What to look for when buying a Cyber & Data Breach Liability policy

Posted by Matt Simon on Dec 10, 2015

Why is everyone talking about Cyber & Data Breach Liability insurance? Why is it so confusing? The answer is simple: the cyber risks businesses face today, and the insurance coverage available to address these risks, are a whole new animal. And most importantly, all Cyber Liability Insurance policies are NOT created equal.

First, it may help to understand where we are from an insurance industry perspective. The policies in use today are largely the same as they were 50 years ago. Minor changes have been made over time, with exclusions added for things like mold and terrorism as these risks became more apparent, but by and large the policies are mostly unchanged.

These policies have been court tested, time and time again, and nearly all insurance companies have adopted the same language as the standard in the industry.

Cyber, on the other hand, is anything but standard. Each company offering coverage has developed their own list of coverage options available and exclusions included, which is great for consumers because so many different options exist.

However, it presents a challenge in that no standard cyber policy is available that consumers, Insurance Advisors and even court systems can use as a benchmark.

The importance of actually reading an insurance policy has never been more critical.

Cyber insurance is hugely complex, and since each policy is different, only a Licensed Insurance Advisor is equipped to assist you in developing the specific policy to adequately protect your business.

Understanding cyber insurance coverage

Cyber insurance typically reimburses the costs you incur in the event of a data or information breach. Costs vary considerably depending on the circumstances, the types of perils involved and the extent of the damage caused.

For example, having your credit card transactions skimmed for a week is vastly different from being sued by a competitor over comments made by an employee's family member on social media – which, interestingly, has already happened!

As mentioned previously, there are no standard cyber insurance policies. Insurers offer a wide variety of options, but each is distinct.

We strongly recommend reviewing your basic exposures, as outlined below, and then matching your needs to the policy best suited for your business. A Licensed Insurance Advisor can help you with this process.

First party costs:

Coverage options in this section of a policy are designed to respond to losses sustained directly by the business (the first party – you).

Oftentimes, when a business experiences a data breach, it also suffers loss or damage to its internal systems. For example, if a virus infects your email and it’s distributed to your entire network, you could be looking at two distinct exposures:

  • You could be liable for the damage caused by the virus to other networks (this would be a third party exposure).
  • Your internal system would need to be repaired, which is referred to as a first party exposure.

Examples of first party exposures include:

  • Business interruption and extra expenses – a breach occurs that causes your business a loss of income until systems are fully restored. This coverage is designed to reimburse you for your loss of income (business interruption) during that period of time, as well as the costs you incur (extra expenses) to minimize your downtime such as the costs to repair, replace or restore your data.
  • Dependent business interruption – if you rely on the system of a third party to conduct your business, and you would suffer a loss of income if that system were unavailable, you might consider including this coverage in your policy. If you use a cloud-based system, check the contracts: it’s unlikely they will pay for your ‘loss of profits’ even if they eventually restore your data and your functionality.
  • Extortion – in this situation, your personal data is the hostage. You receive a threat demanding compensation or your compromised data will be released. A cyber insurance policy could pay the ransom amount so you get your data back.
  • Data reconstruction and system damage – costs you incur to retrieve, restore or replace your computer programs, systems or data.
  • Reputational harm and public relations – even when a data breach causes little damage to internal systems, public knowledge of the breach can have far reaching implications detrimental to the reputation of the business.
  • Regulatory actions and investigations – costs, expenses, fines and penalties resulting from a regulatory investigation.
  • Breach Notification Costs – expenses you incur to notify customers about a breach.
  • Computer crime – this is the fastest growing law enforcement issue… why? According to FBI Special Agent Corey Collins, “because it’s easier, safer, pays better and if caught, the penalties are significantly less.” For example, walk into a bank with a gun and get away with the average heist (about $2,000) and you’ll do a minimum seven years in jail. Conversely, steal $250,000 online from the same bank and your first offense is a measly six months in jail.

Third party liabilities:

In these situations, the insurance company is making a payment to someone else because of the damage they suffered, which was in some way caused by you.

In our previous example where your email is infected with a virus, and is distributed to your entire network, the damage caused to the systems of those who opened your email would be a third party liability.

