When data breaches hit Main Street

Everyone knows about the big data breaches that have hit Americans and their banks—the Targets, Home Depots, and others from the headlines. Most any banker can recite the names of the retailers or other firms whose infiltrations have cost banks big bucks and spawned lawsuits.

But what’s often lost is the local story, according to Timothy Francis, enterprise lead for cyber insurance at Travelers, citing industry statistics. There are 34,529 known computer security incidents every day in the U.S., Francis told attendees at a recent Travelers security briefing.

Many of these incidents—at least 62%—involve breaches of small- and medium-sized businesses, according to Francis, many of them Main Street firms that lack the technological sophistication that larger retailers and other big companies have (and still get hacked).

Further, they tend to not even know that they’ve been hit until they are told by an external party, often, a bank, according to Francis.

For smaller companies especially, “these things are stressful—they’re a wild pain in the butt,” said John Mullen, partner at Lewis Brisbois Bisgaard & Smith LLP Attorneys. Mullen specializes in privacy and data security issues and heads a team that serves as a collective “data breach coach” for firms hit by breaches.

And that’s just for starters. Mullen said that without cyber breach insurance, “it’s a small- and medium-sized company killer. In proportion to the size of the companies, the expenses can be pretty big.” Simply getting to the point of knowing that the company’s affairs are secure again can take time and expertise that may have to be brought in like paramedics. It is not unusual for attacks to occur on weekends and over holiday periods, experts at the event stated.

Mullen says it can take a while for even experts to tell management what got burned and what was spared.

To gauge the scope of the costs, Mark Greisiger, president of the NetDiligence consultancy, told listeners that the cost of recovering from a single breach customer record hit $956.21 in 2014. This was more than three times the cost for a breach in 2013, according to figures he cited from his firm’s own claims study.

Travelers released its 2015 Travelers Business Risk Index findings at the conference, recounted below. Next week more from the experts assembled by Travelers will be covered, including a recap of a simulated hack performed in a controlled environment right in front of the audience. (Read "Watching a Main Street data breach happen.")

Business risk survey data

Travelers reported that 58% of its survey sample worry about cyber risk today, versus 53% last year. Cyber security concerns have grown in magnitude, the study found. Now they rank as the second-highest concern, following medical cost inflation. In 2014, cyber worries ranked fifth.

(Among financial services companies, 80% cited cyber risk concerns, making this the top concern for this business segment. Costs of complying with laws and regulations came in second, at 65%, and legal liability came in third, at 63%. Interestingly, tech companies surveyed ranked cyber issues first as well, although only 56% reported that concern.)

“On the whole, businesses worry far more about malicious cyberattacks, such as viruses or hackers, than they do about system crashes or careless computing practices by employees,” according to Travelers’ report. “About one in 10 businesses believes it has been the victim of a cyberattack, including one in five large businesses.”

The report found that having sufficient financial resources to recover from data-related breaches was a concern among 43% of the sample. By business size, 39% of smaller firms reported this concern, versus 44% of mid-sized firms, and 45% of the largest companies.

Surprisingly, given what Francis cited above, while an industry survey found that one in five small businesses is targeted for a hack, smaller companies were least concerned about cyber security.

Only 45% of the smaller companies—those with fewer than 250 employees—worry about cyber risk, 60% of managers at mid-sized firms reported that concern. At the larger companies surveyed, 70% report cyber risk as a concern.

In spite of even the higher concern at larger companies, preparedness is relatively lacking. Only 33% of respondents have a cyber breach response plan in place. And only 39% have implemented programs of employee data protection or employee education in the risk and preventative steps.

Digging deeper into cyber concerns for the entire sample, 57% worry most about viruses. Other concerns: 51% worry about crooks infiltrating their bank accounts or financial control systems; 51% worry about systems crashing or otherwise being damaged; and 50% worry about hacks of their computer systems.

The greatest specific concern overall is about malicious and criminal attacks, at 55% of those reporting.