We have all heard it’s not a matter of if your organization will face a data breach, but when it will. Many people with bad intentions across the globe are looking for ways to get rich quick by defrauding organizations. Meanwhile, an organization’s most valuable assets, its people, fall prey to these bad actors.
Information At Risk and Related Costs
What are cybercriminals interested in? Almost everything. A recent study of insurance claims for incidents indicates the following data was at risk:
As reflected above, personal information such as social security numbers, birth dates, bank account information, credit card information and addresses tends to be highly sought after. Identity theft of individuals and businesses is the main goal for cybercriminals.
In 2018, the average breach cost was $604,000. These costs were spent on crisis services ($307,000), legal defense ($106,000) and legal settlements ($224,000). Crisis services consisted of forensics, credit monitoring, notifications, legal guidance/breach coaches and other related expenses.
A sample data breach calculator is available online through eRiskHub for you to perform your own calculation of a potential breach to your company’s data.
Industries at Risk
Small businesses and large businesses alike are all at risk. Cybercriminals see the value in attacking small companies with thousands of dollars available just as much as penetrating large businesses with millions of dollars. The insurance claims study identified businesses with revenue under $50 million to be the targets 49 percent of the time. Companies with less than $2 billion in revenue accounted for 85 percent of the insurance claims.
The following industries reported the most incidents for insurance claim purposes:
Data Breach Mitigation Tools
These criminals have stepped up their phishing, spoofing and social engineering game and have made it more difficult to distinguish fraud from reality. From nefarious business email addresses posing as business owners to ransomware, cybercriminals are working hard to deceive others. External threats are trying to penetrate your organization on a daily basis, and their plan often involves compromising your people and your computer networks. Knowing this, you should be considering how to mitigate your cybersecurity risks.
Many organizations of various sizes have been considering the following mitigation tools over the past several years:
Proactive cybersecurity assessments are important in order to identify weaknesses and opportunities to strengthen your organization. In addition, it’s helpful for organizations to have a formal incident response plan in place should an incident occur. Why? Because when an incident occurs, you don’t want to have a third party come in blind. Being responsive to an incident is critical, and clearly documented plans spare responders from first having to gather the information technology background they need.
When it comes to mitigating cybersecurity liability risks, doing something is better than doing nothing. In a perfect world, your organization would implement and execute proactive and reactive cybersecurity plans. However, resource limitations are a factor, and organizations must consider insurance products to offset accepted risks.
Cyber Coverage Insurance
Odds are, if you have cyber coverage insurance, you may not know what is and isn’t covered. For example, do you have cyber liability business interruption coverage? In a 2018 survey of cyber insurance market trends, businesses were most interested in purchasing cyber business interruption insurance. Business interruption insurance covers the loss of income as a result of a disaster such as a data breach. It is important to note that not all cyber insurance policies include coverage for related business interruption.
The same can be said for extra expense coverage. This commercial property insurance coverage allows for covering additional expenses incurred above and beyond normal operating expenses. This type of coverage is critical when an incident occurs, as your organization will incur additional investigative, legal and crisis management expenses.
Other cyber-specific coverages can include:
You will also want to ensure your errors and omissions insurance covers data breaches to protect you from third party lawsuits.
In addition to what your cyber insurance may or may not cover, you will want to have discussions with your insurance contact regarding:
By better understanding your insurance coverage and possible premium reductions, and by having your incident team assembled, your organization will be positioned to immediately address an incident.
Businesses Purchasing Cyber Coverage Insurance
The 2018 survey of cyber insurance market trends identified that small (less than $50 million in revenue) to medium-sized businesses ($50 million to $1 billion in revenue) were driving the growth of cyber insurance. The following industries represented the majority of the new purchasers of cyber insurance:
Drivers for Purchasing Cyber Coverage Insurance
Motivation for purchasing cyber coverage insurance is like fashion; buyers make decisions based on what they see in the news. The 2018 survey found news of cyber-related losses to be the number one driver of businesses purchasing cyber insurance. Other motivating factors included experiences of cyber-related losses and requirements by third parties such as a customer.
Holistic Approach to Mitigating Data Breaches
Your business produces and runs off data, and it’s imperative that you keep this information secure. The goal of your organization should be to identify, implement and execute methods to protect this data at all times. This strategy should include proactive and reactive measures as well as insurance to mitigate the inevitable.
Are you confident your cybersecurity investments are adequately protecting your organization?
About Eide Bailly
Eide Bailly, a top 25 CPA firm, provides professional and emergency response services related to mitigating and detecting data breaches. The Fraud & Forensic Advisory team at Eide Bailly is ready to assist organizations with their incident response investigations, cyber coverage and business interruption insurance claims.