During a recent webinar on cybersecurity, I wasn’t surprised to find that most of my fellow panelists had heard the following comment from a client: “Why do I need a cybersecurity plan? I have insurance for that!” Unfortunately, many of these business owners may be in for a rude awakening in the event of a data breach. Cyber liability insurance is a relatively new product. Many policyholders (and even some brokers) are a little fuzzy on what it does, doesn’t, or might cover, so let’s have a frank conversation about it.
The Proper Role of Cyber Liability Insurance
Every business that holds personal or confidential information on its customers or employees likely needs a cyber liability policy. This coverage, however, should serve as your last refuge in the event of a cyberattack; it should NOT be your first line of defense. After all, you don’t drive recklessly just because you have auto insurance, do you? You wouldn’t go off on vacation and leave all the doors and windows of your home ajar because you have a homeowner’s or renter’s policy.
Likewise, failing to take reasonable precautions to protect the information entrusted to your care can significantly influence whether your cyber liability claim is approved. It can also determine how much compensation you receive. Increasingly, state governments are setting the standard for “reasonable” by enacting laws and regulations for cybersecurity and data privacy.
Cyber Liability Insurance Coverage
As with any type of insurance, what losses are covered and under what conditions is determined by the policy language. Your policy should address both first-party losses (suffered by your business) and third-party losses (suffered by your clients, employees, etc.). Ideally, your cybersecurity and incident response plans should dovetail with your insurance coverage, providing the financial resources needed to execute each step of the way.
When it comes to first-party coverage, a policy should include the following:
Even a suspected breach requires a huge allocation of resources to investigate. You may hire outside experts to handle the tech side of things, but they’ll still need participation from your subject matter experts to determine whether data has been lost or corrupted. Additionally, while the investigation is underway, your staff may not be able to access some or all of your systems.
Contingent Business Interruption
It’s not only your own information systems and networks you need to worry about. A breach or data loss by a third-party service provider or even a key client can also bring your team grinding to a halt. That’s why the NAIC’s Insurance Data Security Model Law requires oversight of such entities’ information security programs. Contingent business interruption (CBI) coverage reimburses you for losses caused by this kind of external event.
Loss of Income
Both direct and contingent business interruptions can result in a loss of income for your company. Your cyber liability insurance policy should reimburse you for some or all of the lost income.
Data Retrieval & System Restoration
Mention “cyber” and most people immediately imagine an attack by a malicious hacker, but mechanical failure can damage or destroy your data just as effectively. Additionally, a well-intentioned employee may accidentally overwrite or delete information. Replacing damaged equipment and restoring data from backups takes time and money. In many ways, corrupted data is more of a nuisance than lost data, because you must verify every file before trusting it.
Ransomware & Cyber Crime
Cybercrime is on the rise – especially with more people than ever working remotely. Ransomware attacks, in particular, are becoming more frequent and severe. Even a modest ransom is several thousand dollars, and criminals often punish victims for delaying or refusing payment by doubling or tripling their demands. They may publicly shame victims on the internet or social media to create maximum reputational harm and bully victims into paying. Additionally, because criminals often copy data before encryption, it may be sold or shared on the dark web even if the ransom is paid.
Just as a homeowner’s insurance claim can’t necessarily replace lost family heirlooms and memories, providing compensation to injured parties doesn’t always fully restore trust and loyalty. Especially in the era of social media, embarrassing details of a cyber event can seriously damage your brand, costing you current and future business.
Court Attendance Costs
In the event of a lawsuit, you and any employees involved in the initial event or in the investigation and recovery efforts may be called to give depositions, appear in court, or participate in mediation or arbitration. That means more time away from work.
On the third-party side, a cyber liability policy should cover the following types of losses:
Privacy Liability & Notification Costs
The NAIC’s model law requires you to notify individuals and entities whose information is compromised, whether the attack involves your own information system or that of a third-party service provider. This involves gathering the required information, sending the notifications, and responding to inquiries. Notifications also typically offer some sort of identity theft protection service at the breached company’s expense and/or compensation for damages. Your cyber liability insurance policy should cover the time and expense of notifying the affected parties.
Regulatory Fines & Legal Defense
This one’s pretty self-explanatory. Today’s cybersecurity and privacy laws require companies to prove how they tried to protect their clients’ data and to notify them in a timely manner when such measures fail. (The United Kingdom and California have some of the most stringent protections.) But with the pandemic increasing our reliance on the internet, any company can find itself at risk. We live in a litigious society, and clients may not be satisfied with a settlement offer. As far as regulatory fines go, there haven’t been enough actions yet to estimate fine amounts; but most cybersecurity laws include wording that allows enforcement to the full extent of the regulator’s authority. Your cyber liability policy can cover fine amounts and pay for legal assistance. Remember, though, that any negligence on your part can be grounds for denying a claim. You should carefully review your cybersecurity plan with qualified experts.
Breach Management Expenses
Responding to an actual or even a suspected breach is a complex undertaking. You must identify the source of a breach, determine the scope of the damage, get hardware up and running again, and restore lost or corrupted data. All this takes time and often a level of expertise that companies do not have, so hiring experts to help with investigation and recovery can get you back in business more quickly. Your cyber liability insurer should direct you to the appropriate crisis management experts and attorneys and pay for their services. (This doesn’t mean that your cybersecurity plan should rely exclusively on solutions provided by your insurer, of course.)
It’s common for cybercriminals to publicly shame victims on the internet or social media to create maximum reputational harm and, in the case of ransomware, to bully victims into paying. Today, they even send false press releases announcing attacks. Regardless of their validity, such reports must be investigated. The expenses of your IT and legal teams should be covered by your cyber insurance. Also, if information stolen from your system is published on the internet, you may be sued for copyright infringement or invasion of privacy. Therefore, your policy should provide financial protection in this case.
It Covers What Other Commercial Insurance Policies Don’t
Most businesses carry some form of general liability and/or property liability insurance. But according to the experts at Professional Risk Solutions, these policies likely “focus on physical damage to your property and clients. In many cyberattacks, the physical structure of the computer system is unharmed, however, no longer fully functional. Some policies include coverage for data property; however, it does not cover the financial obligations associated with a violation of your clients’ privacy.”
When You Assume …
There’s an old saying that goes, “When you assume, you make an ass out of you and me.” Obviously, cyber liability insurance is a complex undertaking. Don’t make assumptions about what your policy does and doesn’t cover. Reading (and understanding) an insurance policy is always important; when it comes to cyber liability insurance, however, it’s essential. Don’t be afraid to keep asking questions until you are clear about your coverage.