By: John Farley and Michelle Lopilato

Tragically, 60 percent of small to midsize companies that suffer a cyber attack are out of business within six months. Don't make the mistake of assuming that your business is less susceptible to breaches than a large company: in a recent survey of 600 SMBs, 55 percent reported having been hacked.


Read on to find out how our experts address the most frequently asked questions regarding breaches among SMBs.  

  1. What type of cyber insurance coverage should an SMB purchase?

    With at least 38,000 publicly known vulnerabilities, it is prudent to purchase a complete, industry-tailored cyber policy that covers cyber extortion, data asset loss, breach response costs, privacy liability, network security liability, media content liability, regulatory defense, payment card industry (PCI) fines and assessments, and business interruption. Because the marketplace is so competitive, the premium saved by dropping any of these coverages is small compared with the risk the company would be retaining on its own balance sheet.

  2. In the event of a data breach, who is liable, the vendor or the business? 

    Privacy law generally places the obligation on the "data owner" or "storefront," that is, the business that collected the data. Third-party service providers your company contracts with usually have no direct statutory obligation to comply with privacy law if they disclose your data while under contract with you; the main exception is the healthcare sector, where HIPAA binds business associates directly.

    Be aware that if you are contracting with very large or brand-name service providers, you will likely receive no indemnification for their errors, omissions, or negligence in disclosing your company's data. In fact, in many cases the service provider will require your company to indemnify them or hold them harmless. If you are contracting with a smaller or regional service provider, you may have the leverage to secure some indemnification, but it will likely be capped at the value of the contract. Review the contracts that are in place before a breach forces you to.

  3. Who is legally responsible if customer information held in a third-party cloud service is hacked?

    If a vendor is hacked and its clients' data is compromised, both the original data collector and the vendor could face liability and incur costs. Many factors determine how that liability is allocated, including regulatory requirements, industry standards, the contracts in place, jurisdiction, and the facts of the incident.

  4. If a hacker gains access to a company email account and instructs the bookkeeper to transfer funds to a third-party account (business email compromise), does cyber insurance cover the stolen funds?

    Generally, a cyber policy can respond to this kind of funds-transfer loss only if that coverage was specifically negotiated as an endorsement, and such endorsements usually carry a low sublimit. A broker with cyber expertise who understands the endorsements can determine whether it is better to secure this coverage on a commercial crime policy instead, where companies are often able to obtain a higher sublimit for this type of loss.

  5. Which cyber-insuring agreement receives the most claims?

    The breach-response insuring agreement receives the most claims. It covers the costs of complying with privacy law after an incident, which can include legal consultation, digital forensics, public relations, notification of affected individuals, credit or identity-theft monitoring, and call center costs.


  6. Which regulatory bodies get involved: those of the state where the insured operates, or those of the state where the victim resides?

    State breach-notification laws apply based on where the affected individual resides, not where the breach occurred or where your business operates. If a breach affects clients or customers residing in several states, understand that each state's law is different, and you must comply with each state's notification timeline and content requirements. Additionally, federal regulators enforce laws that protect particular types of data, such as HIPAA for healthcare, FERPA for education, and the Gramm-Leach-Bliley Act (GLBA) and the Red Flags Rule for financial institutions.

  7. If data is being held ransom, should a business owner pay off the hacker?

    The FBI recommends against paying hackers in ransomware attacks, explaining that payment only encourages future attacks. There is also no guarantee that a hacker will release your data after being paid. Instead, back up network data regularly, keep at least one copy offline or otherwise isolated so the ransomware cannot encrypt it too, and test that you can actually restore from it; then you can recover your files quickly and avoid having to negotiate with hackers at all.

  8. Even with technology and software solutions available, does human error remain one of the greatest risks if there aren’t training, protocols, and practices in place? 

    Yes, absolutely! While nearly half of all data breaches are caused by malicious actors, 25 percent are caused by human error. These mistakes include lost or stolen laptops or thumb drives, employees clicking suspicious links, data-entry errors, data or records delivered to the wrong recipient, and improper disposal of records and equipment.

You may be small, but you can be mighty as long as you incorporate effective cyber security strategies. Listen to the Strike Back at the Hack! webinar to hear more on how to protect your business from a data breach.