Breach insurance: Not just for the big guys

Elizabeth Weise
USA TODAY
Being hit by hackers is worse than getting hit with a fire, earthquake or another natural disaster, business owners say. A survey done by the Ponemon Institute, an independent data security organization, found that 76% of business owners who've been hit by hackers rank it as high or higher than other insurable business risks such as natural disasters, business interruption and fires.

SAN FRANCISCO — A ruling last week by a federal judge that Target is on the hook for financial losses sustained by banks when it was hacked earlier this year is making companies of all sizes look at breach insurance with a new eye.

Cyberbreach insurance, which covers losses and costs due to hacker attacks on a company's computer system, is a relatively new type of policy. It was first introduced in the 1990s, mostly to cover computer failures at banks and Fortune 500 companies. In the 2000s it began to be applied to companies whose information had been hacked.

Today, as all types of companies move increasing amounts of their business online, it's something small- to medium-sized companies need to start thinking about.

Take the owner of a small rubber gasket manufacturer that Dan Hanson at Marsh & McLennan Agency, a customized insurance and financial services firm, spoke with recently.

The owner at first said he didn't have a lot of online exposure. But then he realized that his staff gets schematics from companies like GE and 3M in advance of products being released, and his sales staff carried these around on their laptops.

"If one of those got lost, that's millions of dollars in liability," Hanson said. The owner ended up buying a cyberliability policy.

How much the policies cost depends on several factors, including how large or small the company is, how much data it keeps and how good a job it has done of protecting it.

"We're seeing an average premium of about $2,500 per year," but it can go up to as much as $10,000 a month depending on the company, said Harris Tsangaris, a vice president at NFP Property & Casualty, an insurance brokerage.

The damage a cyberbreach can cause a company is starting to sink in, especially as the nation watches Sony Pictures Entertainment deal with a massive attack. Among companies hit by a cyberbreach, 76% say it's equal to or greater than a natural disaster or fire in terms of disruption, a survey by the Ponemon Institute, an independent privacy and information security organization, found.

There was a time when the courts said that a company's general liability coverage covered breaches, says Robert Sumner, a lawyer with Moore & Van Allen in Charleston, S.C., who specializes in data security.

The insurance companies complained, but the courts said, "Too bad for you, these poor people thought they were covered, so you have to pay," he said.

That's no longer true. Today courts hold companies responsible for the fallout from a breach, as Target is finding.

That still hasn't hit many small business owners, says Neil Ness, who specializes in insuring cooperatives for Farmers Union Insurance in Bismarck, N.D.

"Sometimes they tell me, 'I've got a general liability policy, so if I'm liable then that should cover it.' I tell them, 'Well, GLC only covers bodily harm or property — stealing someone's information isn't covered,'" he said.

Just 33% of small- to mid-sized companies have a cyberliability policy, a survey released last month by insurance exchange company Marsh & McLennan Agency found. In 2013 the number was just 16%.

Smaller businesses are especially vulnerable, said Ness. "That's how these hackers practice. They go after the little ones who aren't really paying attention."

For now, coverage is most likely to be purchased by companies in financial services, 88%, and health care, 53%. Both are federally regulated and have strict data security compliance standards.

Cyber-risks that might cause a company to take out such a policy include processing credit card transactions, holding employee records, having a website that collects personal information from visitors or holding client or customer information.

Every stolen record costs on average $188 to make whole, a survey by the Ponemon Institute found.

In some ways, just the process of getting the insurance is protective. It makes companies look closely at their risk. That includes things like who has access to what data, where data is stored and whether any third-party vendors pose a risk.

In the case of the $148 million Target breach, for example, hackers got in using credentials from a refrigeration contractor.

It's important to remember that cyber insurance actually is a bundle of several types of policies. Some cover lawsuits and regulatory claims, some cover the cost of investigation and repair, some cover notification and identity protection for customers whose information was taken, said Seth Harrington, a lawyer with Ropes & Gray in Boston who focuses on responses to data security incidents.

A company probably isn't going to be getting cyberinsurance from the same firm that provides it with general liability coverage, but an agent or broker can help find a policy that works, said Tsangaris.

No matter how small the company, being protected is important, said Sumner. No one wants to be in Target's shoes, with credit card companies coming after them to make up their losses.

"Probably an army of Visa lawyers is about the scariest thing you can imagine," he said.
