Guest Blogger David Navetta - May 23, 2011
According to Verizon’s 2011 Data Breach Investigations Report, small to mid-sized merchants have become hackers’ main targets. Organized crime views such merchants as high-reward/low-risk targets.
These attacks are often costly causing significant financial stress for small & medium merchants. In Symantec’s 2010 SMB Information Protection Survey, companies reported that the average annual cost of cyber attacks for small and medium merchants was $188,242. Merchants of all sizes need to realize there is a high possibility of networks, Web sites and databases getting hacked; compromising personal and credit card information.
Types of expenses/liabilities of computer network breaches include:
- The initial damage caused by the hacker
- Cost to provide notice and credit monitoring of personal information involved
- Secondary liability expenses of actions by vendors, payment processors, customers & regulators
- Cost of cleanup.
Cyber liability coverage is a new area of the insurance industry. Major companies like Chartis, ACE, Beazley and Hiscox have been in the market for some time focusing on large companies. Most insurance companies are now offering cyber insurance coverage for small & medium merchants. The specifics of the coverage are addressed below:
Breach Notice Costs: This is for direct costs incurred by an insured to provide notice to individuals in the event of a security breach, as well as expenses to set up a call center and provide credit monitoring services. These costs involve a multiplier effect. For example, credit monitoring can cost anywhere from $10 to $200 per year, per person impacted by a breach. If one million individuals are at issue, costs could run millions. These costs also include attorney fees & forensic investigation expenses to determine the cause of a breach and whether notice is required under law.
Damages and Defense Costs: This provides coverage for information security, privacy breaches and technology professional liability. This element of the insurance plan is designed to provide coverage for damages & defense costs from lawsuits or claims related to a data security breach or an act, error or omission in the rendering of professional technology services (like data storage services). Some cyber policies also protect against the cost of regulatory investigations.
Merchant Service Provider Breach: With more merchant accounts outsourcing credit card processing to third parties, it’s important that a cyber policy provides coverage in case a breach happens to one of the insured’s merchant service providers. That will protect your company against many types of expenses. However, these policies are unlikely to provide any coverage for personnel hours expended internally to address the breach.
Crisis Management, Business Interruption and Data Restoration: This helps cover the costs for getting the network back up and running & restoring lost data. Public relations services may also be included to help restore the merchant's reputation.
Denial-of-Service Attack: If a merchant account or service provider, such as a web host, is shut down by a denial-of-service attack or other type of hack, some insurance policies will cover lost income and costs of repairing the network.
Cyber Extortion: In a case where a hacker decides to hijack your website, network or database, & demands money to restore it, a cyber extortion clause in an insurance policy can help to cover the settlement and the cost of hiring a security firm to track down the hacker.