Technology is often viewed as an efficiency driver, but it also opens lawn and landscape companies up to significant financial risk if they do not have a cyber insurance policy in place.
“We have a lot of our clients’ vital information from emails to credit cards and knowing that in the event of a hack or other nefarious action we have some financial coverage provides a lot of comfort and peace of mind,” says Brian Mark, owner of CMS Landscape, based in Pocasset, Massachusetts.
Candace Funsch, a cyber underwriter who works with the Hilb Group of New England and their clients, notes that companies that serve commercial clients or high-net-worth homeowners may be viewed as more attractive because attackers assume those clients have greater financial resources.
“Many experts consider cyber insurance essential once a company stores customer data, processes electronic payments, uses cloud-based software, and has more than five to 10 employees with email access,” Funsch says. “At that point, the exposure from phishing, ransomware, or payment fraud becomes significant enough that insurance is strongly recommended.”
Common Cyber Threats
Systems like scheduling software, invoicing and cloud services all open your organization up to cyber exposure. Some of the common cyber threats that landscape companies are vulnerable to include phishing attacks, ransomware attacks, and data breaches.
Beau Bechelli, vice president of Evolve, a cyber insurance specialist, says the biggest exposure is business email compromise where fraudulent payments take place. This is where cybercriminals impersonate vendors or executives to redirect payments.
Another threat is when vendors or software providers have breaches themselves. Funsch says credential theft can occur when employees utilize weak or reused passwords.
“Landscape companies are often targeted because they tend to have fewer cybersecurity resources than large enterprises, but still process payments and store client information,” Funsch says.
Even with cybersecurity measures in place, social engineering can trick employees into providing credentials or clicking on a malicious link.
“The majority of cyberattacks generate from human error,” Bechelli says.
The Cost of Going Without Coverage
Cyber risk is now one of the fastest-growing threats to small and mid-size businesses. Funsch says attackers tend to target companies during busy seasons when staff are processing a high volume of invoices and payments.
Falling prey to a cyberattack could look like phishing emails tricking office managers into sending wire transfers or ransomware locking scheduling, billing or accounting systems, grinding your work to a halt.
Funsch says other common scenarios include email account takeover, redirecting customer payments or sending out fake vendor invoices through compromised email accounts.
“Even relatively small incidents can cost tens or hundreds of thousands of dollars,” Funsch says. “For smaller businesses, that level of unexpected expense can significantly disrupt operations.”
Without cyber insurance, businesses must pay for all cyberattack-related costs out of pocket, including:
- IT forensic investigations
- Data recovery and system restoration
- Legal and regulatory costs
- Customer notification and credit monitoring
- Public relations services
- Ransom payments (if applicable)
- Business interruption losses
“All it takes is clicking on a dubious email to plant the seed,” Mark says. “We work with a very good IT company to keep us up-to-date, but the security of the insurance is welcome.”
Shopping for Cyber Insurance
Mark recommends that fellow landscape companies invest in this form of insurance and not avoid it in an effort to cut costs.
“In this rapidly changing cyber world, the threat and vulnerability is always present,” Mark says. “Protect yourself just like you would for liability, auto and other critical insurances.”
When reviewing cyber insurance policies, key features to look for include:
- Ransomware coverage – Includes protection for ransom payments, negotiation services, and recovery costs.
- Business interruption coverage – Replaces lost income if systems are shut down due to a cyber event or system failure.
- Social engineering/funds transfer fraud protection – Covers scams involving fraudulent invoices or payment redirection.
- Incident response services – Immediate access to breach coaches, forensic experts, and legal counsel.
- Data breach response coverage – Pays for notifications, credit monitoring, and regulatory compliance.
- System restoration and data recovery – Covers rebuilding IT systems and recovering encrypted data.
While cyber insurance policies typically cover aspects like reputational harm, hardware replacement and forensic investigations, common exclusions include natural disasters, acts of war, state-sponsored attacks, known security vulnerabilities that were ignored or failure to maintain required security controls.
Bechelli notes that normal operating expenses are typically not covered by cyber insurance. For example, payroll during outages is not included under business interruption coverage.
Bechelli says a solid starting point for coverage is a policy with a $1 million limit.
“These policies are best placed ‘stand-alone’ versus added onto a policy via endorsement,” Bechelli says.
Funsch notes that as companies grow in size, their cyber risk tends to scale as well, so coverage for mid-size companies may range from $1 million to $3 million, while coverage for large multi-location operations is more in the $5 million-plus range.
“The goal is to ensure coverage can handle both ransomware recovery and business interruption, which are often the most expensive components,” Funsch says.
Mark says he currently pays around $4,500 a year and all the major areas are covered by Hilb Group of New England. Each year they are asked for their yearly revenue before renewing and they provide answers about many technical aspects of their IT system.
Similar to other forms of business insurance, most insurers require certain baseline cybersecurity controls to be in place.
Practices like having multi-factor authentication for email, secure password policies, antivirus software, regular data backups, and employee cybersecurity awareness training are all examples of safeguards insurers look for. Without these in place, coverage may be limited or declined.
Bechelli says one key mistake is assuming that all cyber insurance policies are the same.
“Work with your insurance professional to secure the cyber policy that fits your business,” Bechelli says. “Ask questions to help better understand your policy.”
Some of the restrictions to be mindful of include policies that exclude social engineering losses, low limits that don’t cover ransomware recovery, high deductibles that reduce practical value, and coverage that only applies after lengthy waiting periods.
What to Do If a Breach Happens
If a breach does occur, follow your insurer’s specific incident response procedures. Taking too long to notify them is a major mistake.
“It’s important that there is prompt notification so that the carrier is able to intervene timely and address the early critical needs,” Bechelli says.
Funsch says hiring outside IT or negotiators before contacting the carrier or paying a ransom without insurer approval can create coverage issues. It is also critical to preserve evidence for forensic investigation and accurately represent the security controls you had in place.
“Cyber insurance should be viewed as part of a broader risk management strategy,” Funsch says. “Even small companies are increasingly targeted by cybercriminals, and the combination of strong cybersecurity practices and appropriate insurance coverage can significantly reduce both operational disruption and financial loss.”




