Is Cyber Insurance Worthwhile For SMBs?

The increased attention being paid to insuring businesses against cyber crime, disaster and related losses and costs isn't all coming from companies that sell cyber risk coverage.How large a risk is cyber crime or other digital disaster for your business? Large enough to justify -- or require -- a specific cycbercrime policy or rider? One that protects you from devastating losses incurred by security breaches, unauthorized funds transfers, digital disasters, privacy compromise and other risks.

Cyber risk insurance questions questions were explored in some detail by Robert Lemos for Dark Reading recently. I'd recommend you read his piece -- and then begin exploring the questions yourself and in terms of your business.

The risk of cybercrime affects all of us, and the Dark Reading piece makes very clear the risks any business or institution can face if its bank account gets cyber-siphoned.

But particularly in tight economic times, you might want to thin about the nature of your business and the data you handle as a way of starting your cyber insurance considerations.

An insurance professional I know pointed out that for many small businesses -- contractors, for instance -- digital resources serve primarily support functions, bookkeeping, banking, and other financial information among them, and among the risks. But transaction processing isn't part of the the primary business.

While a breach of these companies' networks would be serious, perhaps devastating in the case of a funds-transfer that's not fully covered or reimbursed by a financial institution, that risk doesn't generally extend to a large customer base with that base's confidential transaction-related data on file.

Of course, there's more to cyber risk -- and more at cyber risk -- than credit card numbers and other transaction information. If you have a service business that deals with medical records or databases that include Social Security and other identity-related information, a breach could clearly expose you to the consequences of failing to protect your customers' data, as well as any losses caused by the breach itself. Litigation costs -- and bad publicity -- from such confidentiality, privacy and identity breaches can quickly overcome even healthy businesses.

And there's also disaster recovery cyber insurance, and its evaluation, including budget impact of premiums, should be part of your regular disaster recover/business continuity review process.

For those companies where the risk is mostly business (and possibly business-owner) related, cyber risk insurance is still worth considering seriously -- but considering in terms of the amount of the amount of risk you're comfortable with, measured against the level of security and defensive expertise and tools you have in place to minimize it.

And there are budgetary considerations as well. Some small business observers estimate that $1 million in cyber risk coverage (with a deductible in the $5 thousand dollar range) would run between $3- and $4 thousand dollars a year.

That's no small expense for most small businesses, and, like many specialty insurance investments, it's one of those expenses that you don't really have to make.

Until, of course, it's too late to get the coverage because you've already been breached or compromised.

My advice is to take a solid look at your business, your in-place defensive measures (including your disaster preparation and business recovery plan, and their costs, and then have a talk with a knowledgeable insurance professional who has experience with cyber risk.

Shouldn't be hard to find one. My friend in the business noted that security and cyber risk are topics that he's running into more and more frequently.