Cyber Insurance – What Does It Cover and Why Do You Need It?


by Jeff Cavignac, CPCU, RPLU, ARM, MLIS

Introduction

Twenty years ago, no one had heard of Cyber Insurance and a hacker was someone with a cough.  As recently as 10 years ago, many people still did not know how exposed they were to clandestine attacks on their data.  Today, however, just about every business owner knows that their data is at risk and that the costs can be huge.  Data breaches occur every day, and not only to large companies like Yahoo, eBay, JP Morgan and Home Depot.  Every company is at risk, big or small.  Small Business Trends estimates that 43% of cyber-attacks focus on small businesses (those with 100 employees or less) and that 60% of small businesses go out of business within six months of a cyber-attack. These are scary statistics!

Unfortunately, the “it won’t happen to me” attitude is still prevalent and many businesses, especially small ones, are not allocating any dollars toward prevention or insurance.  The good news is that insurance is available, coverage is fairly broad, and costs are reasonable.

Cyber Insurance – What Does it Cover?

The term cyber implies coverage only for incidents that involve electronic hacking or online activities, when, in fact, this product is much broader, covering private data and communications in many different formats – paper, digital or otherwise.  While all cyber policies are different, a well-constructed policy will include a number of first-party and third-party coverages.  Ideally, your company would want its cyber policy to provide protection for the following:

Privacy Liability or Security Breach Expense – Privacy Liability coverage should include the unauthorized release of Personally Identifiable Information (PII), Protected Health Information (PHI), as well as corporate confidential information and programming errors that result in the disclosure of another’s PII.  Covered expenses would include costs incurred to notify others that their personal information has been compromised, including overtime salaries paid to employees dealing with the issue, fees and costs of a company hired to operate a call center, post-event credit monitoring services, and other reasonable expenses.

Security Breach Response Coverage (aka Public Relations Expense) – This is a first-party coverage that reimburses an insured for costs incurred in the event of a security breach of personal, non-public information of their customers or employees. It might include the hiring of a public relations consultant to help avert or mitigate damage to the insured’s brand.  It could also include things such as IT forensics, customer notification, and first-party legal expenses to determine the insured’s obligations under applicable privacy regulations.

Security Liability Insurance provides coverage for:

  • The inability of an authorized third party to gain access to the insured’s computer systems;
  • The failure to prevent unauthorized access to or use of a computer system, and/or false communications such as phishing that result in corruption, deletion or damage of electronic data, theft of data, and denial-of-service attacks against websites or computer systems of a third party; and
  • Liability associated with the insured’s failure to prevent transmission of malicious code from its computer system to a third party’s computer system.

Privacy Regulatory Coverage – extends coverage for both legal defense and the resulting fines or penalties emanating from a regulatory claim made against an insured alleging a privacy breach or a violation of a federal, state, local or foreign privacy statute or regulation.

Multimedia Liability Coverage – provides coverage against allegations that include defamation, libel, slander, emotional distress, invasion of the right to privacy, copyright and other forms of intellectual property infringement (patents excluded) in the course of the insured’s communication of media content in electronic (website, social media, etc.) or non-electronic forms.

Cyber Extortion and Ransom – protects insureds from expense and payments to a “bad guy” in order to avert potential damage threatened against the insured such as the introduction of malicious code, system interruption, data corruption or destruction or dissemination of personal or confidential corporate information.

Business Income Loss and Digital Asset Restoration Coverage – provides coverage for lost earnings and extra expenses incurred because of a security compromise that leads to the failure or disruption of a computer system, or an authorized third party’s inability to access a computer system. Often this is one of the most significant costs.  Costs to restore or recreate digital (not hardware) assets to their pre-loss state are provided for as well.

Website Publishing Liability – Nearly everyone has a website these days. This coverage protects you from liability arising out of information posted on your website, which might include actual or alleged misstatements, infringement of another’s copyright, trademark, etc., or violation of a person’s right to privacy.

“PCI-DSS Assessment” Exposures – The Payment Card Industry Data Security Standard (PCI-DSS) was established in 2006 through a collaboration of the major credit card brands as a means of establishing standardized security best practices for the secure processing of credit card transactions. Merchants and service providers must adhere to certain goals and requirements in order to be PCI compliant, and, under specific agreements, a breach of those terms may subject an insured to an assessment.

Cyber Deception or Social Engineering coverage – provides coverage for the intentional misleading of the insured by means of a dishonest misrepresentation of a material fact contained or conveyed within an electronic or telephonic communication and that is relied upon by the insured believing it to be genuine. This is commonly known as spear-phishing.

Computer Fraud and Funds Transfer Fraud – both of these coverages pertain to theft of your assets by manipulation of your computer system or the computer system of your bank.  These should be included as part of a comprehensive crime program; accordingly, they will not be discussed in detail here.

Final Comments

Another advantage of a quality cyber insurance product is the Help Line they provide.  Most businesses that are hacked have never been hacked before and the ability to speak with a consultant or attorney who specializes in data breach events is a huge benefit.

As mentioned before, the cost of cyber insurance is fairly modest.  While costs vary depending on the type of business, most small businesses can expect to pay from $3,000 to $6,000 a year for a $1,000,000 policy.  Costs for medium and larger businesses will gravitate higher but are still considered reasonable based on the exposure.

Data breaches, privacy violations and other hacker-generated losses are not going away.  Cyber thieves are getting more sophisticated and every business is exposed.  At a minimum, your company should complete a cyber insurance application and obtain a quote.  Even if you elect not to buy the coverage, completing the application will provide insight on how you can manage the exposure.