Written by David Castellon
These days, most every business uses a computer, from billing customers to storing client information to keeping personal information on employees.
And as principal and vice president of SBA Accounting and Tax Solutions in Fresno, George Leddicotte is acutely aware of how important it is to protect data from hackers.
“We need to do the best job we can to protect people’s information,” which means investing in security software and updating it regularly, ensuring that passwords are protected, making sure if employees leave the business they can’t still access the system and setting up redundancies and backup data, to name a few of the tasks, he said.
“And we have alert messages that say, ‘We think we’ve thwarted a suspected attack,’” sent by the protective software, said Leddicotte, who noted that such messages occur pretty much on a weekly basis, though hackers have yet to breach his security.
And while the list of data hacks among big companies has grown long — with some of this year’s big reported data breaches involving Arby’s, Saks Fifth Avenue, UNC Health Care, Kmart, Blue Cross Blue Shield/Anthem, Verizon, Chipotle and even the IRS — some in the tech industry say cyber attacks on small- to mid-sized businesses are growing more common.
Because of that and the liability businesses can face if their data is stolen and used to hurt their customers, clients or their own employees, the insurance industry has responded with “cyber” insurance plans that offer financial reimbursement and some other services to hacked companies.
Such insurance, sometimes called “breach insurance,” has been offered for about a decade, but the industry currently is making a big push to market it, as cyber attacks on businesses have become common, said Cliff Dunbar, chairman of the board and CEO of Visalia-based Buckman-Mitchell, Inc. Financial and Insurance Services.
“When client information is breached, the business has a responsibility to those clients’ privacy to protect them from the [stolen data] being used to hurt their financial stability and their credit ratings. There is the cost to identify and protect the usage of private financial information,” which can involve hiring credit check companies to monitor if anyone is trying to make purchases, obtain loans or do other things using the victims’ personal information, Dunbar said. “And that is a very expensive proposition.”
There is also the threat of fines from the federal government, in some cases, if businesses are hacked, and they can be worse if it’s found that the businesses took inadequate actions to protect their data.
And then there is the potential of lawsuits against businesses from the people and businesses damaged by data breaches. “A data-breached company not only faces the expense of complying with regulatory investigations and defending litigations, but also has to repair the leak,” notes an article in Metropolitan Corporate Counsel, an online legal magazine.
It noted that after the hotel chain Wyndham Worldwide Corp. was hacked three times between 2008 and 2010, and credit card information on 619,000 customers was taken — resulting in more than $1.6 million in false charges on their accounts — company officials estimated that the work just to comply with information requests by Federal Trade Commission investigators would have cost more than $5 million, the magazine reported.
“Couple those expenses with remuneration, potential FCC fines, remedial cyber defense measures, [Securities and Exchange Commission] filings, business disruption and reputational loss, and the data-breached company faces a hefty charge,” the article continues.
But the risk isn’t just to big companies.
“A lot of big companies are paying attention to cyber security and keeping their systems and servers secure from hackers. And a lot of the smaller companies are not paying attention to that,” said Rocky Pipkin, owner of Pipkin Detective Agency in Visalia, whose services include investigations of cyber breaches and thefts.
“In our humble opinion, eventually any business can be a target for a hacker,” whether it involves theft of data or ransomware attacks, in which businesses and individuals are locked out of access to their computer data, Pipkin explained.
“And the only way to get in is to pay the people who developed this ransomware,” said Frank Zellers, a computer forensic examiner and information technology consultant contracted with the Pipkin agency.
And these thieves aren’t just attacking firewalls and using viruses. Some of the most common breaches involve employees clicking on emails or visiting websites and social media sites they shouldn’t, which gives hackers alternate entry points into their computer systems.
And there are far less high-tech methods that include people calling businesses asking for Social Security numbers and other information on customers under the guise of needing it for legitimate reasons, said Leddicotte.
He noted that a client of his recently came in with what looked like an authentic IRS letter requesting personal information, but a call to the federal agency revealed it was bogus.
“A disgruntled employee is one of the highest risks for data breaches,” and the employer could face financial liabilities if clients and customers are financially damaged by ex-employees using that data for illicit reasons, said Jesse Molina, general counsel for FocusVision Worldwide, Inc., a Fresno technology company providing market research software and collecting data for several Fortune 500 companies.
With all these risks to business data, Dunbar said that obtaining insurance to help pay for some of the expenses makes sense.
The Insurance Insider online magazine reported in May that half of larger U.S. firms have some sort of cyber security insurance, but that data doesn’t include smaller businesses.
Dunbar said that while large businesses are buying cyber insurance in large numbers, among smaller and mid-sized businesses, “There’s still reluctance to spend the money on it.”
And while cost likely is part of the reason, another big reason is “They haven’t been touched by this yet. They think it’s the larger businesses like Target” being hit by hackers, he said.
“The reality is it’s happening more than people realize because it’s not news for a small to mid-sized business to be hit.”
Leddicotte has some provisions for cyber security breaches in his company’s general liability insurance, but not a separate cyber policy.
“I know that it is out there, but I have not seen much of a marketing effort to educate the small businesses about the pros and cons of that. I mean, I have good friends who are agents, and they haven’t come to me with that,” he said.
“And small businesses don’t have a clue about the costs.”
Dunbar said those costs can run about $2,500 a year for smaller businesses up to millions a year for big corporations.
He conceded that this type of insurance can be confusing, and his industry should do more to educate smaller businesses about it and the risks of cyber attacks and the benefits of cyber insurance.
In addition, Dunbar noted, “The insurance industry is increasing the availability of policies for small to mid-sized industry, and they’re starting to tailor them more to specific industries than they have in the past,” so a policy for a restaurant, which takes a lot of credit cards, could be different from a jewelry store that might have fewer customers.
“The advantage is to spend your money where the risk is for your entity,” and some policies may contain extra features, which can include money to pay for marketing to help a business repair its reputation if a breach of its system becomes publicly known, he said.
“You need to call your broker and ask him to educate you on what claims are possible for my industry and my company in particular,” as well as what liabilities a company could face as a result of a data theft.