AXA XL uses two forms of cookies on this site:

  1. to enable the site to operate and retain any preferences you set
  2. for analytics to make the site more relevant and easy to use

These cookies do not collect personal information. For more information about our cookie usage, please click here. To comply with EU privacy laws you must consent to our use of cookies.

By using this site, you agree that we can place these types of cookies on your device. If you choose to change your cookie settings you will be presented with this message the next time you visit.

Fast Fast Forward

Small Business, Exposed

Small Business exposed to cyber risks


For US-based consumers, it was a breach like no other. An estimated 147 million records were compromised when consumer credit reporting agency Equifax fell victim to a major systems breach in March 2017. At risk were millions of names, Social Security numbers, dates of birth, phone numbers, email addresses, and passport information. Additionally, nearly 209,000 credit card numbers and expiration dates were compromised.

Yet those numbers are small in comparison to how many identity record breaches have occurred in 2017 alone. Over 3 billion records were curated from an astounding 8.7 billion raw data records that were culled from nearly 3,000 different breaches. That represents a 64% increase in exposed data year over year.

The real issue, however, is the overall cost associated with data breaches. According to Equifax’s 2018 first-quarter financial report, the company has spent $242.7 million in IT and data security costs and related expenses on breach-related recovery activity.

While that may seem like an insurmountable amount, the Equifax event, so far, is not the costliest. That designation belongs to Epsilon, whose systems were compromised in 2011, exposing an unknown number of names and emails from 75 customers such as Capital One, Citigroup, Best Buy, and JP Morgan Chase. The cost to date: $4 billion.  On average, cyber-attacks and breaches cost US businesses $1.3 million per breach.

The Indiscriminate Risk
Despite attention-grabbing headlines suggesting cyber breach is a concern for the global corporations, there is no organization immune to cyber liability. Many small to mid-sized businesses have been targeted by cyber thieves, and there is no industry insusceptible to such attacks.  For example,  an elementary school lost or misplaced 151 enrollment records containing personal identifiable information of both students and parents;  A county government was hit by a crippling ransomware attack, bringing down its entire network, and the thieves demanded ransom in Bitcoin currency.
If a business collects and/or stores customer information, payment data, or personal health records, there is a data breach risk. In many cases with small to mid-sized businesses, breaches are not immediately detected. The longer breaches go unnoticed, the higher the number of records that are compromised could be.

The business financial losses are not the only losses to consider. The loss of customer trust and the hit to the business’s reputation can have a long-lasting impact. Still, far too many smaller business entities are going without cyber liability coverage. Why? Because too many businesses believe they are not at risk. In a survey of 2,500 small-business owners, 82% say they do not feel they are at risk for a data breach or cyber security incident.

In fact, 60% of cyber-attacks in 2016 were perpetrated against small businesses. That’s the same percentage of small businesses that go out of business within six months after an attack. Such attacks are costly – estimates run between an average $177,000 to $148,000 per occurrence for a small business. Those are costs that 90% of small businesses have not protected against.




In fact, 60% of cyber-attacks in 2016 were perpetrated against small businesses. That’s the same percentage of small businesses that go out of business within six months after an attack."


Yet cyber liability coverage, particularly for the small to middle market business, seems sized for the larger, multinational organizations. Limits often exceed what a smaller enterprise would need, and premium costs could, in some cases, outpace the exposure. While prices continue to fall in the standalone cyber liability coverage market, it still appears far down the list of priorities for the Main Street business owner.

Then there’s the matter of availability of right-sized coverage. Not all carriers and brokers offer cyber liability products. Even if they do, not all customers want or need a larger, standalone cyber product, and their brokers are unaware of any cyber liability products that could fit their customers’ needs.

Solution: The Cyber Endorsement
One solution is a cyber liability endorsement that attaches to the customer’s commercial general liability policy. For businesses that want protection from potential cyber events, yet are unsure whether a larger standalone policy is affordable for them, a cyber liability endorsement provides a good option to obtain coverage they need at a price that makes sense.
A cyber liability endorsement benefits smaller companies in a number of ways:

  • The cyber endorsement, attached to a commercial general liability policy, gives customers a more economical option for covering cyber events;
  • Coverage limits are lower than those for standalone products, which makes it a more affordable option;
  • A cyber endorsement is a viable starting point for smaller entities looking to gain cyber coverage without a larger financial commitment, and;
  • The endorsement gives smaller companies an avenue for mitigating cyber risks, including access to forensics, public relations, and legal expertise.

For brokers, offering a cyber liability endorsement delivers much-needed protection to business customers who might have to look elsewhere for such coverage. Because the coverage augments commercial general liability products, it can be easily added to an existing line of business.  Plus, a cyber endorsement gives standard insurance companies entry into the cyber market without the need to have underwriting and claims expertise in that area.

The Endorsement Up Close
When considering purchasing a cyber liability endorsement, or when looking to add such an endorsement to an existing product, industry experts suggest looking for a product that offers a broad network of breach response expertise. A cyber add-on product should include computer forensics, credit and ID monitoring, breach notification, call center support, public relations support, and legal support that comes with security and privacy expertise. Also important is access to 24/7 claims support.
Other coverage options to look for:

  • The option to choose up to 100% risk transfer;
  • Longer reimbursement periods for data or cyber breach incidents;
  • Unlimited reimbursement period for  loss of business income and extra expenses, as well as;
  • Coverage for outsourced providers, including third parties contracted to perform service on behalf of insurer.

Also, brokers and consumers alike should look for a product from an insurance company that has the expertise needed to help recover quickly from a data breach.

Because companies are unique, their cyber liability exposures vary in both nature and scope. Brokers and their customers should consider working with a company that offers an endorsement tailored to fit the business needs of their customers.

Procuring cyber liability coverage is now an affordable choice for small and mid-sized companies. Through a cyber liability endorsement added to a commercial general liability policy , property policy or other insurance policy, businesses can attain good essential cyber coverage without a large investment. For brokers looking to help their customers protect their businesses, a cyber liability endorsement delivers a valuable solution for relatively low cost.


About the author. . .

Katherine Walas is a senior underwriter and head of cyber operations for XL Catlin’s Cyber & Technology insurance team. She can be reached at  or at +1 860 948 1858.


© 2018 AXA SA or its affiliates
AXA XL is the P&C and specialty risk division of AXA.