Canadian Underwriter

Fewer small businesses buying cyber liability insurance since Target breach

July 24, 2014   by Canadian Underwriter

Print this page

Businesses outside the information technology sector seem less likely to seek cyber liability insurance since news broke last December 19 about the breach involving Target, suggests Insureon, an insurance provider for small business.

In a statement Wednesday, the company notes that in the months before information came out on Target’s data breach, 9% of non-IT insureon applicants requested cyber coverage. In the months since, only 5% have made the request.

Insureon cautions that it appears media portrayals of breaches are giving small businesses a false sense of security.

“The reality is that small businesses get hacked far more often than big ones,” Ted Devine, CEO of Insureon, says in the company statement. “But you’re not going to turn on the evening news and hear about the florist on the corner getting breached. You’re going to hear about Michael’s and Neiman Marcus and P. F. Chang’s,” Devine continues.

He suggests that assuming a business will not be hacked because it is small is like assuming a bully will not steal another kid’s lunch money because there is a bank on the corner. “There are small-time hackers, too,” Devine warns.

Insureon cites Verizon’s 2014 Data Breach Investigations Report (DBIR), released in April. It found that 92% of the 100,000 security incidents analyzed over the past 10 years can be traced to nine basic attack patterns that vary from industry to industry: miscellaneous errors such as sending an e-mail to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; denial of service attacks; cyberespionage; point-of-sale intrusions; and payment card skimmers.

“Organizations need to realize no one is immune from a data breach. Compounding this issue is the fact that it is taking longer to identify compromises within an organization – often weeks or months, while penetrating an organization can take minutes or hours,” Wade Baker, principal author of the DBIR, said in a statement at the time.

Devine argues that from a frequency standpoint, hacking “largely remains a small-and-medium business issue.”

Insureon does point to one bright spot in the company’s data: although small businesses have been less likely to buy cyber insurance since the Target breach, they have been more likely to choose higher coverage limits.

Before Target, 93% chose the minimum policy limit, while in the months since, that has shrunk to 85%, the company adds.