Examples of third party coverage options include:

  • Cyber liability – a loss arising from a hacking attack or a virus that originated from, or passed through your computer system.
  • Privacy liability – a breach of any personally identifiable information, including credit card information, personal healthcare information and employee personal information.
  • Breach notification costs – if you incur a breach that results in one of your clients being responsible for notifying all affected individuals.
  • Multimedia liability and advertising injury – defamation, emotional distress, intellectual property rights infringement or invasion of rights of privacy.

Tailoring a Cyber Policy to your business

Although there are no official industry standards for cyber insurance, there have been major strides in recent years to establish some.

The National Institute of Standards and Technology (NIST) offers a comprehensive overview of the current state of cyber risk management.

Adherence to these standards is currently voluntary, but many experts believe that the NIST recommendations have become the unofficial industry standard for cyber risk management.

Still, with the breakneck pace of technological evolution and increasing pressures to digitize data, most businesses are already vulnerable.

The best way to protect yourself and your business is to conduct a risk assessment and identify any gaps in your coverage. Here are a few things worth looking for:

Understand the coverage that you have, and the coverage that you don’t.

Many people might make the mistake of assuming that a Commercial General Liability (CGL) policy covers losses in the event of a cyber-attack. However, assumptions like that can be dangerous and costly, as many CGL policies specifically exclude electronic data.

Take the time to review your current coverage and identify any exclusions that might leave you vulnerable.

Understand your company’s specific needs.

Companies vary in their use of, and dependence on data. For instance, customer data held by financial or health care businesses is comparatively more valuable to criminals.

Other companies, like online merchants, may potentially suffer greater losses as the result of an attack that crashes their website or interrupts service.

Different policies have different limits, sublimits and exclusions for different types of losses, so it’s important to work with an expert who can find exactly where you’re vulnerable, and what type of coverage best meets your needs.

Consider retroactive coverage.

Unfortunately, cyber breaches often go undetected for a long time. As a result, a policy that only offers coverage for breaches occurring on or after the date of inception (which is a fancy way of saying ‘the date your policy begins’) might leave you vulnerable to a cyber attack that hasn’t yet been discovered.

To mitigate your liability as much as possible, get coverage with the earliest possible retroactive date, or even better, a policy that provides ‘prior acts coverage.’

If you’re able to accomplish this, you will have coverage for breaches that occurred prior to the date that you actually purchased the policy, as long as you weren’t aware of the breach at the time you started your policy.

Obtain coverage for third-party vendors.

Many businesses outsource their data processing or storage to a third-party vendor. This is a smart move, especially if you aren’t equipped to handle the IT side of your business.

Unfortunately, it may leave you liable for damages if the actions of that third party are responsible for a breach.

One of the most common mistakes we find when working with clients is the belief that when their data processing & storage (from data stored in the cloud to credit card payments that are handled by a 3rd party provider) is outsourced, they’re relieved of any liability.

Not so.

Even if the breach occurs to your vendor, and not to you directly, you still have federal, state and local laws with which you must comply regarding notification of your clients, credit monitoring, etc.

Make sure you have coverage for the actions or omissions of third parties with whom you do business.


We can help

Regardless of the amount of time dedicated to security, or the sophistication of controls, data breaches continue to occur at an alarming rate. Hackers are increasingly targeting small businesses that may not have robust security measures in place.

Standard insurance policies in existence for decades were never designed to provide coverage for these new types of losses. Most policies provide no coverage at all, and even if coverage is provided, it’s extremely limited.

What’s the solution?

A standalone policy dedicated to Cyber Liability and Data Breach risk ensures there is coverage not only for legal expenses and liability, but also direct costs you incur to address the breach such as damages to your system or even extortion.

If cyber insurance still seems confusing or you want to speak with a Licensed Insurance Advisor about getting a policy, just give us a call or Request a Proposal. We’ll be happy to discuss your options and help you design a Cyber Liability insurance policy that's right for you.

And if you need more information about the risks businesses are facing, as well as strategies you can implement today to help reduce your risk of a breach, download our eBook.

 
