The data breach at Anthem Blue Cross Blue Shield in February is only the most recent high-profile cyber attack in the last year.
Breaches at JP Morgan Chase, Home Depot and Target have also made headlines, as private account data of hundreds of millions of customers has been compromised.
Many executives are now scrambling to tighten cyber security at their companies, and that includes small to mid-sized firms.
Steve Hawkins runs the pest control company 5 Star Environments in midtown Manhattan.
Two years ago, Hawkins says hackers breached his company’s computers and stole credit card numbers of his customers.
“You’re violated, both personally and professionally thinking about what could they could be acquiring with the information they’re taking, the financials of both yourself and your clients,” said Hawkins.
Hawkins informed his clients and then put in place stronger firewalls to protect the data. But he says it came with a hefty price tag, and the alternative – doing nothing – could be far more expensive.
Vijay Basani, CEO of EIQ Networks, says companies can’t afford to ignore the rise in cyber attacks.
“The majority of companies have some compromise in their network. Forty percent of companies have been breached in the last year,” Basani said.
Large, multinational companies often have the resources to set up data encryption and monitoring, but Basani says the high cost of doing this can force small to mid-sized companies to rely on minimal security measures such as anti-virus software. He thinks this is a mistake and he adds, companies should have a strategy in place for how to react if they are targeted.
Increasingly, companies are doing this by turning to cyberinsurance. Industry researcher Advisen says the number of premiums paid for cyberinsurance was $2.1 billion dollars last year – up from $1.8 billion in 2013.
“If you went back 10 years ago and asked the risk manager of a corporation, ‘What keeps you up at night?’ they might say being involved in a mass tort or being in a big product recall where you’re being sued,” said John Farley, vice president at Hub International, an insurance brokerage firm. “Those are still valid concerns, but if you ask that same question today, cyber risk is always at the top.”
These policies typically cover attorney fees, regulatory fines and enough money to set up credit monitoring to affected customers.
But insurance carriers rely on years and years of data to set premiums in areas such as worker’s compensation and property liability.
“It’s much different in cyber,” said Farley. “In cyber, there’s really not a lot of claims data out there. It’s relatively new and it’s not readily shared.”
Former Federal Bureau of Investigations agent Ed Stroz advises clients on how cyber security and insurance through his firm, Stroz Friedberg. He says companies need to ask themselves how much risk they can really stomach.
“You have to look at the terms of the policy, the kinds of insurance products that are out there, and how well that aligns with the kind of coverage your clients seek to get,” warned Stroz.
Some companies want more insurance than carriers are willing to sell them. And underwriters themselves don’t entirely understand the risks.
The Obama Administration is trying to get companies to help each other and the government understand those risks by sharing information.
But experts say companies have been far from forthcoming, even when compelled to do so by industry regulations.
Meanwhile, they say hackers continue to stay one step ahead.