A data breach can be crippling to a small business.
The average cost of a corporate breach increased 15 percent in the last year to $3.5 million, according to the Ponemon Institute, a Michigan-based private research group.
With large cyber breaches continuing to make headlines weekly, more companies are considering cyber insurance policies to protect against financial fallout.
"Cyber insurance continues to be the fastest growing type of insurance today," says Rick Betterley, president of Betterley Risk Consultants Inc., a Sterling, Massachusetts-based risk management consulting firm that publishes an annual cyber/ privacy insurance market survey. Nationally, businesses are expected to spend around $2 billion on cyber insurance premiums in 2014, up from $1.2 billion last year, according to Betterley.
The insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption and network damage, according to the Department of Homeland Security.
"The initial demand for this product was driven by larger corporations," explains Robert P. Hartwig, president of the Insurance Information Institute, a Manhattan-based industry trade association. "It began to move down to mid-size corporations, and eventually it will make its way down to smaller and smaller businesses."
That's what Steven Browne, president of Insureatech Agency in New Hyde Park, a broker for cyber liability insurance, is banking on.
Last year, he started Insureatech as a separate division of Sachem Insurance Agency, because he saw breaches becoming more prevalent in the news. "We saw a big need for it," says Browne, who works with about six insurance carriers including Travelers and Hartford.
Many businesses think it won't happen to them, or that their general liability coverage will protect them. But general liability typically covers physical loss or damage, not the data side, he explains.
Cyber insurance can cover liability incurred by the insured, including defense and settlement costs, remediation and response costs such as customer notification and credit monitoring, costs related to regulatory fines and penalties and in some cases credit card fines and penalties from card issuers, according to Betterley. It can also cover loss of business income post-breach, adds Browne.
These costs can add up.
Pam D'Apuzzo, president of RR Health Strategies LLC, a health care consulting firm in Uniondale, recently took out a cyber insurance policy. The company provides consulting to clients including private health practices, hospitals and teaching facilities, and routinely reviews medical records for compliance.
D'Apuzzo noticed more clients putting language in contracts asking if she had cyber insurance. "At some point what I'm doing now proactively will become a requirement from our clients," says D'Apuzzo, who worked with Insureatech to secure the policy. "I think we'll be ahead of the curve."
Even though she takes necessary security precautions when dealing with sensitive data, she wants to makes sure she's protected. "This added layer of cyber insurance is an extra safety net for me," says D'Apuzzo.
And as more breaches make headlines, more smaller firms will likely follow suit.
"Demand is picking up," says Marc Schein of Chernoff Diamond & Co. LLC, a benefits and risk management advisory firm in Uniondale. "Two years ago, people weren't even speaking about this."
Now about 15 percent of the firm's clients are purchasing cyber policies, he says. "Companies have come to realize it's not a matter of if they're going to get breached, but when they're going to get breached."
Products vary, so work with a broker to understand your risk and coverage needs. Premiums generally run $2,000 to $5,000 a year depending on the industry and company size, estimates Browne.
As part of the process, insurers will do a risk assessment and make recommendations, Hartwig says. "It's not simply pure insurance," he notes. "It involves elements of prevention."
Browne partners with outside cyber-security consultants to perform risk assessments. "We want to make sure certain systems are in place and they're protected," he says, adding insurers after the fact may not cover a breach if the insured was lacking in some of these protections.