Cyber liability: Small business, big exposure

With a threefold increase in attacks on businesses with under 250 employees, agents must protect their clients

By Elisabeth Boone, CPCU


Do you think that cyber criminals target only giant retail chains and mega-banks?

Think again. According to security software developer Symantec's Internet Security Threat Report 2013, companies with fewer than 250 employees were the target of 31% of all targeted attacks in 2012, up from 18% in 2011.

The report notes: "While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less careful in their cyber defenses."

Therein lies the rub, says Todd Cusano, E&O product manager at Business Risk Partners (BRP), a managing general underwriter that specializes in professional and management liability. A lawyer by trade, Cusano came to BRP from Darwin/Allied World, where he used his legal background to underwrite lawyers professional liability coverage.

"Cyber attacks on large corporations or governmental bodies grab the headlines, but in recent years cyber criminals have shifted their focus toward small and mid-sized businesses," he says. "The statistics reported by Symantec are truly startling, and I believe they point to the future of cyber crime and cyber liability."

Cashless economy

Cusano agrees with Symantec's conclusion that smaller businesses are less likely to have strong cyber risk management controls in place. One reason, he suggests, is the rapid transition from a cash economy to one that is virtually cashless.

"Not so long ago, on a Friday night you would get cash from the ATM and use it to buy a pizza and movie tickets," he says. "Now you use your debit or credit card to order the pizza and tickets online. As the economy has undergone this shift, so have the processes used by small businesses. As cash goes the way of the dinosaurs, the modern economy is operating on massive amounts of data flowing through cyberspace. For small and mid-sized businesses, adapting to this new reality creates risks they may not be aware of and therefore can't defend against," Cusano explains.

"A cyber criminal doesn't have to go after a huge corporation in order to reap huge rewards."

-Todd Cusano, E&O Product Manager

Business Risk Partners

"As a result, smaller businesses often are easy targets for cyber thieves because of weak or perhaps even nonexistent security measures," he continues. "Small businesses typically don't have a dedicated risk management professional, much less a risk management team. For cyber criminals, this is like a thief finding an unlocked car. An unprotected network almost begs for a cyber attack."

What's more, he notes, a small business with an unsophisticated and unprotected network can be a training ground for cyber thieves who are honing their skills to prepare for bigger attacks. "Smaller systems are a good place to start if you're a cyber criminal—and they also may be connected to larger systems or larger companies," he points out. "Through mergers or acquisitions, smaller companies become part of larger companies, and their networks offer the cyber criminal both practice and access."

He suggests another reason that smaller companies are being targeted by cyber thieves. "When a big company is hit by a cyber attack, it immediately becomes headline news. Some cyber attackers seek publicity by hitting big targets like huge corporations and government bodies." For criminals who want to shun the glare of publicity, he says, smaller and mid-sized companies are easier targets with less risk of discovery.

A company doesn't have to be in the Fortune 500 to possess data that is attractive to cyber criminals, Cusano comments. "A small or mid-sized business may have information that is more appealing to a cyber attacker than data from the obvious large targets," he explains. "A smaller company may have intellectual property that is extremely valuable, and its system may be more vulnerable to attack than those of large companies. A cyber criminal doesn't have to go after a huge corporation in order to reap huge rewards."

Big banks and retailers are obvious targets for cyber attackers because they store and process vast quantities of credit and debit card data and personally identifiable information (PII). (The U.S. General Services Administration defines PII as "information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.")

Here again, Cusano points out, smaller companies may be more attractive to cyber criminals because they often lack security controls to protect their data. "An attacker can fly under the radar and be in and out of the system before the company realizes it's been hit," he says.

Can we talk?

To help small business clients manage their cyber liability risks, agents and brokers must understand each client's exposures and be aware of the coverages and strategies that can address those exposures appropriately.

