When most people think of cybersecurity and data breaches, large government, financial, and retail entities typically come to mind. Since we tend to hear only of breaches at big-name entities, small businesses tune it out, thinking these are problems only larger organizations experience. The reality is quite the opposite. Tens of thousands of breaches occur each year and, based on available statistics, more than 75% of breaches occur at businesses with fewer than 200 employees. More alarming is that over 60% of those businesses shut their doors for good within six months of discovering a breach.
One of the main reasons companies go out of business is the lack of proper insurance. Either the company doesn’t have enough coverage or, more often, it doesn’t have the right coverage. When it comes to insurance, many people don’t realize there are a lot of different aspects to consider. Educating yourself on the types of coverage you might find in your policy and what they mean may make the difference in whether your company survives or becomes another statistic.
The first thing to note is that cyber insurance coverage generally has three components to focus on:
- first-party expenses and losses (the breached party),
- third-party liability (customer liability – wrongful disclosure of health, PII, CI), and
- regulatory proceedings (assessments, fines, penalties).
Some of the more common types of coverage include:
First-party coverage available:
- Theft and Fraud – Addresses destruction or loss of data as the result of a criminal or fraudulent cyber event, including theft and transfer of funds.
- Extortion Threats – This coverage commonly addresses ransomware-type costs. Ransomware attacks are very common right now and highly susceptible to social engineering attacks. Whether ransomware is covered here or under the replacement/restoration clause, your cyber insurance is not complete unless it covers ransomware and other extortion-related threats.
- Forensic investigation – Covers the forensic services necessary to determine whether a cyber-attack has occurred and to assess the cause and impact of the attack.
- Business interruption – This type of insurance compensates the company in the event the network is down for any significant time. Downtime may range from a few days to a few weeks, depending on the nature of the breach and how prepared your company is, so you probably want to have some coverage here.
- Computer data replacement and restoration – Covers the costs of restoring your data in the event of a breach, which can be costly, especially if you don’t have good backup and recovery procedures.
Common third-party coverages include:
- Cyber Breach Liability – Covers the costs from civil lawsuits, judgments, or settlements resulting from a cyber breach.
- Privacy Liability – Provides coverage for liability to employees or customers who have suffered a breach of privacy.
- Regulatory Response – This type of coverage addresses the services necessary in responding to governmental inquiries relating to a cyber-attack, including coverage for fines, penalties, investigations or other regulatory actions.
- Notification Costs – Covers costs to notify customers, employees or other parties affected by a cyber-attack, including notice required by regulation.
- Credit Monitoring – In the event of a breach, you will want to cover the costs of credit monitoring, fraud monitoring, and other related services to those affected by a cyber event.
- Crisis Management – Covers public relations expenses incurred to educate affected parties regarding a cyber event.
Cyber insurance is relatively inexpensive right now, but as you can see, there is a lot to consider when tailoring your policy. In addition to your insurance broker, consider working with legal counsel and a cybersecurity expert when considering your cyber-related coverages. Equally important is to understand your insurance provisions and disclaimers. As more and more incidents are reported, carriers are continuously looking for reasons to limit claim amounts. Some policies have windows for notifying the insurance carrier of a breach (e.g., 45 days from discovery) to ensure the claim is fully covered.