Better Safe Than Sorry: How Startups are Staying Protected in Cyberspace by Jason Ankeny

02/02/2015 07:40

Even business intelligence firms can learn a thing or two about doing business in the digital era. Just ask Bowman & Partners, a Roanoke, Texas-based startup that mines a wealth of brand and consumer data to create customer management strategies and marketing initiatives for clients that include Comcast Business, United Healthcare and Windstream Communications. 

Like many businesses, Bowman & Partners has shifted much of its workload to the cloud, and when principal Paul Bowman began chasing a contract with a major healthcare firm, he proposed a cloud-based dashboard to gather information straight from the company’s call centers, offering insights into medical activity and patient trends from across the country. 

Not so fast, the healthcare company said. “Because we would be collecting and housing personal health information in the cloud, they let us know pretty early into the negotiations that we’d need to expand our level of insurance,” Bowman says. “If anything were to go wrong, we needed to make sure we were covered.” 

Bowman & Partners discussed its options with Business Insurance Now, an online agent that had previously sold the company a general liability policy offering protection against injury claims, property damage and other physical-world concerns. Business Insurance Now put together a cyber insurance package safeguarding Bowman & Partners from the perils of the virtual world, such as data breaches, network attacks and business interruptions. The cyber risk policy, in tandem with other insurance upgrades requested by the healthcare provider, helped Bowman & Partners seal the deal. 

Bowman & Partners isn’t the only company looking to minimize its online risk in order to maximize financial reward. American businesses were expected to spend $2 billion on cyber insurance premiums in 2014, a 67 percent increase from the $1.2 billion they forked over a year earlier, according to Betterley Risk Consultants. While that’s just a fraction of the $1 trillion in net premiums the U.S. insurance industry wrote in 2013, experts forecast that spending on cyber insurance will grow exponentially in the years ahead. Security software developer McAfee estimates that cybercrime already costs the global economy $445 billion a year, a figure destined to surge as more companies and consumers across the planet connect to the web. 

It’s not just big-box retailers and other large corporations in the cross hairs. Forty-four percent of American small businesses have been victimized by cyber attacks, according to the National Small Business Association, which adds that each breach racks up an average of $8,700 in damages. 

“Cybercrime is in the news all the time, but there’s a huge misconception that it only impacts big companies,” says Ted Devine, CEO of small-business insurance provider Insureon, Business Insurance Now’s parent company. “The reality is that anybody that has forms of client data exposes themselves to cyber risk. Whether it’s a mom who owns a cupcake store that might take credit cards or a consulting firm that deals with healthcare data, the risk is incredible. Running any business without cyber protection is like jumping out of a plane without a parachute.”

Cyber insurance policies trace their origins to the dot-com boom of the late 1990s. “We saw that [the internet] was a fundamental change in the way companies did business, and that it was going to create a fundamentally new type of risk,” says Robert Parisi, cyber product leader at insurance brokerage firm Marsh USA. “Traditional property and casualty policies didn’t embrace these new risks, and there was a need for insurance that actually responded to them.” 

Few insurers offered cyber coverage prior to 2002, when California lawmakers enacted the nation’s first data security breach notification law, requiring companies statewide to immediately disclose a data violation to consumers. As of late 2014, 47 U.S. states had approved data breach notification legislation, with Alabama, New Mexico and South Dakota the lone holdouts. 

“[Data breach laws] created a whole host of additional costs that had to be borne by somebody. It typically falls on whoever lost the information. Those costs can be substantial,” Parisi explains. “Cyber insurance policies started to evolve to pick up those expenses, as well as providing what I call ‘crisis management coverage’—helping companies deal with the moving parts of dealing with a breach.”  

Cyber insurance policies and prices vary depending on a multitude of factors, including the size of the company purchasing the policy, the industry vertical it targets and the breadth and volume of data it retains. 

Robert Hartwig, president of the Insurance Information Institute, says the typical cyber insurance policy has three primary components. The first is loss prevention or avoidance: The insurer or an outside contractor partner assesses the client’s existing IT systems and the security measures already in place to defend them, pinpointing potential vulnerabilities and identifying solutions. 

