The news of cyber-related incidents continues to grow every day. At the time of this writing, the news of the Equifax breach is about a month old, and it’s still in the news every day with new revelations as to the extent of the potential damages. If it’s not Equifax, it’s a big retailer, credit card company, or bank in the news for releasing confidential customer data. Now more than ever, Cyber Insurance is a topic of conversation when it comes to business insurance.
I find that when these breaches occur, small and medium-sized business owners follow one of two thought processes. The first is “hackers only go after the big boys – I’m fairly safe. After all, what would hackers want with my data?” The second is: “Holy cow, this is scary, I better have the right protection.”
I’m not sure which category you may fall into, and maybe you’re somewhere in between, but it’s times like these that burying your head in the sand is NOT a good idea. The facts are clear: over 60% of data breaches happen at smaller firms. Hackers ARE interested in small and medium-sized companies because they are easier to infiltrate. Smaller companies don’t have the most sophisticated IT infrastructure to prevent a data assault. Large companies have entire departments of IT professionals constantly monitoring their systems, firewalls, and detection points to prevent a breach.
The other thing that happens with small and medium-sized businesses is that they don’t have the resources to thoroughly train employees on the best practices of cyber hygiene. That leads to data “leakage” or other disasters, such as an employee opening a phishing email that ends in a network lockdown, as with the CryptoLocker ransomware.
While insurance can provide protection for a variety of first and third party risks, which we’ll identify in a moment, we believe that getting your digital house in order is the first priority. Security and education are paramount. In fact, in order to get cyber insurance you’ll probably need to make sure you have at least the bare minimum of security in place before applying for coverage. While we are not experts in IT infrastructure and security, we do have resources that we can refer you to for help advising on, testing, and building out that security, scaled appropriately to the size of your firm. When it comes to training and educating employees on the digital risks, we have a library of documents, flyers, and policies/procedures we’d be happy to share with you to make sure your team isn’t leaving the door open to hackers and digital thieves.
If you’re ready for Cyber Insurance, let’s look at some of the basics:
1. First, no two cyber policies are identical. There is no standardization of cyber insurance forms within the insurance industry, so it’s critically important to work with an expert in this field to help customize the right protection for you.
2. Almost all cyber policies are broken into two parts: First Party Protections and Third Party Protections.
3. First Party Protections, as the name implies, are coverage parts designed to protect you and your firm. Included in many policies will be coverage for:
a. Protection for your digital assets.
b. Protection against business interruption losses should a digital event shut down your operation (think CryptoLocker or WannaCry), or shut down your website and prevent digital commerce.
c. One of the “big deals” in first party protection is coverage for the costs you incur following an event or breach, including the costs of notifying clients as required by state and federal law and of hiring a public relations firm to protect your brand and reputation following a breach. Other costs that are often covered are the expenses of a forensic examination of how hackers got into your network and of closing up those access points, along with other IT-related expenses.
4. Third Party Protections are going to be the big-ticket items like lawsuits, which often follow a breach or notification of a breach. Often, these lawsuits are formed as class actions, which become terribly expensive to defend against and can lead to multi-million dollar costs. In our litigious society, these sorts of legal events have the capacity to bankrupt a company for even a minor data occurrence/event.
What about my General Liability or Umbrella Policies?
Now you may be saying, “What about my general liability or umbrella policies, don’t they cover me?” The answer is NO, they don’t. There are some BOP (business owner’s policy) forms which can include some Cyber insurance, but typically at very low limits and for limited perils – don’t rely on one of these endorsements without reading it. In general, your liability and umbrella policies will not respond to a cyber event; that’s why you need a separate cyber policy to cover you for these hazards.
The good news is that Cyber Insurance is very affordable for the breadth of risks it covers. Most firms will purchase limits of $1M, but we recommend looking at what $3M or $5M may cost as well, depending on the size of your company. We also recommend taking a high deductible, and by high we mean at least $2,500, but you should look at $10,000. This will help keep the premium in check and give you more “skin in the game” to help prevent cyber losses. In fact, by increasing your deductible you may be able to afford higher limits of liability.
Have questions? Wonder what it would cost? Want to know more about what it covers? Let us know, we’d love to hear from you.