Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
The nascent cybersecurity insurance market can play an important role for smaller businesses, which remain a prime target for hackers and cybercriminals, witnesses and congressmen said at a House Small Business Committee hearing July 26.
Larger corporations have already begun to learn to shift and mitigate cybersecurity risks through insurance, but smaller companies need to get on board, they said. Companies should also follow federal cybersecurity guidance and understand that they must control cybersecurity risks when acting as third-party vendors to larger companies, witnesses said.
Large-scale cyberattacks, such as Petya and WannaCry, made larger companies take note of the need for insurance, witnesses and lawmakers said at the hearing. But 50 percent of reported cyberattacks are against companies with $50 million in revenue or less, Daimon Geopfert, national leader and security and privacy consultant at Risk Advisory Services in Southfield, Mich., said.
There needs to be a concerted effort from public- and private-sector stakeholders to provide guidance and get the message out to small businesses that are facing exploding cybersecurity risks, the witnesses said. Small business owner Robert Luft, president of SureFire Innovations in Cincinnati, Ohio, said small businesses need to understand that “there is a real cybersecurity risk out there.”
Committee Chairman Steve Chabot (R-Ohio) told Bloomberg BNA July 26 after the hearing that cybersecurity remains a top priority for the committee. Hopefully the hearing will alert small businesses to cybersecurity insurance as an important risk mitigation option, he said.
But cybersecurity insurance isn’t a “silver bullet” solution for small businesses to manage risk, Erica Davis, senior vice president at Zurich America Insurance Co. and a hearing witness, told Bloomberg BNA July 26. Even with insurance, small businesses should still implement cybersecurity best practices, such as adopting an incident response plan, she said.
There have been a recent string of data breaches and hacking attacks connected to the data security practices of third-party vendors. For example, the massive Target Corp. data breach that exposed as many as 60 million customers’ payment card data was attributed to a third-party vendor’s weak data security measures. A more recent example is the hack of post-production company Larson Studios, which led to the theft of Netflix Inc.'s ‘Orange is the New Black” before its scheduled release date.
Due to the cybersecurity risks associated with third-party vendors and partners, insurance may play an important role in keeping business continuity and limiting both reputational and bottom-line revenue risks, witnesses said.
Large companies often require their third-party vendors to incorporate cybersecurity standards, such as the National Institute of Standards and Technology’s Cybersecurity Framework, and may increasingly make them buy cybersecurity insurance, Eric Cernak, cyber risk and privacy practice leader at Munich Re U.S., said. The goal of third-party vendor cybersecurity insurance is to protect the larger companies from unknown cybersecurity risks and from less technically savant partners, he said.
More complex companies will have more security tools and greater technical capabilities to defend themselves against cyberattacks, Geopfert said.
Davis said that larger companies generally have “more capital and resources” to defend against cyberattacks, and that means they are “locked and loaded when it comes to risk management.” However, smaller businesses are now involved in larger companies’ supply chains, and weak data security at the vendor level can sometimes go undetected, she said.
To help small businesses limit their cybersecurity risks and thrive in the larger supply chain, “insurance brokers, carriers,” and large companies should increase their efforts to “educate” smaller companies on the benefits of cybersecurity insurance and better data security protections, Davis said.
Small businesses might want to turn to more established insurance carriers that are able to devote resources and have the technical abilities to provide cybersecurity insurance products tailored to their specific needs, witnesses said.
Davis told Bloomberg BNA that, for the cybersecurity industry to thrive in the small business community, it will have to make a dedicated effort to understand the community’s needs. Some insurance carriers that lack the technical knowledge or understanding “won’t be able to dedicate the full resources needed to understand the exposures,” she said.
With assistance from Brandon Ross in Washington
To contact the reporter on this story: Daniel R. Stoller in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Further information on the hearing is available at http://src.bna.com/q67.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)