The second component is traditional insurance coverage—i.e., protection against catastrophes. “You may be held liable to the costs of customers whose credit card information was lost or held liable for credit monitoring for a year, for example,” Hartwig says. “Or you could suffer from lost income if you’re hacked and your server goes down, or if the hack leads to the loss of copyrighted or trademarked information. You can be insured against these potential losses.”

The third component is resolution coverage, which assists businesses if and when a breach occurs. “In other words, an insurer will come in, find out what happened, remedy the situation to the extent possible and then work with you to make sure it doesn’t happen again,” Hartwig explains. 

More than 50 U.S. insurance carriers now offer cyber insurance policies. While insurers have traditionally focused on the enterprise market, a growing number of firms are specifically targeting the small and midsize space. New entrants include Ridge Insurance Solutions, founded by Tom Ridge, the first secretary of the Department of Homeland Security. The firm offers customized risk-assessment tools and insurance coverage designed for businesses with market capitalizations south of $500 million.

“The world is about risk management. Capitalism is about risk management. Homeland security is about risk management,” Ridge says. “The new dimension in the world in which we operate is what I call ‘the digital forevermore.’ The digital sun will never set; the challenges are only going to get greater. We felt this was an opportune time to create an insurance company focused on cyber insurance for the small and midcap space. The intellectual property in these companies is America’s future—this is where a lot of R&D is going on, and we have to protect it as best we can.”

Businesses are slowly but surely coming to grips with the threats looming over them. Thirty-three percent of small and midsize U.S. employers surveyed in 2014 by risk management and insurance brokerage firm Marsh & McLennan report having a cyber liability policy installed, up from just 16 percent in 2013. The increase follows a rash of high-profile data breaches suffered by brands like Target, Home Depot and J.P. Morgan; the infamous “Backoff” malware package that compromised tens of millions of Target shoppers’ credit cards in late 2013 also affected the in-store payment systems of more than 1,000 American businesses, according to the Department of Homeland Security.  

“The small-business market was underserved until recently, but we’ve seen a huge increase in demand for our cyber products driven by a critical mass of incidents happening very publicly to large companies,” says Tim Zeilman, vice president at Hartford Steam Boiler Inspection and Insurance Company. “The issue is awareness—not only at the risk-manager level of people buying the insurance, but also at the level of senior management. They have the attitude that ‘This happens to the Targets and Home Depots of the world, but it isn’t going to happen to us.’ But these things happen to small businesses in quite large numbers.”  

Cyber criminals assail the small-business space with 3.5 new threats every second, according to security software company Trend Micro. Experts say assaults will only multiply, diversify and intensify in years to come, especially as hackers find the enterprise sector all but impenetrable.  

“It’s going to be increasingly difficult to hack into very large organizations, because they’re spending amounts that small businesses can only dream of in terms of upgrading the protections in their systems,” says Hartwig of the Insurance Information Institute. “Cyber criminals are going to find targets of opportunity and targets of least resistance, and that means moving down to smaller and smaller businesses, because their systems are not as strong or resilient.” 

Small businesses may not be able to match the cyber security investments made by their deeper-pocketed competitors, but they can still purchase cyber insurance policies without breaking the bank. Devine says Insureon sells cyber risk endorsements—written attachments to an insurance policy that add protection not included in the original coverage—for as little as a few hundred dollars per year, with stand-alone cyber policies (recommended for retailers, consulting firms and other businesses overseeing large chunks of customer data) offered for a median annual price of less than $1,200. 

“When you consider that there’s a 44 percent chance you’re going to get hacked and a 60 percent chance that if you lose client data you’ll go out of business, it’s a pretty good investment,” Devine chuckles. 

Bowman & Partners is already leveraging its cyber insurance investment to bring in more new business. “I’m working with a very, very large telecommunications firm now, and we’re doing their marketing analytics,” Bowman says. “Part of the deal with them is having this coverage. If you’re dealing with any kind of personal identification information, in this new day, you have to have it. You can’t do business without it moving forward.”