We Are Under Attack!!!

Once you’ve been hacked – it’s already too late. If your firm or business has not proactively taken the key steps to deal with your cybersecurity up front, recovering from a hack is expensive and time-consuming, and could cause irreparable damage to your business. For most larger businesses, cybersecurity has been a critical risk management challenge for more than a decade and significant resources are dedicated to preventing and, just as importantly, recovering from such attacks.

But what about smaller businesses, like small to medium-sized companies? Unfortunately, many such smaller concerns don’t realize how vulnerable they might be to a cyber incident and assume that “it can’t happen to us”. Sadly, if that’s what you think, by the time you read this article, it could be too late.

Just recently, a number of small businesses were reported to have been sued for failing to protect customer information from a cyber-attack. Stories like this can be found almost any week of the year. What to do?

At this late date, there are two primary concerns. The first is how to better protect confidential information from cyber bandits. The second relates to having proper insurance if such a breach occurs.

On protection, “best practices” for cyber security have evolved rapidly in recent years and become a cottage industry unto themselves. Basic items like:

  • password protection,
  • encrypting data,
  • recovery of frozen or lost information by building backup and redundancy into your systems,
  • training staff on how to identify suspicious activity, and
  • having up-to-date virus, spy and ransomware protection installed on computers and your systems

are just some of the essential steps you must take. Many firms no longer maintain their own servers and outsource data management to third parties on “the cloud”. If you do so, which is a perfectly appropriate strategy, make sure you review the contracts to properly shift risk and liability to the provider. One thing that should be considered is that many cloud-based providers locate servers in countries – like Uzbekistan and Belarus – that could be unstable geopolitically.

So, what is the risk when a breach occurs? While this area is still evolving, firms have been exposed to liability for negligence, breach of contract and trust, class actions, and possible claims under state and federal consumer protection and privacy laws; even the Federal Trade Act provides bases for claims. In addition, depending on the state in which you operate, there are specific duties to disclose to clients and customers the nature of the breach and what information might have been exposed, along with deadlines for such disclosure. You need to be aware of all of these requirements. The greatest risk is disclosure of personally identifiable information – e.g., social security numbers, financial data, medical records, credit card information, just to name a few.

The second thing you can do is procure appropriate insurance. Over the last decade, most insurers have scrubbed their general liability, property, and D&O policies to affirmatively exclude technology-related losses. Realizing that they had not taken into account the risk of cyber losses in underwriting policies in more traditional lines of business, but also recognizing new business opportunities, insurers now offer specific cyber insurance products. These policies cover such things as the cost to restore service, repair and replace damaged hardware and software, the cost to investigate the loss, costs related to complying with state and federal notification requirements, as well as some limited liability for lawsuits, business interruption, and other damage to property caused by the breach.

It is essential you discuss with your broker what insurance products best suit your needs. There are insurance products to address these risks, too.

What was once an exotic, ill-defined consequence of the information technology revolution is now a very real risk and business factor for ALL businesses. Don’t get caught with your “cyberpants down”.
