In light of the recent cyber incidents, small and medium-sized business owners should be looking at their cyber readiness and asking, “Am I safe from cyber attacks?”
Unfortunately, for many businesses, the answer is no. The Huffington Post wrote an article on the issue and I think that some of the points that they made are worth repeating.
According to the National Cyber Security Alliance, one in five small businesses falls victim to a cyber attack each year. Of those, 60 percent go out of business within 6 months.
There are likely a few reasons for this. First, small and medium businesses are likely not to have a cyber risk plan, are less likely to have good security controls, are less likely to focus on good security hygiene and are less likely to have a plan in place if a breach occurs.
Second, small and medium businesses likely don’t have cyber risk insurance and, if they do, the limits are inadequate. The costs of dealing with the breach put them out of business.
Using my poster child, Sony, as an example, here is what is being said. Scale the numbers up or down for your business size, but the results are the same.
They had a cyber and media liability policy but because of previous claims, their current insurer declined to renew it. They went to Lockton and obtained a $20 million policy with $10 million in self insurance (meaning Sony pays the first $10 million, then insurance covers the next $20 million. Above that, Sony is on the hook).
This year, they got a new $10 million policy from AIG and then a month later they hired a different broker, Marsh, to review their options.
They selected a $60 million policy with $5 million in self insurance.
Given Sony’s size, $60 million is WAY undersized and as we are seeing from the events of this month and last, Sony is going to be writing a large check out of their checkbook.
The article reports on a business impact analysis at Sony done in 2008 – hopefully they have done one since, but maybe not – and it reports that various systems have an impact of anywhere from $2 million a day to $6 million a day for outages. Almost all systems were down for a week and even if you exclude weekends, the four systems listed in the article, if down, cost Sony over $13 million a day. Times 5 days for that first week. That is a $65 million impact.
Those numbers are from 2008 and Sony is likely more dependent on technology now, so those numbers are likely low, possibly very low.
Add to that the cost of remediation, the fact that many of those systems were down for more than a week, the P.R. impact, loss of sales, replacing employees who leave because of the incident, lost ticket revenue, lawsuits and fines and you can quickly see that $60 million is not enough.
The moral of the story is that every business should be doing a cyber risk/business impact analysis and planning exercise on an annual basis and then doing remediation as needed. Nobody wants to be in that 60% of businesses that fail after a cyber breach. Plan ahead.