Like most small businesses, your company probably utilizes electronic data. Maybe you use email to communicate with customers, vendors and other business associates. You may also store customer files on your firm’s computer system. Those files might include credit card numbers, product information and other sensitive data. These activities may be vital to your business, but they may also make you vulnerable to a cyber-attack.
If you are a small business owner, you might think your company is an unlikely target for a cyber-attack. After all, who’d bother attacking a little firm like yours when they can go after a big bank or insurance company? You may be more vulnerable than you think. Large companies generally have more money and personnel to devote to security than small firms. Thieves take the path of least resistance, so they are more likely to strike a small company.
A cyber-attack may involve a hacker, a virus, malware, phishing or other activity on your computer system. Attacks can come from outside your company; examples are a virus attached to an email entering your system and computer code used by a hacking group to access your computer. Attacks can also come from within, say, by “rogue” employees. The effects of such attacks can be devastating and widespread. A single event may result in any of the following:
- Loss or Damage to Electronic Data: A cyber-attack can damage electronic data stored on your computers. For example, a virus damages your sales records, rendering them unusable. Recreating them is a time-consuming process that involves sifting through old invoices.
- Extra Expenses: A cyber-attack may cause you to incur extra expenses to keep your business operating. For instance, after a hacker damages two of your computers, you are forced to rent two laptops for your employees to use while your computers are being repaired.
- Loss of Income: An attack may also cause you to lose sales. For instance, a denial-of-service attack makes your computer system unavailable to customers for two days, shutting down your business. During the shutdown, your customers go to your competitors, causing you to lose income.
- Network Security and Privacy Lawsuits: A cyber-thief may steal data stored on your computer system that belongs to customers, vendors and other parties. These parties may sue your firm. For example, a cyber-thief hacks into your system and steals a customer's confidential file that reveals his sexual orientation. The hacker makes that information public and your customer sues you for invasion of privacy. Alternatively, a hacker steals information about a customer's upcoming merger. Because of the theft of the data, the merger falls through. The customer sues you, claiming that your failure to protect its data caused it to incur a financial loss.
- Extortion Losses: A hacker steals sensitive data (yours or someone else's) and then threatens to post it on the Internet unless you pay him a $50,000 ransom.
- Notification Costs: Most states have passed laws requiring you to notify anyone whose data was breached while in your possession. You may also be required to tell the victims what steps you are taking to remedy the situation.
- Damage to Your Reputation: A cyber-attack can seriously damage your company’s reputation. Potential customers may avoid doing business with you because they think that you are careless, that your internal controls are weak or that an association with you will damage their reputation.
Risks of Using the Internet
Many small businesses utilize the Internet. Perhaps your firm maintains a company website that it uses for advertising purposes or for educating potential clients about your industry. Maybe you sell products online or allow customers to sign up for your services on the Internet. Information you post on the Internet may be a source of lawsuits against your firm. For instance, a competitor alleges that you committed libel when you posted certain content. Alternatively, a competitor claims that you infringed on a copyright, trademark or other intellectual property right.
Little Coverage under Standard Property and Liability Policies
Most standard property and liability policies provide little coverage for the types of risks described above. A major problem with property policies is that they exclude electronic data under the definition of “covered property.” While some policies add back some coverage for damage to data, they may not cover damage caused by cyber-attacks.
General liability policies (like the standard ISO policy) mainly cover claims alleging bodily injury or property damage. Most cyber-attacks do not result in bodily injury or property damage, as these terms are defined in the policy. In addition, liability policies contain exclusions that eliminate coverage for many potential cyber claims. For example, Coverage A (Bodily Injury and Property Damage Liability) excludes damage to electronic data. Coverage B (Personal and Advertising Injury) excludes infringement of copyright, patent, trademark or trade secret.
As you can see, relying on standard property and liability policies as your main source of protection against cyber-attacks is a bad idea. A better course of action is to purchase a cyber liability policy.