According to a recent survey conducted by CNBC, 56% of small business owners are not concerned about the prospect of being the victim of a cyber-attack; yet, 28% of respondents indicated they have a cyber response plan in place and only 26% carry cyber insurance. Perhaps news coverage of cyber events, such as the Colonial Pipeline or CNA Insurance attacks, has contributed to the impression that small businesses are not in hackers’ crosshairs given the extreme ransoms extracted from major corporations. However, according to data published by Verizon, small businesses comprise 43% of data breach victims; meanwhile, hacking activity has surged with the expansion of remote work during the pandemic.
Our previous article on Data Privacy Liability explored what is and is not covered by a cyber insurance policy. As a builder, you may be under the impression that, since you do not store your customers’ sensitive information on your computer server, you do not need cyber insurance in place. Do you have a website? Do you conduct business over email? Do you rely on a computer for design, estimating, and invoicing? If you answered yes to any, or all, of these questions, you may be the target of a cyber-attack. While cyber insurance was developed to address the third-party costs associated with data breaches, modern policies include coverages that go beyond the scope of liability.
Let’s take a look at two less commonly discussed claim scenarios: ransomware and social engineering. Ransomware, in general terms, is when a hacker infiltrates a computer system and threatens to shut it down, release or destroy proprietary or private data, or otherwise renders a computer system unusable until a ransom, ranging from the thousands to millions, is paid to a malicious actor. Meanwhile, social engineering is a term used to describe attackers posing as a trusted source to trick victims into providing sensitive information and/or payments. Both ransomware and social engineering schemes are often conducted over email. Many consumers assume they are able to easily detect phishing attempts and virus-infected emails; but, while you may still receive the occasional email from a benevolent prince in an exotic locale, hackers have developed sophisticated techniques that are successful at fooling the untrained eye. One of the more common social engineering examples our office sees involves hackers masquerading as our insureds’ vendors and ultimately tricking them into making payment on a fraudulent invoice, or posing as an internal colleague soliciting a seemingly normal payment via wire transfer. While some data breaches are obvious in the moment, many can go undetected for months at a time; that, and the possibility that a hacker is able to convincingly imitate a colleague or vendor after extensive study of their emails, speaks to the fact that a real-world data breach that has negative consequences is much less farfetched.
A properly structured Data Privacy Liability policy can provide much-needed relief if you are the victim of a ransomware or social engineering scheme. Don’t wait until your data is being held hostage from a Moldovan basement to review your cyber insurance – you may be surprised at the relatively low cost of coverage, especially compared to the cost of an uninsured cyber-attack.