There are two kinds of companies: those that have been hacked, and those that will be.

Despite high-profile stories of companies getting hacked, many still make the mistake of thinking it won’t happen to them. Here are a few common cyber myths—and how you can combat them when offering cyber coverage to your commercial clients.

MYTH: Cyber coverage is just about hackers.

“Cyber” is one of the biggest misnomers in the insurance world because it implies that this type of coverage only pertains to your network and the data on it. Not true.

“The forms we sell address any type of confidential information in your possession, regardless of format,” says Katie Wilson, CNA vice president, underwriting. “It could be paper documents, a lost laptop or an employee sending an email to the wrong place—none of which has anything to do with someone hacking into your network.”

MYTH: As long as your network is protected, you’re safe.

It’s not just about protecting the data—it’s also about educating your employees. In the cyber age, everyone is a risk manager. Nick Graf, director of risk control at CNA, notes that one of the carrier’s differentiators is the guidance clients receive on information security policies.

“Employees can be the strongest asset or the weakest link,” Graf says. “The majority of these attacks usually start with some sort of employee mistake—opening an attachment, sending a file unencrypted.”

That means training employees about cyber risks is critical.

MYTH: Technology and health care companies are the prime purchasers of cyber coverage.

The insurance industry needs to broaden its perception of which commercial clients need cyber coverage.

“In the last year, professional services—accounting firms, law firms, architects and engineers—have definitely increased the level at which they are purchasing coverage,” Wilson says. “We’re starting to see some manufacturers purchasing coverage as their network drives a significant part of what they do these days.”

Graf agrees, pointing out that manufacturing and construction are two fields which will see increased cyber exposure within the next five years.

MYTH: If you’re following privacy notification laws, you’re doing enough.

With the exception of HIPAA information, notification after a breach is regulated at the state level. But if a breach occurs and the law requires no action, can a business survive the reputational harm?

“The No. 1 thing that differentiates CNA’s coverage is that if you have personal information hacked, we give you the option to notify whether or not there is a legal obligation to notify,” Wilson says. “You don’t get that option with some carriers. And we also don’t tie in our definition of personally identifiable information to privacy laws. We certainly will respond as a privacy law requires. But if you have confidential information that has been breached and it doesn’t fall within the parameters of a notification law, a CNA policy allows for voluntary notification.”

MYTH: Only big companies are at risk of a cyber breach.

Ransomware continues to grow exponentially year over year, and it’s hitting all organizations—from those in government to the private industry to one- or two-person doctor’s offices.

“The bad guys really don’t care how big or small you are,” Graf says. “It’s very likely that they can extract some sort of financial compensation for their activity. Regardless of the size of your company, I can promise that you will be the target of one of these attacks soon. And a single event without coverage could very easily be a business-ending event.”

Note: Only the relevant insurance policy can provide the actual terms, coverages, amounts and conditions for an insured. All products and services may not be available in all states and may be subject to change without notice. CNA is a registered trademark of CNA Financial Corporation.