Part of being a small business owner is knowing the various costs that go into operations. While most are fully aware of their monthly expenses towards rent, salaries, office equipment, etc., the full cost of a cyber attack on business operations may still be largely unknown.
According to recent research by Insurance Bureau of Canada (IBC), only 31% of small and medium-sized business owners surveyed consider cyber security a financial priority, and 73% have cut back on what they spend on cyber security. However, recovering from a cyber attack may involve more costs than many small business owners may realize and could lead to sticker shock. In a 2021 IBC survey, 41% of small businesses that ever suffered a cyber attack reported that it cost them at least $100,000. Some of the expenses incurred after an attack may include recovering corrupted data, notifying and providing credit monitoring to affected individuals, forensic investigations and legal costs. What’s often even more stressful for business owners dealing with a cyber event is knowing what’s needed and where to turn for help.
Fortunately, with cyber insurance, many of these expenses can be covered, and you don’t need to face the risk alone.
Cyber insurance is a specialty insurance product intended to help protect businesses from loss resulting from data and technology risks such as data confidentiality breaches, technology disruptions and cyber extortion. It can provide value-added services to help you prepare for and manage a cyber incident.
There are also added benefits to obtaining a cyber insurance policy. For example, during the application process, an insurance representative may be able to help you identify security gaps, give advice and access to resources to help build cyber resilience as well as a breach response and mitigation plan. If an incident does occur, in addition to covering your recovery costs, your insurer may also connect you to approved expert resources, such as legal counsel and data forensics experts, to help identify your options and help restore your business.
If your business falls victim to a cyber attack, a cyber insurance policy can provide you with the support you need to protect your business. For example, consider the owner of a pharmacy, who gets a cyber policy because of the sensitive customer data she retains and has several staff members and vendors with access to the company’s network. As a small business owner, she has limited access to IT professionals and has incomplete knowledge about how to fully recover from a cyber attack on her own.
Unfortunately, six months after securing the policy, a new employee who had not yet received cyber training is tricked into opening an email attachment and it infects their network with malware. Hackers can access the pharmacy’s records, including the birthdates, addresses and health records of hundreds of customers. After she makes a claim, her insurance company advises her to hire experts to stop the breach, while preserving the evidence needed for a follow-up investigation. The insurer also recommends deploying a network and data forensics team who determine that critical client information was extracted.
While some personal records were leaked, the pharmacy’s systems overall are spared, and she can resume operations quickly after the breach. The cost of all these cyber security professionals, as well as recovering her systems and the costs of forensic and legal expenses would have far exceeded the owner’s financial resources. When the business owner was considering her cyber insurance options, she went with the most comprehensive policy that her budget would allow, therefore all of these services were covered. Furthermore, the insurance company’s roster of trusted service providers enabled her to speed up the process of securing the right professionals instead of having to spend precious time figuring out who she needed and then searching for qualified individuals within budget.
In the aftermath of a cyber attack, more unexpected expenses can still arise. For example, if customers had their information compromised in a breach, they may file a lawsuit for damages against the business for the breach. A comprehensive cyber policy could cover additional professional services for legal matters. This could also help recover the business’s reputation and regain customer trust.
A cyber breach is a complex event that few businesses can manage on their own. With a cyber insurance policy, business owners are still in the driver’s seat when it comes to decision-making, but the insurance representative can often assist with ensuring they have the right information and access to the right people. An appropriate cyber insurance policy might cover some or all the costs of a cyber incident, from prevention, to containment, to recovery.
All business owners should review their risk management strategies and their current commercial insurance coverage to determine if it addresses their level of cyber risk. Cyber Savvy Canada, by Insurance Bureau of Canada, offers a free 10-question self-assessment to help business owners learn more about the cyber security protocols that most cyber insurers want them to have and ways to reduce their business’s cyber risk. This assessment offers some questions that cyber insurers may ask. It also provides helpful resources such as a cyber insurance checklist, a template for a cyber security plan and a checklist of steps to help safeguard your business from cyber risk.
