How Does Cyber Insurance Protect Small Businesses?

How Does Cyber Insurance Protect Small Businesses?

How Does Cyber Insurance Protect Small Businesses?
Dec 1, 2020
LinkedIn Icon

In this three part series, Ben Grosser (Head of Carrier Partnerships, Pathpoint) interviews cyber insurance expert Michelle Chia (Head of Professional Liability and Cyber, Zurich North America) to learn more about the cyber risks most affecting small businesses today, the role cyber insurance plays as a risk management tool, and how to approach matching your small business client with right policy.

Read Part 1

Read Part 3

Once businesses have an awareness of cyber risk (for more information, check out Part 1 of this series), it is important to know the direct impact to their business. Non-technology based firms or businesses with few employees often have a false sense of security, believe that they are not targeted by bad actors, and believe that cyber insurance isn’t needed. However, this is not always the case. 

BG: We often hear from small businesses that they don’t understand what insurance policies they need. When it comes to cyber, we can explain the coverages, but the end firm representative will say “Back up even more - what risks am I transferring, why am I paying this premium, and what could I lose?” Can you explain what cyber risks small businesses have?

MC: Cyber risk fits into three main buckets:

  • Privacy: If you have employees at all, you probably have their sensitive information like social security numbers, home addresses, tax information, etc. That’s all called Personally Identifiable Information. Many times upon application for or at employment,  a company receives this information and has it in their care, custody and control. Local, state, and federal agencies may have regulatory oversight, and they may require the notification of parties effected by those data breaches. Additionally, those parties impacted may hold businesses accountable for their actions by filing suits in the applicable jurisdiction. 
  • Business interruption: Most of us rely on our computers, laptops and cell phones. In addition, most of us rely on BYOD (bring your own device) these days. Most of what we do in our personal and corporate lives uses technology. That will continue to evolve over time, and we will continue to rely on technology more and more. The inability to use laptops or other devices resulting from a cyber attack could lead to a business interruption or an inability to conduct business as usual.
  • Ransomware: It’s highlighted in the media. We learn about ransomware events that impact large, complex organizations, but many of the organizations that are also being impacted are small in size. 43% of cyber attacks are targeting small businesses, with up to 60 percent of smaller businesses going out of business within six months of being victimized.* These statistics shine a light on how important it is for companies to protect their balance sheets, more so than ever. 

BG: Why is there still a liability and need for balance sheet protection if small businesses are using third party providers for their computer systems? What if they use AWS(Amazon Web Services), or computers they don’t own?

MC: If your computer is turned into a brick because of a cyber event or locked due to a ransomware event, you won’t be able to connect to AWS anyway. The data on your laptop could be inaccessible or corrupted, which could be a challenge. How will you provide service to your customers?

BG: We do always get the question, “I read this thing on the news or on Twitter about GDPR or CCPA, it doesn’t apply to me, right?” What are these, and how do they change the landscape for what a SMB might be required to do?

MC: GDPR, which stands for General Data Protection Regulation, is quite complex. In short, it could apply to any company that has a website, because if you are soliciting any information, even cookies (collecting the fact that an individual visited your website), from individuals that reside in the EU, it may apply to you. Basically, any organization with a website that can be accessed by EU residents is collecting regulated data and could be subject to that regulation.

CCPA, the California Consumer Protection Act, is the private right of action: as a private citizen an individual can bring suit against any organization that lost that person’s information. The suit does not need to be brought by a regulatory agency. Instead of large class action lawsuits, which still can occur in conjunction, individuals can bring a lawsuit against a company based on any information that they lost with regard to that individual. If you are a nail salon in Florida, CCPA can apply to your business, even though it's called the California Consumer Protection Act, because it extends to organizations over a particular size that have California consumer resident information. If you fit that profile, then it applies to you. 

The way we use technology both in our personal lives and in a corporate setting has evolved very rapidly, and regulatory agencies are looking to protect consumers in any way possible. As our use of technology increases and these regulations continue to evolve, companies need to be aware of regulations addressing protection of information in their care, custody and control. 

Cyber insurance works to help businesses with these risks. 

*Steinberg, Scott. “Cyberattacks now cost companies $200,000 on average, putting many out of business.” CNBC. 13 October 2019.


The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Please consult with qualified legal counsel to address your particular circumstances and needs. Zurich is not providing legal advice and assumes no liability concerning the information set forth above. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, the sponsors remind you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.

This article is not intended to provide specific legal or regulatory advice or suggest the adequacy or appropriateness of any particular insurance product.  Insureds are always advised to seek the advice of their own legal and risk management advisers with respect to potential liabilities or the adequacy of any insurance product.

More From Our Blog

Explore all posts