Smaller, private companies have just as much reason to fear security breaches as larger corporations — perhaps more if they don’t have the budget or resources to devote to preventing hacking attempts, according to speakers during a panel discussion at Advisen’s recent Management Liability Insights Conference.
“If you were going to rob a store, are you going to go after Toys “R” Us, knowing they’re going to have better cybersecurity, or to the mom-and-pop shop?” said Richard Bortnick, senior counsel with Traub Lieberman Straus & Shrewsberry. “If you’re going to go after the big public guys, you’re going to have to go through a real endeavor.”
David Lewison, financial services national practice leader at AmWINS, agreed, citing the risks that cyber extortion and reputational harm present to smaller companies that might look attractive to hackers. Private companies might be more willing to pay an extortionist to go away, he suggested.
“If I’m a hacker, I’m going to fly under the radar and keep taking money from somewhere no one’s paying attention,” he said.
Risk of Loss
What do private companies stand to lose in the event of a data breach? Short answer: everything, according to Chad Hemenway, managing editor at Advisen, who moderated the panel on why directors of private companies should be concerned about cyber risks.
Jeff Grange, president of specialty insurance at QBE North America, asserted that companies fall into three categories – those that are hacked, that have been hacked, or that will be hacked. Everyone is vulnerable, he said, but the stakes are higher for small businesses. Grange cited the private businesses along New York City’s seaport that are still recovering from Hurricane Sandy.
“These are small businesses, the vanguard of the economic recovery,” he said. And in most cases, small businesses are increasingly dependent on technology services provided by third parties.
“Their vulnerabilities are your vulnerabilities,” Grange said of third-party vendors.
Lewison also noted that the data breach at Target has been widely publicized, but the hackers accessed the system via a smaller HVAC vendor working with the retail giant.
Bortnick noted that many small private organizations don’t have the budget for cybersecurity or cyber insurance – a problem that will come back to the board of directors in the event of a problem. A business could find its finances in trouble, or its regulatory compliance called into question by a growing number of federal and state agencies.
Help from insurance
The panel agreed that for companies that do opt to buy cyber insurance coverage, other cybersecurity and risk issues can also be addressed.
Lewison noted that the industry has developed threat assessment programs, risk management portals, mobile applications and more to help insureds. However, many businesses simply don’t understand or don’t see the need.
“Any broker in the room that’s selling cyber liability is frustrated, because we do the math on the number of records that could be lost,” he said. “We look at all the expenses you pay out in the first three weeks and think, ‘What’s wrong with you? How come you don’t see it? How come your board doesn’t see it?’”
Grange commented, “The vast majority of private companies are uninsured today. They’re non-buyers.”
A broker attending the Advisen event asked the panel to comment on whether brokers should be selling differently, highlighting the value-added services rather than limits and coverage.
Bortnick advised use of the rarely used services, noting that he gives a free hour of consulting to his broker clients.
“Avoidance is as important, if not more important,” he said.
Grange urged the insurance industry to develop a product that will truly appeal to private companies and address their total risk.
“I can’t tell you over time the number of insureds who’ve said, ‘Insurance is less and less relevant to me,’” he said. The current cyber offerings only cover a portion of their risk. The premiums being collected for cyber insurance, relative to the coverage and services offered, are not sustainable, either.
“Somebody has to come forward to model this business, if we want to provide a solution that covers more than 5 percent of our customers’ risks,” he concluded.