Midsize businesses face sizable cyber risks
A perfect storm of cyber risk is brewing for middle-market businesses, and many of them are unprepared.
News headlines tend to emphasize data breaches at big multinational corporations and health care entities that expose millions of records, but studies show that smaller organizations account for the majority of cyber claims. Cyber risk assessment firm NetDiligence, in its 2015 Cyber Claims Study, found that 71% of claims came from organizations with less than $2 billion in revenue. The majority of claim payouts were due to notification and credit monitoring, forensic, legal and regulatory expenses.
Large organizations have more resources to devote to technology security and cyber defenses, and therefore are becoming somewhat more difficult for hackers to crack. So where do cyber criminals look to exploit weaknesses and hone their skills? Easier targets, which means they are looking at midsize and small organizations. Many middle-market executives mistakenly believe their firms aren’t large enough, or don’t hold the kinds of data, to attract cyber criminals. With fewer resources, smaller IT security teams and greater interest from cyber criminals, middle-market businesses are facing a comparatively greater level of exposure.
There’s a lot of value at risk in this segment. Middle-market businesses collectively are an engine of economic growth, accounting for one-third of U.S. jobs and contributing nearly as much in private-sector gross domestic product, according to the National Center for the Middle Market. The center defines the middle market as businesses producing revenues between $10 million and $1 billion, and counts more than 200,000 of them in the United States alone.
Even if a cyber incident does not physically disrupt a midsize business, the costs associated with forensic investigation and breach notification can be a shock. The effect on the balance sheet may derail the organization’s plans and result in the loss of jobs and/or customers.
According to the Ponemon Institute, the average cost of a single breach in 2015 was $3.5 million, and organizations lost $1.57 million in business, on average, from each breach. Part of the cost involves investigation and remediation. Forty-seven states have breach notification laws, and businesses cannot simply ignore those requirements if they have a data breach. Notification, forensics and related services are expensive to obtain, especially after a cyber incident occurs. Very few, if any, organizations have the in-house ability to address the legal, regulatory and technology issues that arise from a data breach. Outside expertise is almost always recommended and required.
Consider this example: A law firm with 25 lawyers and a relatively broad set of practice areas, including corporate litigation, suffers a data breach that exposes confidential information from hundreds of clients. The firm has legal expertise, certainly, and may be able to address the notification requirements and pursue recovery from a responsible party, if one is identified. But the firm likely does not have in-house staff who are experienced in computer forensics and data discovery, or crisis management experts who can help mitigate the law firm’s reputational damage. Professional liability policies typically do not respond to litigation triggered by data breaches and exclude immediate crisis management costs such as notification and credit monitoring, forensics, and public relations. The firm could well have to pay hundreds of thousands of dollars in costs arising from the incident. Regardless of the type of business, a cyber incident can cause tremendous stress and threaten the life’s work of its founders or partners.
What can a middle-market business like the above law firm do? It can invest in strengthening its IT security to reduce the risk of a breach. But companies of all sizes continue to experience cyber-attacks, so the risk can’t be eliminated. Cyber liability insurance, for almost all organizations, is a valuable solution. Cyber coverage provides a lot of value, not the least of which is the inclusion of expert services at below-market rates and stress relief for beleaguered business owners.
Partnering with an experienced cyber liability insurer can be one of the smartest purchases a midsize company can make. When an incident does occur, a single phone call to a hotline can activate a response plan with a team of experts in multiple fields, including claims, and provide financial resources so that the business can focus on doing what it does best. Cyber insurance, while not an all-encompassing solution for a lack of preparedness, can provide peace of mind; for a middle-market organization, it can mean the difference between staying in business and closing its doors.
About the Author
Richard Schulz is a vice president and underwriting manager in XL Catlin’s Cyber and Technology group. Before joining XL Catlin, he underwrote a broad spectrum of media, technology, privacy and network security risks for a global insurance company.