But there are many important differences between large and smaller companies when it comes to cyberinsurance needs. Large corporations are more likely to be targeted in hacks, buy coverage directly from insurers, and have their own legal, public relations, and technology expertise. Smaller companies are becoming cyberinsurance buyers when they work with larger corporate partners, usually shop through agencies, and typically need outside crisis management help.
SEE: Information security incident reporting policy (Tech Pro Research)
So it may be a sign of the times that United Parcel Service debuted cyberinsurance coverage for smaller firms through its UPS Capital division last week.
"We are a full financial services provider," marketing vice-president Dave Zamsky said of the Atlanta-based shipper's unit, which opened in 1999. "We think basically because of our skills in supply chain management, particularly in the transportation form, we're well-served to help our customers. We do a lot of research, and we stay current in what's happening with small and medium-sized businesses."
Owners of smaller companies sometimes mistakenly believe that general business insurance covers cyberattacks, Zamsky said. It doesn't, and a cyberattack can easily cost a small business from $80,000 to $150,000, which could be avoided with a $1 million plan costing around $3,000-$5,000 per year, he said.
"That's really what got us focused on it is we found that many of these small and medium-sized businesses don't have the protection that they need," Zamsky explained. "The impact of a cyberattack is going to get larger and get more devastating to their business as they start to grow." UPS can share its attack response experience and resources, not just offer standalone insurance services, he noted.
SEE: Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)
Businesses of any size may get tax breaks for having cyber coverage in the near future. Rep. Ed Perlmutter (D-CO) intends to re-introduce his Data Breach Insurance Act sometime in the current 115th Congress, spokeswoman Ashley Verville told TechRepublic. The bill ended in committee during the last term.
But in many cases, what pushes small businesses to buy cyberinsurance coverage is when they don't have a choice—larger partners of small companies often require it. Zamsky said UPS is probably involved in similar conversations with its own smaller partners. "I'm sure at some point, or if not already, those are conversations that are being had," he said.
It's definitely happening in telecommunications. Liza Navarro, in San Jose, CA, owns a Sprint authorized reseller called Wizardrix. She has just a few employees. "It is required by Sprint because technically we are Sprint in front of the customer," she said.
Navarro bought a $1 million plan for $1,383 from CyberPolicy, of San Francisco, earlier this year. The plan covers liability, regulatory claims, breaches, and extortion. She was previously turned away by Hartford Financial Services for being too small. Her advice for fellow small-business owners is straightforward. "I think the best thing would be to understand the coverage that you are required [to have]. I would have loved to have a couple of quotes. I didn't have a chance to do that," she explained.
Working in highly regulated fields such as law, banking, or healthcare can make your decision for you. Kurt Long, CEO of FairWarning, explained that his company in Clearwater, FL advises major hospital systems on cybersecurity and cyberinsurance. The clients have to obtain coverage because they possess sensitive data, and they require FairWarning itself to have a policy. FairWarning has about 120 employees, and its own policy is in the low eight-figure range, said Dan Singer, VP of Finance. The company originally bought coverage through Travelers and now uses a Hiscox policy, Singer said.
"What we did, and what I highly recommend, is that you also hire an attorney to help you negotiate it," Singer said. "What is different about cyberliability coverage is all policies are not created equally," unlike general liability insurance, he explained.
"You can't simply just buy it and assume that everything you need is covered," Singer continued. "You need to make sure the cyberliabilty policy will respond to the specific needs of your business."
Singer noted that insurance companies often negotiate their policies, and that subcoverage amounts may differ, such as only covering $1 million for forensic investigations out of a full $10 million policy. It's vital to clearly define your business activities, he said, so that interruptions to your customers can be properly measured.
- The Four Volume Cyber Security Bundle (TechRepublic Academy)
- Why the Equifax breach could force executives to finally take cybersecurity seriously (TechRepublic)
- Report: 71% of SMBs are not prepared for cybersecurity risks (TechRepublic)
- Why SMBs are at high risk for ransomware attacks, and how they can protect themselves (TechRepublic)
- Gallery: 10 apps to help you prepare for, respond to, and recover from a natural disaster (TechRepublic)
- As hackers lurk, companies turn to cyber insurance (CBS News)
- Ransomware: Why it's a really big problem for small businesses (ZDNet)
Evan Koblentz began covering enterprise IT news during the dot-com boom times of the late 1990s. He recently published a book, "Abacus to smartphone: The evolution of mobile and portable computers". He is director of Vintage Computer Federation, a 501(c)3 non-profit and can often be found running marathons or having deep conversations with Floppy Disk Cat.