Cyber risk insurance – Does your company have the right plan in place?
June 6, 2018
By Scott Lyon, SBAM Senior Vice President
How does your company use technology in its day-to-day operations? If you are like most, you buy and sell products or raw materials online, store intellectual property online, communicate with customers and vendors by e-mail, and promote your business on social media as a normal part of your day. Unfortunately, each of these activities also gives hackers, cyber criminals and others who want information about your products, your services or your customers a gateway into your private information.
We know that each of you is in the "risk management" business. Every day you identify, evaluate and prioritize risks and decide where and how to spend limited resources, including your time and your money. Many of you also transfer risk through an insurance policy that provides a level of financial protection in the event of a loss, using coverages such as auto, fire, workers' compensation, errors & omissions and your business owners policy (BOP). Today, cyber risk insurance is becoming more and more popular, with premiums forecast to reach $7.5 billion by 2020.
According to PwC, roughly one-third of all companies in the United States purchase cyber risk insurance, and that number grows every day. If you have thought about buying cyber-risk or cyber-liability insurance for your business, or already do, this article is intended to help you examine what sets various policies apart from one another. Many insurance carriers offer cyber coverage either as an endorsement to an existing policy or as a stand-alone policy. Generally, your level of risk will dictate which is best for your business: the higher the risk, the more seriously you should consider a stand-alone policy.
Because there are so many variables, we have set this up as a series of questions that you can review with your insurance professional, check against your current policy, or look for in a policy you are considering. With that said, how does your plan cover:
- Forensic Investigation – Your business has had a cyber incident. Now what? Of course you want to get back up and running, but it is just as important to understand how the breach occurred and how it can be prevented in the future. Will your plan cover the cost of an investigation by a third-party forensic firm?
- Notification – If you have suffered a breach of customer information, every state requires you to notify the customers and vendors whose information was compromised, and some states require you to offer credit monitoring as well. The notification requirements vary by state, and you must follow the law of the state in which each affected customer resides, not just the state where your business is located. How does your cyber policy cover the cost of required notices?
- Lawsuits and Extortion – Today, one of the favorite tricks of cyber criminals is to hold your systems hostage until you pay a ransom. These ransomware attacks are becoming more prevalent, and many of them target small businesses. Add to that the cost of legal representation, settlements associated with the release of confidential information, and possibly regulatory fines. Does your current policy cover these risks? If so, how and to what extent, and are there any sub-limits?
- Business Continuation and Losses – The worst possible outcome following a cyber attack is that the business closes because of lost revenue, lost customers and so on. Most cyber insurance plans sold today include coverages similar to those in your errors and omissions policy: monetary losses while your information systems are down, loss of data, the cost of data recovery, general business interruption, and the hit to your business' reputation should all be covered expenses. You should have a firm handle on how each of these is covered in your policy.
- Negligence – Check your policy for language that limits coverage when your company has not followed a prescribed or implied set of cyber risk prevention practices. These could include vulnerability testing, proper installation and maintenance of firewalls, employee security protocols and other measures that limit the damage of an attack. Does your plan reduce or deny coverage if any one of these is determined not to have met the standards laid out in your policy?
Like most forms of insurance, there are other considerations you need to weigh along the way, including:
- Which carrier are you buying the plan from, and what kind of reputation does it have? In the event of a breach, is the carrier easy to work with, or is the claims process a pain?
- What is your deductible? Can you afford the deductible?
- Does your policy cover your own costs, meaning your internal staff time as well as the third-party firm you hire to investigate and get your business back up and running, and also claims brought against you by others? In insurance terms these are first-party and third-party coverages, and a policy may carry separate limits for each.
- Does your plan cover all attacks, including incidents caused by employees, whether their actions were intentional and malicious or unintentional? Is simple human error covered?
- Are there any time limits? Many times when phishing is involved, the initial compromise occurs many months before the damage is discovered. Make sure your plan does not limit the timeframe for making a claim or exclude incidents that began before the policy took effect.
Remember, no business is immune from the risks involved with a cyber attack or a breach of its information systems. If your business is connected to the internet, your business is a target. Data breaches are on the rise; just ask Target Stores, the DNC, the Lansing Board of Water and Light, Michigan State University and the City of Atlanta. While these are the examples we all know, there are dozens of attacks on small businesses for every one of these. Today, it is not really a question of if your company will be a target; it is a question of when. How well your information is protected through firewalls and other security controls, and how well your company is protected financially by having the right cyber risk or cyber liability plan in place, will determine whether your company survives or folds following an attack.