A cyber attack can take many forms, and businesses of all types and sizes are at risk. You may remember one of the worst data breaches on record when in 2017, credit bureau Equifax exposed the personal data and social security numbers of up to 145 million people and cost the company upwards of $700 million in penalties and compensation. That may be an extreme example, but according to a 2018 study by the Insurance Information Institute (I.I.I.) and J.D. Power, one in ten U.S. small businesses (most with fewer than 50 employees), had been affected by a cyber incident, but only 31 percent of them have cyber insurance. The average loss of these breaches was $188,400. Moreover, half of confirmed data breaches target small business and 60% of these fail within six months of the breach.

These types of attacks on small businesses can range in scope and damage; from hacked email accounts, to unauthorized wire transfers and credit card fraud, to personal data breaches and identity theft.

Consider these real-life cyber claim scenarios:

  • A residential contractor became the victim of a social engineering attack and wired $35,000 to criminals after receiving fraudulent instructions, believing them to be a vendor.
  • An employee of a professional services firm had a laptop stolen during a work conference. The laptop contained sensitive client information. The computer was password protected but information was not encrypted. The incident cost the firm more than $20,000 in forensics and notification expenses.
  • A restaurant in Washington was notified of a breach by MasterCard due to a high level of fraud committed on customer credit cards who patronized their business. They were required to immediately undergo a forensic examination which totaled $11,646.90. Six months later, the restaurant was notified by MasterCard that fines of $26,242 for Fraud Recovery along with a Case Management Fee of $8,000 were being assessed. Two months afterwards, Visa assessed a non- compliance fine for $5,000. The restaurant had a total cost of $50,888.90 due to this breach.

Sean Kevelighan, CEO of I.I.I. says “Understanding your business’ risks and taking proper precautions means a small business can spend more time charting its progress than responding to unforeseen emergencies. In particular, the growing threat of cyber intrusion on small businesses is growing rapidly.”

For this reason, NREIG is pleased to partner with AMWins Cyber and North American Data Security Risk Purchasing Group to offer the Enterprise Pro Cyber Liability Program which protects businesses for the cost of an actual or suspected breach that results in the unauthorized release of protected personal identifiable information (PII).

What does cyber insurance typically cover?

  • The cost to respond and recover from a data breach – This includes legal fees and fines or penalties, as well as expenses related to: forensic examination or investigation, data recovery, notification of those affected by a breach, crisis management, and public relations.
  • Recovery of funds stolen electronically or through fraudulent instructions
  • Ransom payment if your computer(s) is/are encrypted
  • Business interruption losses related to expenses or lost revenue resulting from a breached system

Why do you need to consider cyber insurance?

Almost every business stores or collects sensitive data, and is legally responsible for protecting any information collected. As a landlord or property manager, you may manage tenant leases, background checks and collect rent through an online system. As a lender, you store personal information about your clients. As a flipper, you may pay contractors through wire transfers. Most certainly, you rely on a computer system or network to conduct day-to-day business using email and web browsing.

These tools and practices are crucial to profitably and efficiently managing your business, but leave you open to a potential breach.

Cyber Liability is offered through our partnership with our commercial insurance partner at Sandstone Insurance.


Note: This piece is not to be construed as contractual. Applicable language specific to your policy supersedes it. Information contained in this post is intended to provide you with a brief overview of the coverages provided for reference purposes only. It is not intended to provide you with all policy exclusions, limitations and conditions.