What is Cyber Insurance and Why do You need it?

There's a lot of talk about cybersecurity these days. 

Security breach scandals of giants such as TJ Maxx and Equifax get lots of attention. They put cybersecurity in the spotlight. 

The risk is the new reality of our century. Think of the sheer amount of personal data stored online or on computers across the world.  

All this data coupled with the lengths the criminals will go to acquire it spells trouble.

Cyber Insurance

One of the most effective tools to protect your business is a cyber insurance policy. This kind of policy will shield you from the financial consequences of a cyber attack. Insurers design these policies to cover costs associated with mitigating the breach.

A cyber insurance policy seems like a no-brainer. But many business owners still doubt the necessity or effectiveness of such a policy.

Has insurance agent ever asked you if you want to buy a cyber insurance policy? If so, it's likely at least one of the following popped into your head: 

  • Nobody will go after a small business like mine.
  • We don't keep any personal data criminals would want.
  • We trust a third party provided to protect any personal data we do have so no need to worry.
  • The cost of the breach can't be that bad. The cost of the policy is not worth it.

Unfortunately, all these are common misconceptions. Many believe that criminals won't target small business. 

In fact, 90% of all attacks specifically target small businesses. We're just less likely to hear about it in the media.

Huge corporations like Apple devoted whole departments to data security. Yet even they are not immune to a data breach.

Small and medium-sized businesses often have no cyber insurance. They may have few if any protection measures in place. They may, for example, rely on antivirus software, which is often not enough.

A study conducted by the Ponemon Institute in 2017 revealed a staggering statistic. They found that an average cost a data breach to small or medium-sized business is a little over $2M. 

No wonder that many companies shut their doors within six months of a breach. They simply don't have the resources. It's too much to cover all the costs stemming from the breach and keep the business running. 

So what kind of business is at risk when it comes to a cyber attack?

Almost Everyone!

Short answer - almost everyone.

Do you - 

  • Sell your products online thus collecting payment information?
  • Store employee/vendor information including medical or Personal Identifiable Information (PII). Or other information that is protected by law, such as birth date, address, etc?
  • Does an international customer have the ability to purchase your products? A recently adopted European GDPR law comes into play in this case.
  • Are you located in a US State with a mandatory data breach notification laws?
  • Store personal information for past, current or prospective customers?
  • Issue company laptops or phones that have access to a confidential company? This includes any personal data.

Carefully consider whether any of these scenarios apply to you. If so, then you should consider a Cyber Liability Insurance policy.

Almost all businesses collect and keep some kind of sensitive information. It could be credit card information, passwords, or even something as simple as a full name and a date of birth. 

Cyber Insurance Coverages at a Glance

First, let's take a look at what exactly a cyber policy covers. The two primary coverage categories are first party and third party coverages.

First Party Coverage – 

First party coverage covers the costs resulting from a data breach incident. Below are the main costs your policy would cover:

Notification Costs: When a breach happens state laws apply. You must to notify everyone exposed to the breach. Even if you're not sure, you must notify those who might have been affected.

The laws identify the businesses that must comply and what they must disclose. As of right now, nearly all states have enacted mandatory notification laws. South Dakota and Alabama are the only exceptions[1].

It’s important to keep in mind what limits your carrier sets. Your policy may limit the number of individuals it will notify. Limits may also apply to the methods of notification and associated costs.

Create a plan with your agent to evaluate how many records you store and any growth projections. Make sure you update the insurance policy to minimize those possible out of pocket costs.

Data Breach Response: This coverage includes the above-discussed Notification Costs coverage. In addition, it includes forensic investigation cost and data restoration costs. It also covers the cost of a PR firm to mitigate negative publicity following the incident. 

H4 Business Interruption: This coverage pays for the income loss caused by the data breach incident. Typically Business Interruption coverage has a separate sub-limit. It is also subject to a waiting period before it kicks in.

We can't discuss Business Interruption coverage without touching on a Contingent Business Interruption coverage. This coverage becomes essential if you do not store any sensitive information yourself. You still face liability even if a third party hosts your data.

