Is Your Cyber Liability Coverage Up to Par?
January 29, 2020
By Senior Vice President Scott Lyon
If it is a simple rider to your current business insurance plan, the answer is probably not. Today, good cyber risk policies are stand-alone policies specific to cyber incidents. They are still affordable and the price will vary depending on what your company does, its revenue, number of users, and other factors.
SBAM has identified Cybersecurity as a key business issue and we are approaching this on three fronts: Education, Member Benefits and Public Policy. We understand how dependent our members are today on data and all things IT. From simple things like your contacts to more complex systems, understanding the risk – and, for this article, transferring that risk to a comprehensive insurance policy – is critical to your operation. Is your cyber-liability plan up to par? “Probably not” is the answer we get most often from professionals who understand the evolving world of cybersecurity. Like all forms of insurance, there are many considerations that you need to make along the way, including:
What policy limits are in place? Said differently – do you have enough coverage in place to cover the loss? What is your deductible? Are there things your policy will not pay for?
Does your policy cover your internal costs as well as the cost of hiring a third party to do the investigation and get your business back up and running? Generally, these are referred to as first and third party expenses. First party expenses are costs that your company directly pays.
Does your plan cover all attacks, including actions taken by employees, either intentional/malicious or unintentional actions? Is simple human error covered? Is the coverage territory worldwide? Today an incident can originate from anywhere in the world. Does your plan cover an act that originated in Russia, North Korea, Iran, China or anywhere else?
Are there any time limits on how soon after an incident occurs you must report it to the carrier? Many policies require that you report the incident within 60 days of becoming aware of the incident. Is your policy claims-made? Many times when phishing is involved, the actual breach occurs many months prior to the attack. Make sure your plan does not limit the timeframe to make a claim.
What carrier are you buying the plan from, what kind of reputation do they have, and in the event of a breach, are they easy to work with?
Diving deeper into the various components of cyber insurance, there are many considerations that you will want to understand and make sure that your current cyber policy covers. The following is a quick overview that you can use to assess your cyber liability coverage.
Network security covers your business in the event of a network security failure, including a data breach, malware infection, extortion demand, ransomware, or business email compromise. Network security coverage includes first party costs such as legal expenses, IT forensics, negotiation and payment of a ransomware demand, data restoration, breach notification to your customers, setting up a call center, public relations expertise, and credit monitoring and identity restoration for your customers.
If your company is like most, you are very dependent on technology to operate, and would be at a loss without access to your contact emails and phone numbers. Network business interruption coverage provides an answer. When your network, or even the network of a provider that is critical to your operation, goes down due to a cyber-incident, you can recover lost profits, fixed expenses and the extra costs incurred during the time your business was interrupted.
Errors and Omissions
Due to a cyber-incident, your IT system is down and you are losing productivity – the event could keep you from completing your contractual obligations and delivering services to your customers. E&O covers claims arising from errors in the performance of or failure to perform your services. This can include technology services, like software and consulting, or more traditional professional services like consulting, attorneys, medical professionals, engineers, etc. E&O coverage addresses allegations of negligence or breach of contract should this occur, and can include legal defense costs or indemnification resulting from a lawsuit or dispute with your customers.
Privacy liability coverage protects you from liabilities arising out of a cyber-incident or privacy law violations. These third-party costs can arise, for example, from liabilities required in a contractual obligation, all the way to regulatory investigations by governments and law enforcement. Privacy Liability coverage is important for most companies. Customer and employee information is sensitive and valuable on the dark web. Breaches or violations that expose this information not only threaten the security of those compromised, but also expose your business to liability.
Social engineering coverage is designed to protect companies from a mistaken funds transfer due to fraud. The most common example is when one of your employees is tricked into sending money from your bank account to a criminal hacker. Take four minutes and watch this video from Cisco.
Reputational harm is the continuing impact to your bottom line of a cyber-event due to brand reputation damage – something that harms the good name of your company. Coverage is usually limited to a specific period of time and includes harm to your brand following a publicized cyber event. Think about Experian and the damage done in their cyber-incident.
Technology Replacement – sometimes referred to as “Bricking”
Bricking covers the replacement cost of technology equipment that is rendered useless by a malware attack. If your laptop or server becomes a very expensive paperweight or a brick, you’ll know where to look for financial help in the replacement of lost/broken/useless equipment. Some coverages will even go as far as helping you upgrade the equipment to make it safer from future attacks.
Remember, no business is immune from the risks involved with a cyber-attack or breach of your information system. If your business is connected to the internet, your business is a target. Data breaches are on the rise; just ask Target Stores, the DNC, The Lansing Board of Water and Light, Michigan State University and the cities of Atlanta and Baltimore. While these are examples we all know, there are dozens of attacks on small businesses for every one of these. Today, it is not really a question of if your company will be a target; it is a question of when. How well your information is protected through firewalls and other security features, and how well your company is protected in the event of a cyber-attack by having the right cyber risk or cyber liability plan in place, will determine if your company survives or folds following an attack.
Scott Lyon is SBAM’s Senior Vice President. He can be reached at (800) 362-5461 or via email.