It’s a business owner’s worst nightmare and the stuff of sci-fi movies: the cyber breach. You’ve worked hard to protect the integrity of your data through strict protocols, password encryption, and the latest antivirus software. Still, no one is immune to the threat of a security breach. And while it might be common sense to purchase general liability insurance for your company, that is not enough to protect you from a potentially devastating loss, should your information get into the wrong hands. In this blog, we have a Q & A with Brittany Mohr & Rachel Vicknair, on what cyber insurance is, how it works, and why you may need it more than you think.
What are the types of cyber or privacy insurance that a business needs to consider, and what does this insurance include?
Brittany: Most cyber insurance policies include network and information, communications and media, crisis management, security breach, and your defense. This includes hiring a PR firm, as well as the cost of notifying everyone whose record could have been breached. In the case that your company has been hacked, this insurance will also cover the computer fraud and it’ll pay to restore your data if it’s been lost or encrypted. They will also offer credit monitoring for a year. But the biggest part would be your defense, the cost of restoring your data, and notifying everyone whose records have been stolen.
Some people might think that this is all covered under their general liability insurance. Is there anything you can say to dispel that?
Brittany: Yes. There are a few specific exclusions for cyber liability that can be found on almost every single General Liability policy. It’s usually completely excluded; that’s why it’s imperative to get it separately. For example, one form says “Access or disclosure of confidential or personal information and data related liability” - that’s the exclusion that’s on General Liability policies. So unless you purchase this separate policy, there’s no way it’s covered.
Many businesses probably think, “Oh, we don’t have that much customer data. Do we really need this?” Do you think cyber insurance is important for all companies to have or only those in certain industries?
Rachel: Everyone faces this exposure. Now, there are some industries that are more expensive than others just because of the type of records that they have, but, like I mentioned earlier, this can happen to anyone at any time. It can start with an email address that looks exactly like the one you would email Brittany from, and there’s just one letter of your email that changes and this person clicks and opens the email and all of a sudden, their files are exposed. No one is free from a data breach. In fact, the odds a company suffers a data breach this year are more than 1 in 4. That’s a pretty high number, and they’re actually starting to target the smaller companies more than the bigger ones; the data says that small to medium sized businesses account for sixty-one percent of targeted hackers.
Brittany: No one is free from this exposure. Some of the main targets of thieves are Wage and Tax statements (W-2s, 1099s, 1095c) and also ACH transfers. Every business has these. As we mentioned before, the exposure is not limited to information shared on the computer – paper is also susceptible to being stolen.
What are some of the important things for someone to look for in a cyber liability policy?
Brittany: There is a long list of what coverage is available but some highlights to look for are network and information security liability, communications and media liability, regulatory defense, breach remediation and notification expenses, crisis management and PR, business interruption, computer program and data restoration, and fraud. Another coverage to consider asking about is the third-party liability and also the worldwide coverage. Different countries may have different regulatory requirements and your cyber liability exposure does not stop when you travel, especially if you use email on your phone.
On the flip side, whenever a company comes to get coverage, what does an insurance company look for in that company?
Rachel: The biggest indication for price is number of employees and annual revenue. Those are pretty much your two driving factors to develop your premium, but they also want to know what type of policy and procedures you have in place, such as if you back up your system, if you have a secondary server, that type of stuff. Also, they look at your procedures for hiring people, and their background checks, because a lot of the exposure is relative to your employees. Twenty-three percent of cyber incidents are the result of negligent employees and human error.
Do you see the need for cyber liability insurance growing in the future and, if so, why?
Rachel: Absolutely, especially with the targets being 1 in 4 right now and the cost increasing. We share everything online. More companies are starting to switch to paperless and, to be honest, the hackers are getting smarter than the technology to combat it, and that just makes everything so much harder. It’s harder even to trace them now because they want to get paid in bitcoin. I can also see the laws changing, as big breaches like Target and Equifax are starting to affect so many people at once. I can see new, stricter requirements for these big companies to let people know sooner about breaches. There are huge penalties as it is, if you don’t let people know by a certain time, but I can see those laws driving up the expense, and the need for cyber insurance to continue to grow.
Can you make a business or financial case for a company to get cyber insurance? Why does it make sense in the long run?
Brittany: Recent studies for 2017 show that data breaches cost organizations an average of $225 per record compromised. And I think people have a misconception of what this all is. It’s not just data that’s sent over the internet; it’s paper, too. And that’s who the hackers are targeting: the people who don’t have proper firewalls or security or even processes for shredding paper. Imagine somebody being in your store and you leave a box lying around and they just take it. Well, if there’s a name and address, a social or driver’s license number, that counts as a breach of data. Or what if they get lucky and grab a box of your W-2 records? You’re now legally responsible to notify all those people who could potentially be involved.
So that falls under cyber liability?
Brittany: Yes, for sure. It’s not just what you’re communicating over the internet, and it’s as easy as your name, your address, social, or your driver’s license. And when you look at the cause of losses, there are a lot of options. There’s employee theft, human error, you lose a flash drive, your server was hacked, your suitcase stolen, your car jacked, you lost paper. Cyber insurance also covers loss of revenue, especially in the type of kidnap and ransom of data schemes, where your computer will get encrypted and no one can work for that day, so you just lost two full days of revenue while also paying your employees even though they could not work.
Is there anything else you would like to say to help people better understand cyber insurance policy?
Rachel: The ultimate purpose of cyber coverage is to protect data. That’s what it’s about: cyber is protecting your data. Another reason these policies can be so beneficial is they also offer pre-breach services. So before you even have a hack, these insurance companies will help you monitor your existing systems and help put new procedures and protocols in place. They will offer security checks, they have consulting available, and they can give you a readiness assessment. All of this helps because it’s all about mitigating your loss. And that’s what insurance is all about. Doing your best to prevent a loss before it happens.