When Should SMBs Invest in Cyber Liability Insurance?

Small and medium size businesses (SMBs) generally have limited capital and resources, and successful SMB owners scrutinize every proposed business expenditure to determine if the benefits will exceed the costs. This analysis can lead an SMB owner to reject expenditures for cyber liability insurance when the benefits of this insurance are poorly explained or understood. Before making that rejection, the SMB owner should satisfy himself that he or she understands exactly what is liability insurance, and how does the SMB benefit from it.

At its most basic level, cyber liability insurance can compensate an SMB for property losses and liabilities it incurs when it suffers a data breach that compromises its customers’ personal or financial information, such as bank account numbers and passwords. Those losses and liabilities might include expenses for notifying customers of the breach and providing credit monitoring services, defending against lawsuits and making payments for damages and regulatory fines, and replacing lost or damaged equipment or digital assets. Cyber liability insurance might also cover cyber extortion costs related to ransomware attacks, and fraud losses associated with phishing attacks and other cyber scams.

During the first few months of its startup phase, an SMB might see no reason to procure cyber liability insurance as it will likely not have developed a large database of customer information that would be at risk in a cyberattack. As the SMB grows, the SMB owner should do regular risk assessments and impact analyses. The SMB should buy cyber liability insurance as soon as an assessment suggests that its risks have grown significantly and the potential impact of a data breach would be deterring the potential for future growth.

The impact analysis will necessarily be a function of the industry in which the SMB operates. SMBs in more regulated industries, for example, might face fines and penalties for failing to implement better protections over customer-specific data. Companies that provide cyber liability insurance can help a new SMB to assess risks and impacts properly and to determine how much cyber liability insurance they need. They can also audit an SMB’s operations and make recommendations and suggestion as to how the SMB can reduce cyber-risks with technology solutions, employee training, and solid cyberattack response plans.

The biggest problem with a slow and measured approach to procuring cyber liability insurance is that an SMB can experience rapid growth that overwhelms all efforts to do any risk assessment and impact analysis before it is too late. This problem is more than just idle speculation. In 2012, the website OnlyHonest.com, a startup that fostered political debate and that was barely one year old, suffered a hacking attack that cost the website’s owners hundreds of man-hours and thousands of dollars that they spent to rebuild and re-create the site. They ultimately lost the financial backing of their investors when they were unable to bring the site back up.

OnlyHonest.com’s experience points to the wisdom of procuring cyber liability insurance as soon as an SMB begins operations and before the impact of a data breach becomes so onerous that it threatens the very existence of the business. SMB owners are often willing to invest in firewalls and other technology-based defenses against cyberattacks while foregoing the protection that cyber liability insurance provides. This is analogous to installing expensive locks and security systems in a building, but failing to cover the building with theft loss and liability insurance. Given that cyberattackers are far more likely to target SMBs than they are to go after large companies, cyber liability insurance should be a budget line item in every SMB’s business plan from the onset of the business.