Cyber insurance is a hot business topic.
Have you considered a policy before but were nervous because you did not understand the coverage? Are you worried about the cost of a cyber insurance policy?
You are not alone.
The insurance industry has not yet standardized this type of coverage as it has with general liability and workers' compensation.
Your family and employees rely on you. You understand business risk and use insurance to mitigate that risk by carrying general liability, property and workers' comp coverage.
I want you to seriously consider adding a cyber policy to your insurance portfolio. I applaud you for not ignoring this emerging risk.
If your business is a technology-based business then the cyber risk is approached a little differently. Please see my article on how to cover your technology business.
I started paying attention to cyber insurance in 2016 when two of my clients had data breaches. I was nervous. Coverage was in place for both but I had never been through the cyber claim process.
Here is what I learned:
A Data Breach is Disruptive. Normal operations slow down. Access to systems and data is locked down while forensic investigations happen and data is reconstructed. Employees shift focus from day-to-day tasks to helping with the breach.
Time and Money. The process may take twice as long and cost twice as much as you expect.
The Pre-Incident Plan is Critical. Much like a fire escape plan, it works better if you make and distribute the plan BEFORE the fire. Creating a plan is critical. The good news is that a stand-alone cyber policy can help you develop and implement that plan.
I hope this provides some insight into why you should get a cyber insurance policy.
Cyber incidents introduce risk that is not covered by traditional insurance policies, like your General Liability policy.
You Need a Cyber Liability Policy.
What Does a Cyber Insurance Policy Cover?
- Breach Response and Mitigation Cost
- First Party
- Third Party Liability
FACT: Your Company is responsible for data given to it.
The number one rationale I get for not getting a cyber liability policy is that the company uses X cloud service (Amazon Web Services, Azure, and OneDrive); therefore, it is the cloud service's responsibility.
In truth your customer or client entrusted you with their data. You made the decision to use a 3rd party.
You do not escape liability when you use 3rd parties to store and manage data.
Three Types of Data For Which Your Company is Responsible
Personally Identifiable Information (PII): Social security numbers, driver's license numbers, date of birth, bank account information, etc.
Protected Health Information (PHI): Information relating to the provision and payment of health care that could be used to identify an individual.
Payment Card Information (PCI): Debit and credit card information.
Your company may have contractual obligations to protect certain data with key clients. I recommend a review of any statements of work or master service agreements for data breach or confidentiality requirements.
- Design plans if you are an architectural firm.
- HR files if you are a consultant.
- Business plans if you are a venture capitalist or executive consultant.
- Accounting Files.
Now let's turn to the coverage itself to explore how a stand-alone cyber insurance policy will protect and benefit your company.
What Does Data Breach and Mitigation Coverage Cover?
When a data breach happens to a company, there are actions that must take place. For example, a company must comply with notification laws. If the breach is criminal in nature, the company might also need to report the incident to law enforcement.
48 states currently (2017) have notification laws.
Key Point. You must comply with state law where the affected person is domiciled, NOT where your company is domiciled.
Cyber Insurance Coverage
Forensics: Cyber insurance covers the cost of determining the scope of the breach and putting an immediate halt to it.
Notification: Once the forensic team has completed their analysis work, the next step is to notify the affected people. This is generally done via email and in compliance with state laws.
Credit Monitoring: State law requires that a company offer credit monitoring as a remedy following a data breach. A cyber insurance policy will offer this service as well as provide call center support to field any calls from the affected people.
Public Relations: It is important to communicate with your clients and customers. It is an even better idea to have an advocate help you write your communications. These may include your email list, social media, or formal communique to your best client.
A cyber policy will offer all these services. Plus, the carriers that I represent have negotiated rates with service providers that your company can leverage, saving you time and money from the selection process.
First Party Coverage
This helps mitigate expenses that you might overlook, but that impact your business.
Data Restoration: Generally, companies must lock down their data while forensic investigations happen. Then data is reconstructed and restored.
Extortion Expense: If a threat involves attempts to fraudulently transfer funds, destroy data or disclose electronic customer information, the policy will cover these costs.
Business Interruption Expense Coverage
Cash is oxygen to a business.
Following a data breach, business operations stop or slow down, but your need for cash does not. This covers that gap; it is based on the previous years' profit-and-loss statements.
You might already have business income or business interruption expense coverage on another policy. However, you should be aware that a cyber event is generally excluded as a trigger for this coverage on your general liability policy.
Third Party Defense and Liability Coverage
This coverage is what separates a quality cyber insurance policy from the rest. Broad third party is generally found in stand-alone cyber insurance policies. That is why I recommend a stand-alone cyber insurance policy for most businesses.
Liability can come from several areas
Network & Information Security Liability
This is the most important 3rd party liability coverage to have. It provides coverage for claims that arise from unauthorized access to data. For example, a judgment, civil award or other settlements following the data breach.
It provides coverage for failure to notify of a data breach when required by law.
It provides coverage for transmission of a computer virus.
Regulatory Defense Expense
Provides coverage for governmental claims made as a result of network and information security liability.
Communications and Media Liability
Provides coverage for claims that arise from copyright infringement, plagiarism or defamation, libel and slander in electronic content.
These are value adds and can be negotiated in the policy. Here are the most important ones.
Pre-Incident. It is critical to have a cyber event plan. Where do you start? Who do you trust? The carriers I recommend offer pre-incident planning with 3rd party experts.
Vendor Negotiated Rates. When a breach happens you need resources. Another huge benefit to a stand-alone cyber insurance policy is negotiated rates.
Harm to Corp Reputation. Need to write a company-wide communication? Communicating the incident both internally and externally is critical. You will have access to a public relations firm that has experience with cyber events. They will help you and provide peace of mind.
What Does It Cost?
The short and honest answer is it depends.
But this is where it gets interesting. My guess? Not as much as you think. And finding out is easier than you think.
A small company might start in the $1,500 range.
Depending on the type of business, the type of data you collect and your control measures, the price can go up from here.
In 2017 the average cost of a cyber policy in Texas was between $5,000 and $6,000.
The good news is that I can work with you to get an estimate with as little as 4 pieces of information.
My Bottom Line
Cyber incidents happen every day. The days of ignoring this business risk are over.
A cyber incident is a legal issue. (FTC)
A cyber incident can be a criminal issue. (breaking into your network or ransomware)
A cyber incident can be a breach of contract with your best client.
A cyber incident can be grounds for action against the board of directors.
As with all business risk, you can self-insure, meaning not carry insurance to mitigate this risk.
I hope that I have explained in enough detail the different types of coverage that you will take the next step with me.
I look forward to hearing from you.