We’ve all been notified by a company we patronize that our personally identifiable information (PII) has been hacked. It can be a real headache for us customers.
(PII can include customer names, birth dates, Social Security numbers, driver’s license numbers, credit card numbers, bank information, and more. In the case of healthcare businesses, add medical records to the list.)
But when you’re the business that has been hacked, there can also be tremendous impacts.
This apparent breach of trust can cause customers to take their business elsewhere, for one, which can affect the bottom-line.But more importantly for the hacked business, they are obliged to remedy the situation by notifying all the people affected, which can incur a hefty cost. There can also be legal penalties and fines from the government, particularly when healthcare information is involved.
On top of that, the affected customers have a right to claim compensation if they suffered material or non-material damage. More money out of the hacked business’s pocket…
And even if you use a third-party provider, like a payment processor, and that company is hacked, your company is still liable because your customers provided their sensitive data to you.
Then there are things like ransomware, in which hackers threaten to release your data, shutdown your website, or block access to your systems, essentially hold your company hostage, until you pay… the ransom.
Take, for example, the famous Colonial Pipeline case from a couple years ago. This company operates the largest refined oil pipeline in the U.S. and its smooth operation is an important component of that industry, if not the U.S. economy itself.
That’s why it was so serious when a ransomware gang, using a compromised password purchased on the dark web, to gain access to the Colonial’s systems and steal data that impacted the company’s billing operations. This caused Colonial to shut down the pipeline, causing fuel shortages and a price spike. The federal government even declared a state of emergency around the issue.
In the end, Colonial paid $4.4 million to get their data back.
Finally, sometimes hackers can even gain access to and drain your bank accounts…or even point your receivable to their own accounts instead of yours. They can steal valuable IP… The list goes on of ways cyber crime can impact your business in a serious way.
Every Business Is Vulnerable to Cyber Crime
You might believe only large retailers or Fortune 500 companies need to worry about cyber crimes like hacking or ransomware. But the truth is that any business that is connected to the internet is vulnerable to cyber crime. And hacking is a “growth industry” that impacts more and more businesses each year.
- Cybersecurity Ventures expects cybercrime to cost a collective $10.5T worldwide by 2025 – that’s up from $3T in 2015. This takes into account lost productivity, stolen money, theft of IP, theft of personal and financial information, reputational harm, and the cost of restoring hacked systems.
This makes hacking and similar activities more expensive than natural disasters – and more profitable than the illegal drug trade.
- IBM estimates that currently the average cost to businesses for fixing a data breach is $4.35M. And it could easily reach $5M.
- In the case of PII, the average cost to your business is $225 per each stolen confidential record.
- All to told, cyber security experts believe that 30,000 websites are hacked daily, and 64% of companies globally have experienced at least one cyber attack.
A very disturbing part of cyber crime – and part of the reason it is so widespread – is that these criminals don’t have to be master hackers. These days there are hacking kits of software and other tools for sale that allow just about anybody to launch cyber attacks.
That means you need to take steps to protect your company and its digital assets and systems. Having a robust cyber security protocol in place is important, of course.
But you must also prepare for the possibility of being hacked. And the best way to do that is with cyber liability insurance.
The Insurance You Can’t Do Without in Today’s Always-Connected Age
As with many things in life, you get what you pay for when it comes to cyber liability insurance.
It’s also important to note at this point that one type of company is particularly vulnerable to cyber crimes: midmarket acquisition targets. These startups are flush with cash. And, as startups, they often don’t have the level of cyber security necessary to fend off these attacks. This makes them attractive targets to hackers.
A potential Buyer is going to sniff this out during their due diligence at best. At worst, you could be hacked before you ever get acquired… which might take you out of contention for acquisition.
Many of these smaller companies, many of which are in tech, figure they can sidestep these scenarios by buying cyber liability insurance. They figure their cyber security is good enough.
That’s a good first step. But buying a cheap, off-the-shelf insurance policy is simply not enough. There are significant gaps in coverage and significant restrictions in what the insurer will pay out on.
Again, Buyers will see these gaps and shy away.
That’s why I recommend that after you get your next round of funding beyond seed, that you commit to getting a robust, broadly worded cyber policy. And you need more insurance than you probably think, with at least a $5M limit of liability.
That’s because by the time the company is acquired, you are going to be worth significantly more than you are today. And also, it is very difficult – and expensive – to upgrade later. That’s because if you had, say, a $1M limit policy and then tried to increase it to $5M, Underwriters will see this as a big red flag. In fact, they may even think that the policyholder is hiding something…
So, it’s important to get as much coverage as you can from the outset. But it’s also key to get broader coverage rather than the do-it-yourself policies you find online. Broader – and, yes, more expensive – policies will cover things like ransomware, social engineering cyber crime, and more… things that off-the-shelf policies simply don’t cover.
With these broader policies, insurance companies will figure out ways to circumvent hackers and unlock your system in case of ransomware attacks. They also provide risk mitigation services, such as back-ups of your systems, as well as background checks and security checks on your networks and systems. In the case that you do have to pay the ransom, insurers will pay it for you.
Finally, having this coverage in place makes you that much more attractive an acquisition target. M&A Buyers these days are very concerned about cyber security risks. And when you can point to a robust cyber liability policy in place, it’ll give them a good feeling.
But it doesn’t stop with the standard policy. Buyers are insisting these days on cyber liability tail coverage. This means the Seller’s cyber policy will run for at least two to three years post-closing. And that’s generally not available with off-the-shelf cyber insurance products.
With the tail coverage you have extra time to make claims for acts that happened after the retroactive date in your policy – but before the end of your policy period.
The extra protection tail coverage provides is indispensable in cyber liability. That’s because the impact of hacking and other cyber crimes can take a long time to become evident—long after an acquisition and the standard cyber liability coverage has ended. And in a case where a Buyer discovers their new company has been hacked soon after they bought it, while they’re still learning the ropes, so to speak… that Buyer is on the hook to clean up – and pay for – the mess if they didn’t require the former owners to secure Cyber tail coverage.
It can be difficult for companies that have never had cyber insurance to get tail coverage as well.
But there is a workaround. However, it takes someone who knows how to make it happen and who is experienced in this area to secure a tail policy for cyber liability insurance.
I have such experience, and I’m happy to help you navigate the process of not just finding the right cyber liability coverage for your business but also tack on a tail policy as well.
Please contact me, Patrick Stroth, for more information and potential insurance options for your specific needs at pstroth@rubiconins.com.