I think I’m covered by my insurance policy for that…(pause)…you scramble and try to find your policy documentation.
It’s here somewhere. I’m sure I’m covered…I mean, I think we’re covered. I better make sure.
You email your insurance agent…wait for the declaration page. Try to sort it out line by line.
Give up, call them, and ask “We have business insurance, so we’re good to go if we have a breach, right?”
Insurance coverage can be confusing. And there’s an assumption that when you buy one policy, it covers anything that falls under the business. Cybercrime is likely not in there. Not only is it a relatively new issue, it probably is not covered by the policy that you have in place.
So, do you really need it?
Yes. And here is why.
You are a small to mid-size business. You know everyone at the office by name. They aren’t going to do anything to jeopardize your business and you know that they are all careful. Besides, you are a small accounting firm and just deal with local businesses – nothing that a hacker wants…they are going after the big guys.
Let’s say that one of your employees is going through her email and receives a link to update her word processing software. You don’t have an onsite computer department; the group that does your network and computer support has a weekly stop-in, but that’s not for a few days. Besides, she doesn’t want to incur any fees by calling them to find out if this is legit. It says Microsoft, so it must be OK. She needs to get a letter out today, so, wanting to be efficient, she clicks on the link to update the software so she can continue on with her work.
That email was a phishing email which distributed ransomware to her system. But she doesn’t realize this and keeps working, all the while entering more passwords and giving more and more access to hackers. The malware slowly spreads to each workstation at your office.
The next morning, you come in to find everything on lockdown, and you’re being asked to pay a bitcoin ransom to access any files. What’s Bitcoin? You ring your managed service provider to have them in to fix it, but they can’t get in until tomorrow. They have an emergency crew which will come onsite, but it’s going to be three times the normal hourly rate.
We could stop right here and you’re likely going to pay in one day more than you would have for annual cybersecurity insurance coverage. Unfortunately, the costs are just beginning to accrue.
Factor in the lost revenue from being unable to access your client records. You can’t ship, sell, or manage what you can’t see. Your customers need to run their own business, so they find another vendor. More lost revenue. This could go on for days. Those clients liked working with you, but they now have taken their business elsewhere and it’s working out fine, so they don’t return. When asked who they do business with, they tell this story. Is there a price to put on restoring a damaged reputation?
One week later, you’re still not back online. The ransom amount was unobtainable, and even if you could pay it, there’s no guarantee that it won’t happen again next week. You now have to get all new systems, spend the time to input all of the lost data (if you can find it), and hopefully salvage all of the lost business. Should we mention the investigation, the process of notifying your clients about what happened (cringe), and the required credit monitoring you need to offer in order to restore your business and good name?
Does that annual cyber insurance premium seem unreasonable now?