How are you evaluating your risk to loss from cyber crime or from the loss of your client’s personal & protected data? Accountants should be taking a two-pronged approach to protection: prevention and mitigation through cyber security and training; and insurance for when front line security doesn’t stop an attack or a breach.
In today’s post, I’ll review a common gap in insurance coverage for many Accounting and CPA Firms: Cyber Insurance. I’ll touch on ways to mitigate your risk, provide an overview of the different types of Cyber Insurance policies, and why having a rock solid program is important to the future of your firm.
Before that, however, here’s a short explanation of what cyber insurance is:
Mitigating Your Risk
Risk Mitigation and Prevention is a cornerstone of any Risk Management Plan. There are a couple of reasons why mitigation and prevention is important.
First, your policy might require that you have practices in place for coverage to even apply. There are cases where not having the right practices and procedures in place may preclude coverage.
Second, even if your loss is covered, there is more than just the direct financial loss that comes with it. Indirect costs of being subjected to cyber crime or a data breach might include:
- Losing clients
- Long term reputational harm
- Decreased revenue
- Having to lay off employees
- Lost time
Finally, a good risk management program supports organizational objectives. By taking a holistic view of your risk, you may just find more efficient operations and ultimately, increased long term profitability.
What is Cyber Insurance?
Cyber Insurance is a way to transfer the risk your business faces in regard to a laundry list of exposures related to privacy and the internet. While not comprehensive, common areas of risk covered by the more robust Cyber Insurance policies include:
- Privacy Liability
- Data Breaches
- Damages to 3rd Party Systems
- System Failures
- Cyber Extortion
- Business Interruption
- Regulatory Fines & Damages
- Reputational Harm
There are two primary types of Cyber Insurance you can get: as part of another insurance policy, or as a standalone, specialized policy. In MOST cases, adding coverage as part of a package will provide inferior coverage, as compared to what you can get on a standalone specialty policy.
It’s important to remember that Cyber Insurance isn’t just about the limit of coverage you get, but about the range and breadth of coverage included.
Many Accounting Firms don’t have any cyber coverage – and those that do often have inferior coverage by simply adding the coverage as an endorsement to their Business Owners Insurance Policy.
A good comparison between the types of coverage would be in thinking about how well prepared a company might be for an audit if the business owner with no accounting training completed their books vs. having a licensed CPA complete it.
Why do Accounting Firms need Cyber Insurance coverage?
Most of the cyber attacks or data breaches you hear about are for big companies. Target. Equifax. Sony. Your business isn’t anywhere near as big as these companies – are you really at risk?
There is a widespread and mistaken belief that small businesses are unlikely targets for cyber attacks. The fact of the matter is that small businesses are prime targets for cyber crime because they don’t have the same protections larger corporations have.
Here are some important statistics* that illustrate why you need this coverage:
- 43% of cyber attacks target small businesses.
- 60% of small businesses that are victims of a cyber attack go out of business within 6 months.
- 47% of small businesses have no understanding of how to protect themselves against a cyber attack.
- Human error and system failure account for 52% of data breaches.
- Small businesses spend an average of $955,429 to restore normal business following a successful attack.
In addition to these statistics, think about the types of data you have in your system. Beyond the often private financials of your business clients, you’re holding Names, Dates of Birth, and Social Security Numbers. And not just for your clients, but for the employees and vendors of your clients.
Finally, it’s not just data breach that you have to be worried about. If you are subject to a ransomware or denial of service attack, your systems might be down for an extended period of time. What if a technology vendor you use gets attacked?
How much money would you lose if you’re not able to communicate with your clients – or if your employees aren’t able to work?
At-Bay, one of the cyber insurance providers that we work with, has a tool to help you estimate how much it would cost you if you had a data breach: You can run your own scenario here.
How much would it cost you if you were exposed to cyber crime or a data breach? Would your business be able to recover from that loss if didn’t have insurance coverage for it?
Protecting your business
The right way to protect your business is through a combination of controlling and transferring your risk. At Stillwell Risk Partners, we not only help you transfer your risk through an insurance policy, but we can help you put practices in place to reduce the likelihood of having a claim.
Some of the services we can provide to our clients include:
- Developing a Cyber Security Planning Guide
- Employee Training & Education
- Coordination of Risk Management Services
- Business Continuation Planning
If you’re interested in working with us or in learning more, please contact us when you’re ready to get started:
Or give us a call at (610) 671-3500