The price of being connected
Sensitive new age … few small and medium-size businesses carry cyber insurance, although IT is central to most enterprises. Photo: Jim Rice
In the heat of the moment after losing a contract, an employee tweets a derogatory comment about a competitor, putting his firm at risk of legal action.
A company uses a photo on its website without realising it doesn't own the copyright, sparking a demand for compensation from the photographer.
A fire rips through a small business office, destroying the firm's computers and a customer database built up over many years.
Few small and medium enterprises (SMEs) take out cyber insurance, even in an age where IT is central to almost every business.
According to a recent report by risk advisory company Marsh, ''Cyber risks present new and different challenges and can have serious implications to a company's bottom line.
''Insurance coverage for cyber risks should be a significant and growing concern for companies.''
The managing director of loss adjuster LMI Group, Allan Manning, says cyber insurance is a relatively new type of policy and so is often overlooked by both businesses and insurance brokers. ''People just think 'it won't happen to me ' or 'it's just another insurance cost', and they don't really appreciate the risks,'' he says.
It typically covers two types of risks: technical, such as the loss of data; and content, such as the inadvertent breach of copyright or defamation on the web. Zurich and Chubb both offer policies in this area.
An account director at MGA Insurance Brokers, Andrew Faber, says small businesses should check their policies to see if they are covered. Computers themselves, worth just a couple of thousand dollars, are usually insured against loss or damage but the more valuable client and business data they contain often is not.
''It's what's on those systems and what's on the computers that's going to be more valuable,'' Faber says.
Small businesses can get cover to help recover lost data, such as the cost of a technician to try to restore a corrupted hard drive or, in the worst-case scenario, of having client data manually re-entered.
Companies can also be insured for content risks - information or comments that appear on their websites. For small businesses, this insurance is often included in management liability cover and will indemnify them against their and their employees' internet activities.
Small businesses often don't have full control of what appears on their website. The rise of blogs and social media means companies are at risk of posting defamatory comments and potential legal action. Small businesses don't have the resources to conduct legal checks on everything that goes online.
Faber says a client recently received a cease and desist letter from a solicitor representing a photographer whose work had been posted on a blog on the company's website. The company had not realised it breached copyright and took the photo down before further action but the case highlights the risk of a company website.
Small business insurance policies usually don't cover malicious programming, such as the introduction of viruses or data theft.
Because cyber insurance is a relatively new type of cover, insurers are still struggling to price the risks involved. However, that is likely to change as the policies become more prevalent in the coming years.
In the meantime, businesses need to manage risks by regularly updating virus software and backing up data, as information lost because of virus generally isn't covered.
''Most small businesses don't have the resources that a large business will for backing up records and having off-site storage,'' Faber says.
The director of broker Webber Insurance, Chris Webber, says when a client in the IT sector approached him recently seeking insurance against data breaches and the loss of client details, he struggled to find cover for them.
The businesses most at risk are online retail businesses that collect credit card, banking and other personal information. But Webber says adequate, affordable cover against malicious programming for SMEs is three years to five years away and businesses holding valuable and sensitive client information need to take their own security precautions.
The stakes can be very high. Electronics giant Sony estimates last year's breach, when hackers stole credit card details of more than 12 million users of its PlayStation Network, cost it $US170 million.
Questions to ask about internet liability
Does your company have a website?
Does your company collect personal information from visitors to the website?
Is any of the content of your company's website derived from third parties?
Could your website possibly include remarks about your competitors that could be perceived as unfavourable?
Could your website possibly include copyrighted material owned by another party?
Source: Chubb Insurance