small business data breachThe term “breach fatigue” has been used since 2011, which not coincidentally was the first of many years to be termed the “year of the breach.” Breach fatigue typically describes the phenomenon whereby consumers are so desensitized to the reality of ongoing and widespread data breaches that they no longer pay very close attention to the dialogue. These days, though, the term could also apply to small businesses and organizations that often feel so overwhelmed by cyber threats that they engage in very little, if any, preventative measures to get ahead of what they perceive is inevitable and out of their hands to prevent.

Consider the case of John Jones*, proprietor of a small sporting goods business with fifteen full-time and twenty-four part-time employees. John understands the risk of data breaches, but throws his hands up when asked about the security measures that he should be taking to protect his business and his customers.

Ransomware 101: What to Do When Your Data is Held Hostage

“If a hacker really wants to target my business, I can’t stop them,” he said. “I could make it more difficult for them, but that would cost me thousands of dollars [that] I don’t have. So to be honest, I just cross my fingers and hope they don’t bother with a little business like mine.”

Unfortunately, cyber crime is not limited to just large organizations, and attacks on smaller organizations are reportedly on the rise. According to Symantec’s 2016 Internet Security Threat Report, small organizations were the target of 43 percent of all cyber attacks in 2015. The report also noted an increase in such attacks over the past five years, “proving that companies of all sizes are at risk.”

What Steps Should Your Small Business Consider Taking Now?

Claire Smith* is a financial adviser with offices in two states. Her IT provider has installed up-to-date security measures for Smith’s business and performs an annual review of weaknesses that are then addressed and remediated. However, Smith admits that she also feels overwhelmed by cyber threats and is trying to balance those threats with the need to rein in costs.

“We take common-sense measures, including working with large, established vendors, but I don’t think there’s a silver bullet to protect businesses from hacking,” Smith states. “We do the best we can in a cost-effective manner, and then we cross our fingers and hope.”

Along with implementing the latest IT security measures, Smith has purchased a $1 million cyber insurance policy to protect her business and her clients—an increasingly common step taken by all size organizations to hedge against the risks of cybercrime. According to the 2016 Advisen report Mitigating the Inevitable: How Organizations Manage Data Breach Exposures, 64 percent of organizations have purchased a standalone cyber insurance liability policy as a part of their risk management strategy and use it to offset data breach costs including those associated with legal counsel, forensics, notification, and identity protection services.

However, not all cyber insurance carriers—or cyber policies—are created equal, and at present many other types of non-cyber insurance policies are in the throws of addressing cyber claims tendered for coverage under these other forms of insurance coverage. For example, traditional management and/or professional liability policies were never intended to provide fulsome coverage for cyber events such as hacking and malware attacks. As the Advisen report above reminds, purchasing cyber insurance is a positive, risk-mitigating step to take, but not necessarily a cure-all for data breach exposure in its entirety. Unanticipated gaps in coverage or applicable exclusions in many cyber and traditional, non-cyber insurance policies may leave organizations paying a large amount of breach costs out of pocket—and these costs can be significant.

Seek out cyber insurance carriers that are able and willing to customize policy terms and limits based on the specific needs of your organization. This, obviously, necessitates first assessing , analyzing and thus knowing what specific risks and exposure areas your organization has that should be addressed by cyber insurance coverage. Policy coverage details matter, such as whether first-party and third-party policy limits will be flexible enough to allow your organization to use your coverage to respond as necessary in the context of any given breach event. For example, one breach event may require extensive forensic costs to be incurred, whereas another may require a more significant expenditure on legal costs or public relations/crisis management. If the policy contains restrictions or sublimits as to how the overall policy limits may be used, that could impact the breach response effort and/or potentially leave your organization out-of-pocket for the response steps that you and your breach response team deem necessary for your organization?

It is also important to understand that while cyber insurance is designed to pay for some or all of what the policy will deem “covered” costs of a breach event (however the policy’s specific coverage trigger may be defined) cyber insurance is not in all cases necessarily designed to drive the overall breach response effort. If his business were breached, Jones said, “I don’t know what I’d have to do. I guess I’d call my cyber insurance provider and start asking questions.”

The next blog in this series will provide guidance on why it is important for organizations to evaluate for themselves – internally, holistically and in advance of a privacy/security incident or breach event- what specific breach response partners, service providers and vendors are the best “fit” for the organization.

*Names changed to protect confidentiality.

This discussion is intended for educational purposes only and should not be construed as legal advice or opinion with respect to any specific set of facts or circumstances. Consult a designated privacy counsel for advice or opinion regarding a specific set of facts or circumstances.

Ransomware 101: What to Do When Your Data is Held Hostage