How Much Cyber-Security Should a Small Business Invest In?
Small businesses face a risk of cyber-attack equal to or greater than that of most larger businesses. The average small business records electronic data about its customers but typically does not employ the same sophisticated cyber-security protections that large businesses can afford. Hackers exploit these weaknesses, both to compromise customer data held by small businesses and to use small business data systems as stepping-stones to hack into the data systems of other companies that do business with the smaller company.
Small businesses can procure cyber liability coverage to protect themselves from the financial losses that result from cyber-security breaches, but few of those businesses have any basis for calculating how much cyber-security liability coverage they need. Calculating that number is a matter of understanding the small business’s information and its information systems, assessing how much that information is worth to the business, and estimating the damages that a small business would face if its information is compromised.
Understanding Information and Information Systems
Small businesses often hold far more information than they realize. In addition to customer and vendor contact and financial records, a small business retains employee records, including employee health and financial records if the small business has a self-funded healthcare plan and retirement plan. Trade secrets and intellectual property are the lifeblood of many small businesses, and that information can be exposed and destroyed in a cyber-attack. A small business can install cyber-security defenses in its information systems, but those defenses are limited. A sprinkler system will minimize damage from a fire but it will not prevent the fire in the first instance, and a small business will still need fire liability insurance. Likewise, cyber-security defenses only minimize damages from a data breach, and cyber liability coverage will provide compensation for losses associated with the breach.
Assessing What the Information is Worth to the Business
Small business owners know that some of their physical assets have a mission-critical value and other assets are more readily replaced. The same is true for data assets. Owners can assess the value of their data by categorizing different types of data as high, medium, and low-value electronic assets. High-value electronic data is any information that would have a catastrophic effect on the business if it were lost or compromised. Medium-value data would have a serious effect if lost or compromised, but that loss would not signal the end of the business. A small business can then focus on procuring cyber liability coverage for high and medium-value electronic records.
Estimating Damages Due to Loss of Electronic Data
A 2014 analysis of the costs of an organizational data breach indicated that small businesses that held fewer than 100,000 electronic records suffered between $3.2 and $5.9 million in losses from a single data breach. Not all of those losses are amenable to cyber liability coverage, however, and insurance for elements such as lost business and customer acquisition costs will not be available. Another 2014 study segmented losses by industry sector and suggested, for example, that the average insurance payout to a large company that suffered a data breach was $2.9 million. That study also showed that the average payout for companies in the healthcare sector was $1.3 million. A 2015 Verizon study suggested that the average loss for a business that holds 10 million records is between $2.1 and $5.2 million.
Small businesses can refer to these and other studies to determine their own cyber liability coverage needs. Cyber-security insurance is a relatively new area of risk protection and most small businesses will benefit from the assistance that cyber liability coverage specialists can provide. These consultants can help small businesses identify their vulnerabilities to cyber-attacks, recommend the best tools to minimize attack risks, and find the right insurers that can provide the right amount of cyber liability coverage to insulate a small business against the worst potential losses from those attacks.