Data breaches are a growing concern for today’s businesses. While large companies are often the ones that make headlines when they’re breached, small businesses are just as susceptible.
To combat this problem, business owners can take out insurance for the customer data they store, and this could be an incredibly valuable line of coverage because small business data security practices aren’t always the best. Independent agents, then, are in an interesting position where they can advise business customers on ways to protect company data — even though it may seem a little outside the agent’s jurisdiction.
Here’s how you, as an independent agent, can initiate these conversations, how you should approach talking to business customers about securing sensitive data, and how you can back up those security protocols with a line of coverage in case the worst happens.
Paint a Picture of the Current Data Security Landscape
To begin, it’s helpful to give small business owners a basic understanding of the issues they’re up against.
Nearly half (43 percent) of cyber attacks target small businesses, says technology writer Michael Guta. The main reason they’re more vulnerable is that they tend to lack the knowledge, resources and IT infrastructure of their larger counterparts. At the end of the day, cyber criminals usually go for the low-hanging fruit and will target the companies they perceive as being the most lax about cybersecurity.
So far in 2019, 36 percent of small businesses have fallen victim to a data breach, according to cybersecurity company Kaspersky. So theoretically, an average small business has just over a one-in-three chance of encountering a data breach during the course of a year.
Another unsettling trend is the increasing number of data breaches. A total of 783 data breaches were reported in 2014, but there were 1,579 reported in 2017 — more than double, writes Julian De Groot at data loss prevention software company Digital Guardian.
Some business customers may have the misconception that cyber criminals only go after major organizations. But that’s simply not the case. A data breach can happen to nearly anyone, and this is something they need to be aware of. While you shouldn’t use fear tactics when explaining this to customers, it’s important that they have a clear understanding of what’s going on and how the overall threat level is rising.
Discuss a Business Owner’s Risk
Your customers should also know about the consequences that can result from a data breach.
“A full 41 percent of small businesses said they were hit by a breach that cost them more than $50,000 to recover,” explains technology writer Lance Whitney. “Further, almost 30 percent of the consumers surveyed revealed that they would never return to a small business that suffered a breach, up from 20 percent two years ago.”
So it’s a double whammy where a data breach is both costly from a financial standpoint and detrimental to a company’s long-term reputation. And unfortunately, 60 percent of SMBs that suffer an attack end up closing their doors within six months because they can’t recover from the losses, notes Dror Liwer, cofounder of cloud security company Coronet.
One of the biggest factors that determines risk level is a company’s industry. The five most at-risk industries in 2019 are healthcare, tourism, the public sector, retail and finance, writes the team at threat protection software provider Ekran System. These are all industries that tend to collect and store a lot of customer data.
The data most prized by hackers is personally identifiable information such as a customer’s full name, social security number and bank account number. This is because it paves the way for identity theft and banking fraud, according to the team at data privacy company CloudMask. Thieves also seek out a business’s intellectual property, legal information and proprietary information, which can be used for commercial purposes to achieve a competitive advantage.
Another major factor in a company’s risk level is how much technology it uses. For instance, a company heavily reliant on cloud storage and the Internet of Things would be at a greater risk than a company that primarily stores documents offline and uses very few devices. Beyond that, any business that sells online, stores digital customer information and communicates with customers through email, text or social media has at least some level of risk, says business trial lawyer Gregory Boop.
Perform a Risk Assessment
Looking at the industry a company is a part of and the amount of technology they use is a good first step in determining where a company is at. But to truly gauge their needs, it’s crucial that you perform an in-depth risk assessment.
“It’s up to the retail agent to assist in identifying their exposures,” writes Frank Tarantino, program manager of Charity First Insurance Services, Inc. “For example, do they keep credit card data on file, along with addresses and phone numbers? A determined hacker could infiltrate their computer system and obtain information on hundreds of customers, leaving the business at risk.”
Patrick Nohe, editor-in-chief of cyber security news publication Hashed Out, elaborates on the six steps that should be taken when performing a risk assessment — a process outlined by the National Institute of Standards and Technology. They are as follows:
- Identify threat sources. Threats can come from hackers, malicious insiders or accidental negligence by employees.
- Identify threat events. These are events that can lead to a data breach such as finding publicly available information used to support an attack or installing malware.
- Identify vulnerabilities. This includes any areas that can be exploited and whether controls are in place to mitigate such an event.
- Determine the likelihood that attacks would succeed. Rate the chances of attacks being carried out.
- Identify potential impact. Examples include disrupting a business’s operations, harming their assets and damaging their reputation.
- Determine the risk posed. This means factoring in the likelihood of a data breach event and the impact it would have on the company.
After going through these steps, you should have a pretty clear idea of what a customer is up against and the extent of their coverage needs.
Explain What’s Covered with Data Breach Insurance
At this point, you should fill a business customer in on exactly what they’ll get by purchasing this type of coverage. “As with other insurance policies, data breach coverage can have first and third-party provisions,” explains technology journalist Chris Brook. “First-party meaning coverages pertaining to the insured organization itself, and third-party meaning coverages for affected parties outside of the organization.”
Chris Murray, president of Caitlin Morgan Insurance Services, points out that some first-party expenses typically covered include business interruption costs, cyber extortion reimbursement and the money it costs to notify customers who have been impacted by a breach.
Third-party coverage pertains to lawsuits from individuals who sue over having their personal or financial information leaked, as well as the fees that come along with helping customers recover lost data.
Given the costly nature of data breaches and the fact that more than half of the companies that suffer one eventually go out of business, data breach insurance can be a smart investment. Although many customers might be reluctant to purchase another policy, the premiums are fairly minimal when you consider the massive out-of-pocket expenses that can arise if a data breach occurs, writes enterprise risk analyst Rachel Sonia.
Help Customers Choose Optimal Coverage
Assuming a business customer meets the criteria for data breach insurance and is interested, it’s your job to help them find the right solution at the right cost. As with buying any other type of insurance policy, those who are at a high level of risk will want to purchase more comprehensive coverage, while those at a lower level of risk can probably get by with more basic coverage.
In terms of annual premiums, most small businesses can expect to pay somewhere between $1,000 and $7,500 in 2019, says insurance and finance writer Virginia Hamill.
However, very basic policies like a cyber liability add-on from Travelers can be found for as low as $150 per year. While it only offers $25,000 in coverage, it’s something that can make sense for extremely low-risk companies. On the other end of the spectrum, there are far more robust policies available with coverage that goes all the way up to $2 million.
It really just boils down to sitting down with a business customer, identifying their risk level and figuring out exactly what they’re looking for. As long as you’re on the same page, you should be able to find a suitable policy that will protect them even in a worst-case scenario.
How to Support Small Business Customers Who Are Susceptible
Over six million data records are either lost or stolen every single day, says data breach statistics database Breach Level Index. That equals 69 records a second.
Unfortunately, it’s not a problem that’s going away any time soon and will likely worsen as technology becomes a bigger and bigger part of business operations. But as an independent agent, you can help safeguard your business customers in the event of a data breach.
By knowing how to broach these conversations, make insurance coverage understandable and assess a customer’s risk level, you can ensure they’re in good hands regardless of how serious cyber threats become.