Cyber Insurance 101: Why You Need It

March 12, 2019

Your business is a ship. A fine, sea-hardened vessel with a hard-won reputation for providing safe passage to all aboard and timely delivery of cargo. Before the digital revolution, your greatest worries were weather and piracy. Now, cyberattacks on your own, your employees’ and your clients’ sensitive data are like an infestation of plague rats or termites hollowing the hull. They are unseen from without, festering from within.

Now imagine a ship made of steel with doctors aboard and antibiotics at the ready for the arduous voyage ahead. This is the equivalent of cyber liability insurance. It provides a safety net for the technologically unimaginable. Operating a business, on any scale, without adequate cyber security liability insurance is a mistake from which most do not recover.

Below, we’ll briefly define what cyber liability insurance is, outline the questions you should ask to decide whether it is right for your business, and explain how to find the right insurance coverage.

So, How is Cyber Liability Insurance Defined?

As data breaches and security threats become more and more commonplace, the market for risk management products aimed at protecting a company’s digital assets has grown rapidly in the last two decades. According to the Journal of Cybersecurity,

“Cyber insurance is a broad term for insurance policies that address first and third party losses as a result of computer-based attack or malfunction of a firm’s information technology systems.”

This insurance product is a relative newcomer, with the first reported product launching in 1998. Adoption of cyber insurance policies has been mostly unenthusiastic and understandably so; pricing policies were opaque and hard to quantify—most believed losses would be covered by their general commercial policy, and few insurers offered services underwriting such assets.

But not any longer. Protecting your digital data is yet another arena in which businesses must have solid footing to thrive in today’s market. Here are some quick facts as to the current state:

A digital cornerstone is becoming vital to all businesses, small and large alike. The nefarious, ever-evolving threats to your company’s most private information become more nuanced and persistent year over year. Bearing these truths in mind, enacting an informed, secure cyber infrastructure is in all business owners’ best interests. We’ll detail further how cyber security liability insurance plays a role in that infrastructure.

Does My Business Need It?

You may be asking, what does a cyber liability policy cover and does my business need it? Short answer, yes. We’re living in a technologically transformative age. More services pop up every single day, in every sector, promising some new means of better living through technology. Racing behind this breakneck pace of innovation are the ways these services are protected. That constant mad dash to keep up creates a middle distance that hackers are becoming skilled at exploiting.

Chances are, your business takes advantage of at least one of those services (possibly offers it to others). So why not be protected against it? Per the Insurance Information Institute, here are just a few areas of potential risk:

  • Liability – Potential costs incurred by customers (and other third parties) you are deemed responsible for remunerating in the wake of an IT-related or cyber attack.
  • System recovery – Restoration of lost or compromised data, recovery of hardware and software, operational costs if your system was shut down or inoperable during an attack.
  • Notification expenses – In several states, including California, if you store customers’ data, you are legally required to notify customers in the event of a breach or even just a suspected one.
  • Regulatory fines – Both state and federal regulations require businesses and organizations to protect their customers’ personal data. Should a breach occur, your company’s failure to comply with requirements may incur substantial fines.
  • Class action lawsuits – Massive breaches have led to class action lawsuits on behalf of those whose privacy and data were violated.

A product to mitigate that risk in the event of an attack, whether to recoup your losses or the losses of your clients, is essential.

What Questions Should I Be Asking?

Answer the following to get a baseline sense of your cybersecurity posture.

  • What would happen if all our records were stolen tomorrow?
  • Do we have third-party site back-ups?
  • Are there any individuals responsible for the collective cybersecurity of the company?
  • Of all our assets, have we ranked them from most sensitive (either to our business or to our customers’ privacy) to least?
  • Could we function should something happen at each of those privacy levels?

Answering the above honestly should give you a realistic picture of your strengths and of where there’s room for improvement. Bear in mind, most companies adopt a combination of services. A robust security infrastructure to limit cyberattacks (whether that be external malware protection, email decryption, redundant back-ups, or internally developed technology) is your first line of defense. In tandem with that, appropriate policies aligned with your budget and scope cover your business in the unfortunate event of an attack.

Next Steps On A Policy

When you’re ready to start shopping for an insurance policy, there are a few things you should know and do prior to sitting down with an insurer.

Range Of Coverage

Most businesses believe that general commercial liability insurance is what protects them in the event of a cyberattack; however, that is not always the case. Given that a cyberattack does not result in bodily harm or physical damage to a company’s assets, there are examples of claims not being fulfilled to cover the losses.

There are two general types of cybersecurity insurance: first-party and third-party. Below is a list of what each type covers.