That's a tall order, Cusano observes, and presents many challenges to agents and clients alike. Chief among them, he says, are conflicting terminology in this emerging segment; lack of standardization in policy language, coverage, and endorsements; and a confusing variety of risk management approaches.

"Agents need clear definitions of cyber terminology, and they also need to know how to discuss cyber protection that is appropriate for small and mid-sized businesses," he asserts. "Agents must know the right questions to ask to assess the client's exposures and determine the level of coverage required."

The term "cyber," Cusano says, "is used as a prefix to define activities and situations that have evolved as a result of technology. We commonly hear terms like 'cyber criminal,' 'cyber activist,' and 'cyber squatting.' But we don't have a generally accepted definition of the term 'cyber' or the myriad of industry-specific cyber terms that are used in policies."

The lack of uniform terminology can be a minefield for agents and their clients, Cusano points out, because carriers often define cyber terms differently. "Even if the same word is used from one policy to the next, it likely has different meanings. For example, a key reason that a business buys cyber liability insurance is that it covers the costs of notifying customers and others of a data breach. In almost every policy, this coverage section is called Notification Costs. But how a particular policy defines that term can have a significant impact on the scope of coverage."

Although he doesn't have a solution for this confusing lack of standardization in policy language, Cusano suggests a starting point. "Often the term 'cyber liability' is used as a catchall to describe technology E&O policies and stand-alone data breach/privacy policies because both of those policies contain some cyber elements," he explains. "The two policies, however, are quite distinct from one another. This is a simple distinction, but I think it's an important one.

"For example, a software developer needs a technology E&O policy to cover liability exposures that arise from the provision of software products and services," Cusano says. "In contrast, a company that does not develop or market technology, like a clothing retailer, does not have a technology E&O exposure. Instead it has exposures related to the acquisition, storage, and transmission of customer data, meaning credit card details and other personally identifiable information. So a clothing retailer needs a data breach/privacy policy."

Two kinds of exposures, two kinds of policies—the distinction seems clear cut. Not so fast, Cusano warns. "Where the lines begin to blur is when a technology company creates tech-based products and services and also stores and transmits customer data. A software developer that uses personally identifiable information needs both technology E&O and data breach/privacy coverage," he explains. "The company may purchase two separate policies, or it may buy a technology E&O policy with built-in coverage for privacy and data breach exposures."

Coverage solutions

Business Risk Partners serves more than 30 classes of business in the technology arena, including service providers that specialize in hardware and software design, maintenance, and installation; telecommunications; computer forensics; data entry and management; Web site design; call centers; and more.

BRP offers technology E&O with built-in data breach/privacy coverage for tech service providers in the classes listed above. For small and mid-sized companies, BRP offers stand-alone data breach/privacy coverage. Both policies are underwritten by Liberty International Underwriters (LIU), the specialty lines division of Liberty Mutual Group. The policies are available nationwide to privately held companies with a per-claim limit up to $5 million. A deductible credit of 50% is offered for claims that are resolved through mediation.

The policies cover legal liability and direct loss, including first-party expenses for costs associated with a data breach. LIU offers a suite of loss mitigation services and a first responder program that gives the insured a single point of access to the variety of services that are required in the event of a breach. Among these services are crisis mitigation, forensics, and legal services. In addition, the insured is contacted by a privacy and security advisor who will explain the services and how to take advantage of them. This is a key feature for small and middle market companies that may not have the time or resources to invest in a comprehensive program of risk control.

As technology continues to transform the economy, the seasoned underwriters at Business Risk Partners have their fingers firmly on the pulse of emerging exposures and the tools to help smaller companies reduce their vulnerability to data breaches.

For more information:

Business Risk Partners

Web site: www.BusinessRiskPartners.com


©The Rough Notes Company. No part of this publication may be reproduced, translated, stored in a database or retrieval system, or transmitted in any form by electronic, mechanical, photocopying, recording, or by other means, except as expressly permitted by the publisher. For permission contact Samuel W. Berman.