Key cyber insurance considerations for startups
11 July 2017
What’s my cyber risk?
Startups tend to be less concerned about their technology/cyber risks than their publicly traded counterparts. How is this possible? It may be due primarily to a limited understanding of the scope of risks that they face.
According to the Verizon Data Breach Report, approximately 61% of data breach victims are businesses with less than 1,000 employees. With this in mind, let’s address some of the common misconceptions among startups:
- We’re not a target for attackers because we don’t have valuable data: Any startup that processes data and is connected to the internet has cyber risk. It’s that simple. While startups often don’t have large ‘troves’ of data, they still have data. Attackers view access to startup networks as a ‘path of least resistance.’ Compared to large publicly traded companies, startups may not have significant resources invested and dedicated to protecting their critical assets. As such, it is easier for a hacker to infiltrate a high volume of startups than one large organisation with stronger controls.
- We outsource the storage/processing of data: Most startups think outsourcing data storage and processing will completely transfer their risk and potential liability to the outsource provider. This is NOT true. The organisation that owns the data ultimately has responsibility for it. While there may be some shared liability with outsource providers, most have limit of liability provisions in their contracts. Further, determining liability is a lengthy process and something an organisation will be challenged to devote time to while responding to a breach.
- We have adequate technology security controls: While technology controls are important and part of the solution, cyber risk at its core is a people risk. According to our research, 69% of cyber breaches are due to an organisation’s employees and can stem from a lost laptop, a disgruntled employee, inadequate cyber awareness training or hiring non-qualified employees. Therefore, it is important to also devote attention and resources to people solutions, such as employee engagement, awareness and hiring the appropriate IT talent.
Which startups should buy cyber risk insurance?
It’s still important for startups to consider cyber insurance even if they aren’t isn’t providing a technology professional service.
Both Business to Business (B2B) and Business to Consumer (B2C) organisations should understand their cyber risk and consider cyber insurance as a method of risk transfer.
If an organisation is providing technology professional services, it’s important for them to put together technology professional services coverage with cyber liability insurance, as there’s an overlap in coverage. If an organisation isn’t providing a technology professional service, it’s still important for them to consider cyber insurance, which can provide balance sheet protection for both first-party coverage (out of pocket expenses – i.e., business interruption, data restoration, and cyber extortion) and third-party liabilities (lawsuits alleging financial harm as a result of an organisation’s errors or omissions).
The Bottom line:
Startups need to be as proactive as their larger counterparts by:
(1) conducting proper risk assessment and quantification;
(2) investing in a cyber-savvy culture;
(3) insuring cyber threats they can’t mitigate and;
(4) allocating enough capital to technological cyber defenses.
Would you like an insurance quote for your startup? Visit here for a free and instantaneous quote.