  • First-party coverage – Covers direct financial losses to the business. Examples include:
    • Loss of transferred funds
    • Lost income due to business interruptions
    • PR costs
    • Reputation management expenses
    • Costs repairing or recovering corrupted or stolen electronic data
    • Extortion costs for ransomware attacks
    • Cost of repairing software or hardware
    • Cost of replacing systems
    • Cost of notifying customers
  • Third-party coverage – Covers indirect losses that result from third parties being impacted by the cyber breach. Examples include:
    • Negligence claims
    • Breach of contract claims
    • Libel
    • Slander
    • Defamation
    • Copyright infringement
    • Fines and/or fees from regulatory boards
    • Network privacy claims
    • Network liability claims

Generally, policies will present themselves through 5 umbrellas of protection. They are:

  • Privacy Liability – This is important for businesses that electronically store employee and customer information. A cyber breach might expose their personal data without their permission, which could create both first- and third-party costs. Privacy liability coverage shields you from being on the line for the costs arising from violations of privacy law or cyber incidents.
  • Network Security – One of the most fundamentally critical aspects of cyber liability insurance, this covers a business in case of network security failures caused by ransomware, data breach, or malware.
  • Media Liability – If you use online, social, or print advertising of your services, media liability covers intellectual property infringement as well as patent infringements caused by advertising.
  • Network Business Interruption – If your business is reliant upon technology and digital systems to operate, this is a must-have. An interruption to such operations could result in massive financial losses due to an inability for the enterprise to run as usual, or at all. So, when either your or your provider’s network goes down, you have the opportunity to recover lost profits, extra costs, or fixed expenses incurred from the interruption.
    • Some policies come with addendums for 24/7 services where a technical security expert will fix issues within hours of reporting a security incident.
  • Errors and Omissions – When you do business, you may enter either a tacit agreement or an outright one to provide your customers with your services in a timely manner. If you are considered to be a consultant and you make “promises” but are unable to keep them, E&O protects you from such failures.

Now that you’re aware of the five tentpoles, here are some tips for securing the best policy.

How To Secure The Best Policy For Your Business

As mentioned above, first you must understand the current state of your cybersecurity defenses. Ask the questions honestly and then, based on what you find, go back and do the following:

  • Itemize your digital inventory – Try to price out each asset and what its loss could do to your bottom line. The more specific you can be, the better you’ll know what limits of liability your plan should cover.
  • Identify your unique risks – Even after evaluating your cybersecurity as it is, dig into where certain risks could occur within your business model. Are there touchpoints in your pipeline where external parties control access to your assets? Could social engineering extract information at points in the workflow? Be specific.

When you speak with an insurer, they’ll begin by asking you to fill out a questionnaire to determine the current state of your cybersecurity. Answer it truthfully, but don’t be thrown if they assess your posture as weaker than it really is. This is important because it helps your insurer answer your question, what is the average cost of cyber liability going to be?

Being aware of your actual risk gives you a much stronger position when negotiating for adequate coverage options at a decent premium. Be sure to know your liability limits and sub-limits. McGuireWoods states,

“Perhaps the most important step a company can take to assess the value of cyber insurance is to compare the anticipated costs associated with a data breach with limits of liability available and the related costs… Estimates vary, but in 2011 the average cost of a breach was $5.5 million, and the cost per lost electronic record was $194.”

Other areas to look out for when negotiating a policy are:

  • Coverage start date – Make sure you get a policy that covers retroactive attacks. As the adage goes: it is not if you are attacked but when you find out the attack occurred.
  • Incident reporting – This is a language clarification. Ensure that your policy covers losses from the moment of attack, not from the moment it is reported. The potential losses to your business could be substantial, as most attacks are not discovered until long after the fact.

NOW Insurance as a Solution

After taking the steps noted above, you’re ready to speak to a provider like NOW Insurance. With your exposure in mind and areas of coverage you want, you can find a policy that fulfills your needs without crushing your margins.

Our team is standing by and ready to find the best policy for your coverage needs today.

Sources:
  1. Journal of Cybersecurity. Content analysis of cyber insurance policies: how do carriers price cyber risk? https://academic.oup.com/cybersecurity/article/5/1/tyz002/5366419
  2. Memphis Business Journal. Why you need cyber insurance and what you should know. https://www.bizjournals.com/memphis/news/2019/10/11/why-you-need-cyber-insurance-and-what-you-should.html
  3. Insurance Journal. As Breaches Rise, So Do Cybersecurity Pros’ Paychecks. https://www.insurancejournal.com/news/national/2019/08/08/535211.htm
  4. Insurance Information Institute. Cyber liability risks. https://www.iii.org/article/cyber-liability-risks
  5. McGuireWoods. A Buyer’s Guide to Cyber Insurance. https://www.mcguirewoods.com/client-resources/alerts/2013/10/buyers-guide-to-cyber-insurance.aspx
  6. Insurance Journal. Cyber Insurance Will Reshape Cybersecurity. https://www.insurancejournal.com/news/national/2019/10/11/545228.htm
  7. Istituto di Informatica e Telematica. A Survey on Cyber-Insurance.