Beazley, an Insurance Company recently issued a press release on the threat to business from Cyber Crime. Their perspective supports those of the leading IT Security researchers.
Beazley quote some interesting research to support their release:
- According to a survey by the Identity Theft Resource Center ® of 226 security breaches(1), 44 percent of the victims in the first half of this year (2011) were businesses with assets of under $35 million, which lost in aggregate 3.6 million customer records.
- Verizon’s 2011 data breach report of 759 occurrences conducted in collaboration with the US Secret Service shows 63 percent of last year’s breaches involved organizations with no more than 100 employees.(2)
Beazley state that most small businesses currently go without insurance coverage due to a variety of misconceptions about the scale of the risk and the scope of their existing insurance protections.
Jamie Orye, an underwriter who manages the US Private Enterprise/Small Business Technology team for Beazley, said: “Cyber criminals view small businesses as easier targets than their larger, more technologically sophisticated counterparts. They have limited resources to protect themselves, and with more modest incomes, these small businesses have more to lose.”
Among the misconceptions frequently relayed to Beazley underwriters by small business owners or their brokers are:
- The cost of responding to impacted clients is simply a postage stamp per breached record.
- Our information is well-protected by our IT consultants.
- Our employees would not act maliciously and know how to protect our data.
- Security breaches are covered by our general liability policy.
Orye urges small business owners to talk to their brokers to ensure their coverage extends to cover notification costs, which general liability insurance typically does not. Notification costs can be heavy as they must meet the standards prescribed by a bewildering array of state and federal laws.
Firms should also have resources available to conduct proper forensic investigations to ensure they notify clients only when needed.
Orye gave a recent example of a professional services firm that had their server hacked. The firm spent $100,000 on notifying clients that their sensitive data – such as social security numbers – might have been exposed. However, the firm later discovered none of the exposed data fell into this sensitive category.
“Firms should also realize they may not be off the hook for a breach just because their data storage and management needs are outsourced. They will need to find out if their IT service providers are covered for data privacy issues,” said Orye.
Beazley’s Reasearch Sources:
(1) The IDentity Theft Research Center can be found here. The quoted research was from 7/5/2011
(2) Verizon Research PDF can he found here.
Beazley’s website can be found here.