In the modern world, almost every business uses some type of network to store information- even if it’s as simple as housing their email. Even companies hosting their email with outside providers (gmail, yahoo, and other private email hosts) are at risk.
Many small businesses believe that the information that they have is not sensitive, important, or attractive to thieves. These businesses- no matter how low-tech they may think of themselves, there is probably sensitive information saved somewhere. Sensitive information includes any customer information.
A customer list in a spreadsheet, a mailing list saved in your contacts, and correspondence with a customer in your inbox: this sensitive information is everywhere. Now, the information that you collect and save may not be dangerous on its own, but stolen customer lists are popular targets for social engineering scams. Your customers could be contacted based on the information that is saved about them (age, location, name, relatives, etc). Adopting a position of authority, armed with some information about a target, a scammer can easily gain a victim’s trust where more sensitive information could be exposed.
Companies maintaining customer information over networks need to audit their network security systems and internal controls to protect this information. Additionally, companies may want to consider auditing their vendors and their vendors' controls for security to further protect themselves. Finally, companies need to consider purchasing cyber liability insurance.
As companies move more and more toward cloud computing, these risks only increase. The offer of having someone else maintain the security of your customer’s information may be tempting, but also not be ideal either. When choosing a supplier, question them about security policies including password strength, what information other clients typically save with them. Be sure to confirm if the data will be encrypted, how your company’s information will be isolated from other people’s data, and ask about additional steps you can take to secure the information stored with them. (Two Factor Authentication, login notifications, etc.)
Losses from cybersecurity breaches are significantly increasing.
State governments are increasingly tightening laws on cybersecurity. This includes making businesses responsible for notifying consumers of data breaches and placing fines on failure to comply. Cyber liability insurance can help protect businesses from these and other types of losses. Specifically, cyber liability insurance can help cover not just the repair of a company's network after a breach but also help cover loss of income during down-time. It can also help cover liability arising from privacy invasion lawsuits and the need to comply with privacy regulations.
For the unexpected, your business will need cyber liability insurance. You may think that your company’s general liability policy will cover data loss or theft. Be sure to confirm this with your agent. If you already have some type of coverage, be sure that it is complete.
Cyber liability insurance typically provides three types of protection:
This includes damage resulting from authorized users not having access to the system, service interruption of the network, and unauthorized access and destruction of third-party information.
This coverage will allow your business to keep running while working through a data problem. This could include being locked out, the data being inaccessible, and you damage someone else’s data or property.
Security breach coverage protects against the failure of a network to identify and authenticate the party user, failure to protect and secure data, and failure to protect against viruses and denial of service attacks.
If your account is hacked into, if an employee accidentally shares information, or if someone else damages the data, you will have coverage.
Privacy coverage exists to protect against claims made for failing to comply with regulatory requirements regarding the privacy of individual and confidential information resulting in third-party claims and the expenses incurred to comply with breach notification requirements.
If information is leaked, you will have a responsibility to your customers to notify them and protect their identity. You will need to determine a way to contact your customers. You may also have a responsibility to offer them identity protection services. This step may be required by law, but it may also be a good-faith gesture that your business does for your customers.