We will discuss an issue that perhaps you haven’t thought of insuring – protecting your business against cyber attacks.
> Check out the “Buzzing with Bryson” podcast
With over 20 years of experience in the insurance profession, Guida Leyland balances being highly knowledgeable with a spryness that drives her to continue learning and growing.
Cybercrime will cost the global economy more than $10.5 trillion a year by 2025! As such, businesses must take cybersecurity seriously. Part of this is ensuring you have cyber liability insurance in place to protect you should a cyber-attack occur.
Do companies realize the real threat out there?
It is a topic that most businesses are still not taking seriously. The threat is real, and it can cost a company its future. Imagine being a business owner and deciding not to grow because you need funds to resolve a cyber incident or, even worse, deciding to shut your business down because the cost of the cyber incident is just that great.
Why do companies still object to cyber insurance?
The mentality that “it will never happen to me.” A few years back, Ciaran Martin of the UK’s National Cyber Security Centre came up with the saying: “it’s not a matter of IF you will experience a Cyber Attack but rather when.”
Objections we hear include:
I’m too small of a business
Hackers target everyone, regardless of size. They don’t see you on a human level; it is just a transaction for them. Smaller companies tend to be more vulnerable: less IT support, less employee training, fewer protocols. These smaller companies do not make the news, but that doesn’t mean they are not being targeted.
I have the best IT
We hear this a lot. Questions we ask:
- Have you received confirmation that your IT has sufficient insurance in place if something happens?
- How long will you have to wait for the IT company to provide financial support payments if an incident does happen? Would you end up having to sue them?
- Over 40% of cyber-related incidents are caused by human error (not IT issues). What protections do you have in place to mitigate this risk?
The cyber insurance application is too long
Some cyber insurance applications are surprisingly short. Determining the appropriate application depends on the situation.
The more specific applications can ask questions that the business is unsure how to answer. Generally, your IT company or IT personnel would be best placed to complete the application, and they should be able to return it rather quickly.
If nothing else, the application is a tremendous cyber risk audit. Many companies learn simple things they can do to reduce their risk just by going through the application.
The application can indicate protocols that you should have implemented or be implementing. An example of a new request is Multifactor Authentication. Many insurers are asking Clients to adopt
What does cyber insurance cover?
That’s where your insurance risk advisor (think of them as your business partner) gets to provide you with advice. Not all cyber insurance products are the same. Wordings vary between insurers, and more importantly, so do coverage and limits. What one insurer is willing to insure could be different from the other, and price should not always be the deciding factor.
We recommend an open dialogue between you, the business owner, and your insurance advisor to determine your specific insurance needs – not all businesses operate the same, so all do not require the same coverage considerations.
First Party coverages
This jargon can be confusing. Instead, think of yourself, the business owner, as the first party. What coverage would you want to protect your business if there is an incident?
Coverage under first-party includes:
- IT Security and Forensic Costs
Would you know where to begin post-cyber-incident? Where did the Cyber incident start? What was the source? What information has been obtained? Was it only encrypted locally, or did they steal the data from the servers? Do we need a forensic team to investigate? Who do we call?
- Cyber Incident Response Costs
As soon as a breach is identified, you can call a Breach Coach to guide you on the next steps.
- Fines, Penalties, and Assessments
Businesses can face hefty fines if they are found to be non-compliant with Privacy Laws, including reporting incidents/keeping logs of potential incidents where another party’s personal information has been breached (something as small as inadvertently sharing one client’s information or file with another client).
- Business Interruption Coverage
What if your business couldn’t operate? We have seen this with shipping companies where their logistics software was compromised. Maybe you can’t take orders, your phones don’t work, you can’t open your doors; you are essentially shut down. This could go on for days, a week, or even weeks. Do the math: what would that cost you in lost revenue?
How do you even begin to figure out how to resolve this?
Think of your customers as one example of a third-party, a party other than you. Typically, you would want to evaluate your exposure as it relates to these third parties in areas such as:
- Privacy Breach Liability
This is when you are sued due to a breach of your client’s personal information. This could easily run into the millions.
- Credit Monitoring Costs
After the notifications have gone out to your clients advising of a breach of their personal information, they will be concerned about their personal credit being affected. Some policies offer this protection with a 24/7 credit monitoring call center.
I’m not even touching on several other important coverage considerations today. These coverages are also critical to the continuation of your business after a breach.
Are there specific cyber incidents that are excluded?
This is where your insurance advisor can help you navigate your needs and the many Cyber Wordings available. Questions to ask include:
- Does the policy insure us if all our information is in the Cloud or our IT company handles everything, including if the information is maintained on their server?
- Does the policy insure us if client funds held in our possession are transferred from our account?
- What if one of my customers pays a fraudulent invoice – is this covered?
- What if the Cyber incident was caused by a Rogue Employee – is there coverage for this?
Not all policies are the same, and what is excluded with one insurer may be available with another insurer.
What are the costs of a cyber incident?
This question is hard to answer as it varies depending on the Cyber incident. Standard expense lines include:
- Forensic investigations
- Notification Costs to your clients
- Replacing Computer Hardware
- Fines, Penalties/Assessments
- Lawyers’ Fees to defend a lawsuit
- Lost Revenue
- Employee Salary to name a few
One way to get an idea of what a cyber insurance policy would cost is to go through an application. You can then decide if the premium is worth it for the potential risk. If it isn’t, you can start to budget as a future expense.
Businesses need to be able to make an informed decision, and I believe an informed decision includes knowing the costs.
Can the insurance provider modify coverage due to the changing nature of cyber attacks?
Yes, insurers can modify coverage due to the changing nature of Cyber Attacks, and you want them to. Cyber incidents have changed since this insurance product became available many years ago. Insurers are modifying coverage as incidents change.
A great example of coverage modification that some insurers are offering is Pre-Breach Services.
These services provide a check on your business’s “cyber health,” such as employee training and assessments.
Some insurers offer Post-Breach Services. Post-breach services provide you with information on what you can change to avoid a future loss. If coverage is being modified, the insurance company will advise you. Again, this can be a good thing.