Sep. 14—While cybercrimes such as data breaches and ransomware attacks are more widely publicized when large, nationally recognized companies are the victims, many small businesses are no less at risk.
According to a May report from Cybersecurity Magazine, 43% of all data breaches involve small and medium-sized businesses, while 61% of all small businesses reported at least one cyberattack during the previous year.
And when an attack is successful, it can harm a business beyond repair.
"It does put small businesses out of business," said Bill Woodworth, a senior account manager for Spotts Insurance Group and self-described "insurance nerd."
With the rise in businesses going digital in response to COVID-19 in the last year, Wyomissing-headquartered Spotts Insurance increasingly recommends either data breach insurance or cyber liability insurance — in some cases, both — to its commercial clients.
That's not as ludicrous as it might sound, either. In June, a cybersecurity professional told the Reading Eagle that buying insurance is the first thing he suggests potential customers do to protect their businesses from attacks.
The amount of insurance needed may vary wildly depending on how much business is conducted online and how much of customers' and employees' personal information is stored on networked computers.
Regardless of the size or location of the operation, though, Woodworth agreed it's a good idea.
"We have had some customers that had this happen to them," he said, recalling one example of a local business where systems were down for an entire week. "It can definitely happen in this area and to any type of business.
"Hackers don't care if you're big or small. From what I've heard, hackers like the small businesses because they're more willing to pay to get back up and running and generally don't have a huge IT department at their fingertips."
The different types of cyber insurance
At its 10 offices spread across southeastern Pennsylvania, Spotts Insurance offers two types of cyber insurance which cover two separate types of attacks — though other insurers may have different coverages.
Data breach insurance specifically covers situations when the personally identifiable information of customers or employees, such as credit cards, Social Security numbers, dates of birth, driver's licenses, bank account information or health information, is leaked or stolen from networks.
While a data breach doesn't impact business finances directly, huge costs can be incurred.
"The business then has a responsibility to notify all of their customers," Woodworth said. "They have to handle identity theft monitoring for all their customers. It comes with legal fees and defense. They have to pay to figure out how their systems got hacked. And, basically, they're covering their customers for that breach happening."
Cyber liability covers the business itself in the event of a website or network going down or a ransomware attack — hackers holding a network hostage for ransom.
"That's where they're actually covering the business for repairing the network, actual patent for the network, or potential business lost from the network being down," Woodworth said.
Depending on the insurer, cyber liability may or may not also cover phishing attacks — where hackers bait users into voluntarily sharing secure information via email by posing as colleagues or business associates.
"There's a slew of different coverages," Woodworth said. "We've been discussing it with basically all of our customers no matter what type of business they have and really determining what type of risk they have."
Should your business have cyber insurance?
Insurance for cybercrimes is not a one-size-fits-all product, so not every business is going to have or need the same level of protection.
A business that maintains any significant amount of personally identifiable information on a computer network with internet access — even if it's only employees — may want to think about data breach insurance.
And any business that is actively engaged in e-commerce in sales or even simply using an online computer network in operations could probably use cyber liability.
Yet, businesses that deal primarily in cash or check and don't store clients' or employees' secure information on networked computers may have little need for coverage.
"It depends on the customer's situation," Woodworth said. "There are definitely industries that need it much more obviously than others. We still have a chunk of industries that tend to not accept credit card payments or don't tend to get personally identifiable information.
"Mercantile business, those are the ones that really can get hit hard and are in need of this because of accepting credit cards and personal information."
Woodworth said he would still like to see more people opt for some form of coverage, however, noting it's "hit or miss" and up to a business to decide the level of risk it's comfortable with.
"I like to take more of an advisory role, talk through all of their different scenarios and help them make the best decision for themselves in ultimately determining how much insurance they need," he said.