you are similar, so that you don't end up overspending on an unnecessarily large policy.
Is Cybersecurity Insurance for Small Business Owners Really Necessary?
As we mentioned above, cyber liability insurance is even more critical for small business owners. Some cybercriminals actively target small businesses as they are assumed to have more lax cybersecurity protocols. This leads the criminals to believe that they are more likely to succeed in obtaining something of value from a small business and that their likelihood of being caught and prosecuted is significantly lower.
For these reasons, you must consider cybersecurity insurance as a small business owner. The access to investigative and incident response personnel alone could be worth its weight in gold should a breach or similar incident take place. If you're interested in other valuable small business tips, you can subscribe to our EMA newsletter to keep up to date on small business trends and information across all markets.