I know some of you will think I am sending too many emails about the risk to small businesses from a security breach but if only a few of you take steps to protect your business I will accept the criticism. Please see below an email I received from Bill Zachary VP of Risk Management for Safeway. He makes a great comment about looking at an insurance companies application for cyber liability coverage. Even if you are not interested in purchasing coverage this is as Bill says it's “an excellent template for small employers to explore their own exposure”
Thank you Bill for sending this.
Small Business California
2311 Taraval Street
San Francisco, CA 94116
I have a good friend who had a small business that used to do permanent disability evaluations. His company took data and medical reports from workers compensation claims administrators and did the analysis to determine the final workers compensation Permanent Disability rating. In December, some thieves broke into his offices and stole a couple of desk top computers and a laptop. I believe that information in the computers was backed up. However the information in the laptops includes social security numbers and other personal identifying information of injured workers. The lack of his financial ability to do the needed credit monitoring and the lack of crisis skills needed to respond to such a data breech, sunk his company. His reputation was severely damaged. He is now looking at personal bankruptcy.
I know that small businesses can not afford extra expenses. This economy has been a very difficult time for all small businesses. However if the small business owner does not look into this issue, it is a decision by omission rather than a decision made on facts. It is better for all business owners to make decisions based on rational facts than to assume they have no exposure or that cyber insurance is too costly for them. Many cyber insurance policies respond to a data breech with both financial and crisis management processes.
I would suggest the following:
When filling out an application for cyber insurance coverage, the information that is required for underwriting usually also provides an excellent template for small employers to explore their own exposure. The keys to exposure are cyber points of weakness and personal and financial information, (such as web usage, website management, social security numbers, bank numbers, addresses, birthdates, credit card numbers etc.) If the small business owner cannot eliminate or mitigate the points of weakness or all of the private or financial information from their internal systems, then they seriously have to consider what protection they can get from an insurance policy.
By going through the exercise of applying for the insurance, and knowing the cost of the insurance, the small business owner will then be able to make a conscious and informed decision of his/her exposure and the cost of insurance. Failure to act may result in the loss of their business and livelihood just as my friend who had his business wiped out through no real fault of his own.
VP Risk Management