Ask any commercial business customer about their exposure to data breaches, computer attacks, and identity theft and most will reply that cyber security is not their major concern. After all, many believe data thieves “always hack the big guys, like Target or the IRS.”
In fact, these business owners could not be more misinformed. As reported by cybersecurity firm Symantec 1, cyberthieves have been increasingly targeting small businesses over the last four years. During 2015, almost half of cyber attacks worldwide were against businesses with fewer than 250 employees.
Cyber threats are real. Please refer to the information below to help your clients understand the importance of incorporating cyber protection into their Nationwide commercial insurance program.
Top 4 reasons small to mid-sized businesses need cyber coverage.
1. SMBs are easy targets due to weak security.
SMBs may think they don’t have information that cyber criminals want. Yet SMBs accept credit card payments, collect and maintain personal information on their employees and customers, have websites, and do online banking. These activities create opportunities for cyber criminals to obtain the type of information they are looking for. Cyber criminals understand that SMBs have fewer resources to invest in proper data protection and security controls, making them an attractive target. A survey commissioned by Nationwide of 500 small businesses in 2016 2 revealed that most small-business owners (78%) still don’t have a cyberattack response plan, even though more than half (54%) were victims of at least one type of cyberattack. About 60% of those who did experience a cyberattack said it took longer than a month to recover.
2. Value-added services are essential for SMBs.
Once a breach of personally identifiable information (PII) occurs, it is unlikely that the SMB will have an available team of resources to comply with various state legal requirements. Our members who purchase Data Compromise coverage will have access to a helpline staffed by experts to assist in responding to a data breach. States can require notification to affected individuals within a required time frame and by a specified method, plus credit monitoring offered at no charge for a specified duration. A call center may need to be set up to answer questions from the affected individuals and to assist in providing credit monitoring services. To further complicate matters, state breach notification laws are governed by where the affected individual lives, not where the SMB is located. So for any one breach of PII, several state laws may determine the appropriate response. Fines can ensue if a business fails to comply with these laws. Further, many businesses suffer a loss in productivity following a data breach because employees spend time dealing with the aftermath of the data breach instead of focusing on their job duties.
3. Breach notification laws can be triggered in other ways.
It’s not just about cyber criminals hacking into an SMB’s computer system. A lost or stolen laptop containing unencrypted sensitive information may trigger breach notification laws. Even sensitive information contained in paper files poses a risk. Thieves go through garbage in search of financial statements, receipts and documents with personal information, and an office that is burglarized may find paper files missing that contain tax records, bank accounts or Social Security numbers. The thief could even be a disgruntled employee. Data Compromise coverage will respond to expenses associated with the loss of third-party information as well as that of employees and owners. Identity Recovery coverage will apply to key individuals/owners and employees and their resident family members to give them further assistance should their identity be stolen.
4. Weak security and lack of controls can result in first-party and third-party claims.
In addition to having information stolen from it directly, an SMB can be a gateway for hackers to access the systems of its large suppliers, customers or banks. Such was the case with the Target Corporation breach, whereby hackers targeted a midsized HVAC contractor whose networks were directly connected to Target’s. Upon obtaining an employee’s credentials via a phishing email, the hackers used them to gain entry to Target’s systems, completely undetected. Cyber insurance is intended to provide defense and settlement costs for similar situations. A small to mid-sized business could also unintentionally forward a virus or malware to a supplier or customer, causing that third party’s website to go down and resulting in a loss of income for which the third party could bring suit against the SMB. With the purchase of cyber coverage from Nationwide, the business could be covered not only for a third party’s loss of income, but also for its own loss of income, as well as for any costs incurred to restore computer systems or data.
Ask our agents about policy updates to your business coverage.
1. Data Compromise
3. Identity Recovery
June 05, 2017
by John Connor