Like all modern businesses, construction firms depend on electronic data, including contracts and credit card numbers. Emails contain potentially sensitive information, cruising the internet can leave you vulnerable to viruses, and new technologies mean new opportunities for cybercriminals to steal information or make trouble. From mom-and-pop companies to large corporations, the threat of damages from cybercrime is as real as that of physical crime.
Damage from cybercrime, however, is far more extensive – and expensive. According to the U.S. National Cyber Security Alliance, 60 percent of small businesses fail after a cyberattack.
Cyberinsurance covers a business's liability for a data breach that results in the private information of the company or its clients being exposed or stolen by a hacker. While this insurance cannot prevent cybercrime from happening, it covers many of the expenses.
Who needs cyberinsurance?
It's easy to see the headlines about data breaches for big corporations and think your construction business is too small for hackers to bother with. In truth, 30 percent of all data breaches happen to companies with fewer than 250 employees, and another 31 percent to companies with fewer than 2,500 employees. If you store sensitive information, such as Social Security numbers, credit card information or proprietary company data like patents, then you may want to consider cyberinsurance.
Is cyberinsurance worth the cost? Consider a 2015 study that determined the cost of a data breach runs about $200 per exposed account. The costs include notifying your customers who may have had their data exposed, making restitution and putting in new defenses. The Ponemon Institute study suggests that the average cost of a data breach is $6 million, but keep in mind that includes attacks on major corporations as well as small businesses.
These damages are not covered by standard liability and property-casualty policies, which usually deal only with physical events. Cyberinsurance, on the other hand, deals with information theft and loss.
What does cyberinsurance cover?
Because a data breach can cause damages to your employees and clients in addition to your company, the expenses – and hence the coverage – are wider ranging. In general, cyberinsurance covers these six main areas.
- Business interruption: Losing income if your network is down as a result of the attack
- Reaction: Hiring a forensics investigator to find the flaws in your system and determine the extent of the damage; hiring a lawyer to advise you on your legal obligations
- Notification and customer relations: Letting all your customers know about the breach; offering the potential victims credit monitoring services
- Damage repair: Fixing the causes of the data breach, such as integrating a new program, getting a patch for current software or conducting employee training; hiring a public relations expert to handle negative publicity
- Fines: Paying fines if the data breach is the result of not following government regulations on securing data
- Lawsuit: Paying defense and settlement costs if you are sued because of the data breach
Some cyberinsurance may also cover expenses you incur from errors in the performance of your software, damages caused by copyright or patent infringement, or a data breach by a physical cause, such as employee error or someone finding private information in files tossed in a dumpster.
While cyberinsurance covers a wide range of damages and precautions that come as a result of a data breach, it does not cover the softer expenses, such as damage to your reputation, loss of future revenue, improvements in your internal technology or the loss of value of your own intellectual property.
What should you look for in a cyberinsurance company?
First, look for the same qualities in a cyberinsurance company that you would in a regular insurance company: good customer service, a strong reputation, a good balance of coverage and price, and agents who investigate and pay quickly. Also, be sure that the agency treats cyberinsurance on its own terms and not just as an addendum to a general liability policy. Any cyberinsurance policy should cover the key factors listed above.
In addition to a policy that covers the most common expenses associated with a cyberattack, look for a company whose agents understand the technology and evolving threats. Coverage has changed radically in the past few years in response to the changing threats and impact. With the growth of technology, such as cloud services and hacking schemes, there are more ways to fall victim. You want insurance that keeps up with the changing landscape.
Find an insurance company that can help you avoid being attacked in the first place. Many cyberinsurance companies have agents to help you assess your threats and suggest ways to protect against them. Some have online resources such as white papers and blogs to help your IT staff keep up on the latest concerns.
Questions to ask
- Do they assess your threats? A good cyberinsurance company takes time to understand the threats to your industry as well as assess your individual company's risk. After all, a small construction firm with a limited clientele does not pose as tempting a target as a regional retailer with an active online store.
- Do they take your current precautions into consideration? If you have strong cybersecurity practices in place, such as employee training about protecting sensitive information, password protocols and programs that guard your electronic assets, then you may get discounts for being a lower risk.
- How does making a claim affect your premiums, and what can you do about it? Most insurance companies increase your premiums after a claim because they deem you a greater risk. However, in the case of a cyberattack, it's likely a company becomes a lower risk because the actions it takes to plug the leaks make it less likely to face attack in the future.
According to the Insurance Information Institute, the number of data breaches continues to grow each year, with at least 500 million in the first half of 2016 and damages amounting to at least $1.5 billion in 2016. While large corporations get the most attention, small businesses are also at risk. Just like any insurance, cyberinsurance is a regular expense but could save you thousands or millions of dollars – and potentially your business – if you ever fall victim to a hack or data breach.