Now imagine that they got hacked. This coverage will cover any income loss you suffer as a result of that attack because your business' income is contingent on their operations.

Other notable coverages include ransomware extortion coverage and social engineering coverage. Please consult your agent to discuss your unique business risks and what coverages would be best for your situation. 

Third Party Coverage – 

Let's imagine that a house collapsed injuring someone due to a faulty design.

Now imagine that you were the architect who designed that house.

As a person responsible for designing that house, you would need a liability policy to cover a lawsuit that is likely coming your way. Third Party coverage component of Cyber Liability policy protects you in a similar way that a liability policy does. 

Where First Party coverage covers the costs to your business due to a breach incident, the Third Party coverage covers you against the lawsuits from those whose data you were responsible for keeping safe.

If you are a Tech or an IT company this coverage is critical for you. IT consultants should also have this coverage as they will be held responsible in the event of a data breach. 

A few other notable coverages are included in Third Party coverage component:

  • Data Security and Privacy - covers lawsuits that allege that you failed to properly protect the sensitive data of your employees, vendors or customers while in your control. The data could belong to your employees, customers or vendors.
  • Regulatory – covers civil or administrative fines and penalties stemming from breaching the regulations set forth by HIPAA, GLBA or PCI and so on. 

 

Non-Coverage Benefits 

 A Cyber Liability policy will help your business get back on its feet after a breach. This is a big reason to consider such a policy in the first place. 

However, it is not the only one. A Cyber policy provides a few critical non-coverage benefits that are worth mentioning. 

 

Evaluation and Maintenance of Security Standards: 

An underwriter will carefully evaluate your application. He or she will pay particular attention to the security measures you have in place. 

The underwriter may reject your application if you've failed to take specific measures. The process forces you re-evaluate and adjust your security measures. You need to do this on a consistent basis.

Proper security measures are the best way to prevent an attack from happening in the first place. Insurance is extremely important. But as the old saying goes, an ounce of prevention is worth more than a pound of cure!

Loss Control Services:

Many Cyber insurance carriers provide loss control/prevention services to their insureds. 

A loss control consultant can be invaluable in assessing your security and risk management plan. He or she will identify security gaps. Providing information on the latest ways to secure your data, etc. 

The two following benefits are the most important one. These are the ones that once the breach happens, make your life immensely easier and allow you to focus on running your business amidst the chaos of a claim. 

Experienced Attorneys

If a loss does happen and records are compromised, you might be facing lawsuits from the affected individuals. 

Depending on your policy wording, the insurer will provide you with an attorney. Or with a list of attorneys to choose from or suggestions of attorneys you could use if desired. Whatever option you negotiate,  an experienced attorney that knows cyber claims inside out.

Data Breach Response Resources

Besides an attorney, you will have a whole checklist of tasks that need to get done. A quick and nimble response will help you mitigate the disaster. 

You will need to notify affected individuals and appropriate regulatory authorities. You will also need to set up credit monitoring. At the same time, you must swiftly launch a PR campaign to combat bad press and countless other tasks. 

Your insurer will help guide you through this complex process. He or she will help make sure you complete all task promptly and correctly.

Conclusion

As you can see a Cyber Liability policy is essential. You poured your blood, sweat, and tears into your business and want to protect it. It's hard to imagine a cyber attack directed at your, but statistics tell us it's a real threat. 

Unfortunately in the digital day and age that we live in, a data breach incident is not only possible but is likely. 

An experienced insurance broker will help assess your unique exposures. Together you can find the right cyber policy to protect your business and give you peace of mind.

Do you keep any sensitive data in your computer systems? What measures do you take to protect it?

[1] Ref: BakerHostetler Law has put out a helpful document with all the laws broken down by state. https://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf

Kernan Insurance Agency

9932 Brewster Lane

Powell, OH 43065

 
Main office: 614-764-0121
Toll free: 800-718-2663
Fax: 614-764-0310
 

Office Hours:

Monday - Friday: 7:00 AM - 5:00 PM

Weekends: By Appointment