The Last Mile in Cybersecurity: Buying Cyber Insurance
For several years, I’ve been urging accountants and their staff to have cyber insurance. Unfortunately, your standard business policy doesn’t cover it. (Please tell me that you’ve been reading New Jersey CPA magazine and have followed my advice.)
With the new year in full swing, now is the time to implement two vitally important initiatives for protecting your data: One is DYI, and the other requires broader protection.
When IT experts caution users about the increase in threats, we sense the warnings are unheeded. If you doubt the importance of growing cybersecurity threats, mull over my experience. A few years ago, the application for cyber insurance was about two pages. Now it’s more like seven pages, and the specificity of the questions is far more pointed. “Do you have a backup?” was a simple question years ago. Now insurance companies want to know the precise nature of your backup and whether you have a plan if your backup fizzles.
What has happened should be apparent. Insurance companies have hired some very smart IT firms to navigate the terrain and ensure that the best safeguards are in place so they are less likely to pay out on a policy.
Small Business Statistics
Source: Parachute Technology
- The average cost of a data breach for small organizations (less than 500 employees) fell to $2.35 million in 2020, compared with $2.74 million in 2019.
- One in every five small businesses has no endpoint security in place, while one in three relies only on free cybersecurity solutions.
- 28 percent of all data breaches involve small businesses.
- 30 percent of small businesses consider phishing attacks to be their top cybersecurity concern.
- Electronic Data Liability Insurance average premiums range from $619 to $3,297, with the highest premiums going up to $55,500.
And please, don’t even consider not getting the best cybersecurity insurance. With the exception of IT companies, no one holds the keys to the data vault of their clients more than accountants. You are directly in the firing line of accountability if hacked. You have access to bank accounts, financial statements, Social Security numbers, even passwords. It’s a hefty responsibility.
The potential nightmare if you’re a multistate accounting operation gets worse. If a hacker breaches you and a lawsuit emerges and you have clients in 10 states, your legal team must be familiar with each state’s law. Think of this potential cost.
If all of this sounds like an IT scare tactic, it is. Because if a savvy hacker hacks you, it gets ugly trying to fix the damage.
Now that I’ve scared you, here is what you can do almost immediately.
It’s on You
Two-step verification is the starting point. I repeat this constantly because it is literally the easiest, most effective way to protect you. Is it irritating? Yes. But the potential protection is more than worth the 20 seconds of annoyance.
Next is virus control. Built-in virus protection programs are not enough for accountants. You need front-line virus protection. We recommend Barracuda (barracuda.com) and Sentinel One (sentinelone.com). (We have no financial stake in either company.)
Another important step is to ensure that your staff understands phishing attacks and how to both recognize and halt them.
It’s on Them
After you’ve incorporated these three DIY approaches to cybersecurity, it’s time to find a cyber insurance provider. Remember that basic business policies, like general liability, don’t hack it (forgive the pun).
Here are tips on securing cyber insurance.
- Shop around and get a least three price quotes. It’s a new frontier for insurance companies, and now everyone is an expert.
- Ask for a customized policy. That’s what everyone promises. Make them prove it.
- Find out how long they’ve been a cyber insurance provider.
- Request referrals.
- Do a minimum background check on the insurance company. Then, see what others say about them.
- Ask specific questions that address these areas:
- Network security issues that affect hardware and software
- Business interruption because of a cyber breach
- Public relations and crisis management expertise if a hacker hits your company
- Legal expenses that might arise out of a cyber attack, including your liability vis-à-vis the need to inform state and federal authorities
- Who pays for the forensic investigation that will determine how the invasion occurred and how to safeguard your data in the future
The one truism in your business is that, sooner or later, someone will try to breach your IT security. Pay the price now with common-sense security rules and a comprehensive cyber insurance policy or pay more dearly later.
This article appeared in the Spring 2022 issue of New Jersey CPA magazine. Read the full issue.