How much will a data breach cost you? Why even small businesses should consider cyber liability insurance.
All the news you hear about business security hacks comes from the big companies—remember the Target breach from late 2013 and the Home Depot hack a year later? So what does that mean about safety for a smaller business?
Cyber crooks don't really care about the size of the business. If there is money to made by hacking into a business, they're ready and willing to strike.
If your venture accepts credit or debit cards or electronic funds transfers or collects Social Security numbers, you're sitting in a dangerous spot, regardless of size. In fact, some hackers may focus on smaller businesses, using the theory that the breach could take longer to discover without a dedicated IT department monitoring transactions.
How much can a data breach cost? The big ones cost big bucks.
Related Article: Does Your Business Insurance Cover Cyber Attacks?
The Big Target
According to Fortune magazine, hackers attacking Target stole 40 million payment cards and 70 million other records, including email addresses and phone numbers for customers. The expense of cleaning up all that was about $252 million.
Even with insurance payments, tax deductions, and other mitigating factors, the Minnesota-based retailer lost more than $105 million.
The Strike Against Home Depot
The hardware retailer reported losing 50 million customer credit card numbers and email addresses during its hack, according to Fortune. That turned into an estimated $43 million in pretax expenses to remedy the situation. That expense was partially offset by $15 million from its insurance provider.
So your company, obviously, operates on a decidedly smaller scale than those massive retailers. That doesn't mean, however, that you aren't vulnerable. The Ponemon Institute reported last year that 43 percent of all companies had suffered a data breach.
In fact, nearly 90 percent of breaches affect small businesses, according to e-commerce technology company First Data. The average cost: more than $36,000, First Data said.
The Role of Cyber Insurance
As devastating as the Target and Home Depot attacks were, it's worth noting again that they could have been much worse for both if not for their insurance hedges. While Home Depot, as mentioned above, recovered $15 million of its loss through insurance, Target recovered $90 million from its coverage.
The bottom line: Those losses seem staggering, but they reflect a very small percentage of the annual revenue of each company.
That wouldn't be the case, of course, for a smaller venture, where a $36,000 loss easily could devastate its finances.
Cyber risk policies typically cover both your business' losses and your customers' losses, including some legal costs, up to your policy’s limit.
One warning: Because of the youth of the cyber liability insurance industry, policies can vary widely. If you're considering coverage, talk it over with your agent to make sure you know what you're buying.
Right now, many companies continue to take the risk that they won't be one of the 43 percent of companies that suffer data breaches each year. Less than 20 percent of all large companies carry cyber liability policies, and fewer than six percent of small businesses have it.
According to the Internet Crime Complaint Center, the following states were the most vulnerable to cybercrime in 2014.
- California, with 12.5 percent of the incidents reported to the ICCC.
- Florida, 7.6 percent
- Texas, 6.9 percent
- New York, 5.9 percent
- Pennsylvania, 3.3 percent
- Illinois, 3.1 percent
- Virginia, 2.9 percent
- New Jersey, 2.9 percent
- Washington, 2.6 percent
- Ohio, 2.5 percent
Related Article: Cyber Attacks & Data Leaks: Do You Need Data Breach Insurance?
What It Costs
All this leads up to the big question: How much does it cost?
The answer, of course, is difficult to pin down. It depends on the size of your business, your level of exposure, and many other factors. Even smaller health-care businesses, for example, can expect higher premiums than some small companies because of the sensitivity of the information they keep.
In general, however, you can count on paying between $12,500 and $15,000 per year for $1 million worth of protection. If you don't need that much coverage, and few small businesses do, you could expect to pay less.
Don't judge the value of a policy just by what you pay, however. Remember those huge losses that could occur—again, it averages $36,000 for small businesses—weigh that against the nearly 50 percent chance of suffering a breach, and you might see those premiums in a different light.
What you spend now, in other words, could be much less than what you would spend later. It's up to you to decide if you want to take that gamble.