It may seem counterintuitive to invest in robust cybersecurity protection for your business and to also purchase a cyber insurance policy. But, think about this – when you buy a home that includes a security system, fire alarm systems, and other safety measures, you’ll also purchase homeowners insurance to cover theft and fire, among other events.
Cybersecurity insurance operates along the same line of thought. You are tasked with doing everything possible to avoid getting hacked. However…if cybercriminals do breach your network and exploit your digital assets, a secure cyber insurance policy will cover your losses and could even save the reputation of your business.
Unfortunately, not every business owner is familiar with cybersecurity insurance policies or how they work. A recent study indicates that 64% of small business owners remain unfamiliar with this type of coverage. While 69% of decision-makers are worried about a cyberattack, 48% purchased a cyber insurance policy after they’ve had a breach.
Knowledge of cyber threats and how they may impact your business can help you to determine the cyber insurance coverage that you actually need. Even the Federal Government is taking steps to improve cyberattack awareness and its far reaching consequences so that you have the information you need to make informed decisions and to protect your clients.
A recent White House executive order now requires Federal agencies to revise the terms of government contracts to improve cybersecurity information sharing in ways that include the following:
- Service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation.
- Service providers collaborate with Federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems.
- Service providers entering into contracts with agencies must promptly report to such agencies when they discover a cyber incident involving a software product.
The Executive Order on Improving the Nation’s Cybersecurity states, “To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties.”
With this better visibility, and by understanding cyber insurance, along with critical coverages and cybersecurity compliance requirements, you will be able to make informed decisions about protecting your digital assets and not get bankrupted by a hacker.
What is Cyber Insurance?
Sometimes called “cybersecurity liability” insurance or “cyber insurance,” policies involve a legally binding contract that helps mitigate financial risks involved with online enterprises. Like a homeowners policy or other types of business liability insurance, a company selects coverage options that transfer risk.
Be Ready for the Next Audit
Download your free cyber insurance compliance checklist today.
Monthly or quarterly payments are usually made to maintain a cybersecurity liability policy. When compared to other types of coverage, cybersecurity liability is considered relatively new, and pricing varies. And because hackers tirelessly invent schemes to steal digital assets and level attacks against organizations, specialized coverage areas continue to evolve.
It’s important to understand that cybersecurity is an ongoing challenge that pits managed IT cybersecurity professionals against online criminals. Hackers typically focus on small and mid-sized outfits with relatively weak defenses. Considered low-hanging fruit, cyber thieves generally prefer easy data harvesting scores. Businesses invest in cybersecurity deterrents to make things as difficult as possible so that lazy hackers move on. However, sophisticated cybercriminals are not easily deterred, and they relentlessly devise new schemes every day to overcome your cybersecurity defenses.
This is the cat-and-mouse game being played out on the global internet that helps put cyber insurance in context. A determined and sophisticated cybercriminal can penetrate many systems if they wish to invest the time and resources. Should that occur, your fallback position is cyber insurance.
What Are Basic Cyber Liability Insurance Coverage Areas?
Cybersecurity insurance policies are generally understood to protect three areas of loss. These involve data breaches, business interruption, and malicious software. The first two are comparable to long-standing liability coverages. Data breaches are a lot like theft coverage and business interruption insurance, which have deep roots in power outages and natural disasters. Malicious software protection continues to be driven by emerging technology. That being said, a secure policy usually provides financial risk mitigation for the following:
- Paying ransomware demands to end business interruption.
- Notifying clients and customers about security breaches.
- Covering legal fees for privacy rights violations.
- Hiring third-party managed IT experts to retrieve or restore damaged data.
- Securing issues regarding compromised personally identifiable information (PII).
- Repairing or replacing physical infrastructure.
Cybersecurity insurance is usually a standalone product not folded into general business liability policies. Added protections may include credit monitoring and other proactive measures. There are also items that insurance carriers might not cover, such as the following:
- Pre-existing cyber breaches and hacker infiltrations.
- Cyberattacks leveled by employees or company insiders.
- Hacks that result from known vulnerabilities or cyber hygiene failures.
It’s also important to ensure your cybersecurity defenses and managed IT remains up to date. Insurance corporations may resist paying a claim when systems are misconfigured, software wasn’t patched in a timely fashion, or other preventable issues reduced network defenses.
What Should You Look for in Cybersecurity Coverage?
We’ve established that every business requires robust cybersecurity defenses to deter hackers. Failing to make a good-faith effort to secure your network perimeter could result in a claim being denied. Along with investing in protecting your digital assets, it’s important to select a cyber insurance policy that delivers along the following areas.
This coverage option is an absolute must for organizations that store or transmit PII or personal health information (PHI). Should a thief figure out someone’s login credentials and swipe this sensitive personal information, the organization will incur a backlash.
Data breach coverages typically pay for notification costs, credit monitoring for impacted people, and hiring a public relations firm. When PII and PHI hacks occur, the publicity causes significant reputational damage. It’s not uncommon for a company to lose customers and see industry partners sever business relationships.
In the event of a network security breach, insurance carriers may cover the cost of curing the immediate problems. This may involve paying a ransomware demand, legal expenses, IT forensics needs, and other items. Should a reasonably secure system fall prey to a skilled adversary, many of the costs to right the ship are covered.
When PII or PHI data has been stolen or compromised, the organization may also be liable for privacy law violations. These costs may stem from third-party lawsuits motivated by the impact on personal privacy, embarrassment, or direct financial losses. A major cybersecurity breach could result in an expensive class-action lawsuit. And when PHI has been stolen, companies can anticipate a government investigation and potential fines. Cybersecurity liability insurance may cover part or all of these costs.
Ransomware attacks are the most well-known for shutting down an operation. When high-profile companies are the subject of a ransomware attack, media coverage focuses on multi-million dollar payouts. But the organization may suffer equal or greater harm due to downtime.
Products and services may be impeded while salaried employees continue to draw a paycheck. Adding insult to injury, your customers may shift over to competitors. Those are some of the reasons to include business interruption in a cybersecurity insurance policy.
The transition of information from traditional and alternative media resources to the internet has blurred some liability lines. These days, an outfit that places a significant amount of information online could be deemed a publisher. That’s why media liability in cyber spaces has become increasingly important. Secure policies cover intellectual property infringement, and patents, as well as defamation, libel, and slander. It can be something of a mixed bag of essential protections.
Errors and Omissions
Commonly referred to as E&O insurance, technology companies have a significant need for this cybersecurity liability product. A policy that includes E&O can cover losses that stem from faulty items that result in users suffering harm. The range of possibilities also spans anything from healthcare equipment software failures to civil lawsuits. Should an unforeseen technology-based incident occur, court costs, legal fees, regulatory fines, and credit monitoring, among many others, could be covered.
This type of cyber insurance coverage comes into play when a hacker or cybercrime group deposits malicious software into your network and seizes control. Legitimate users are effectively locked out until a cryptocurrency payoff is made. Then, hackers may or may not send the decryption code to allow you to access your system.
There are a great many costs associated with ransomware attacks. These include the payoff, business interruption, sales losses, and damaged technology. It’s also quite likely the thieves will not send the code, and you will need to rebuild the lost data from scratch. Making ransomware coverage part of your cybersecurity liability footprint would be prudent.
Gaining seemingly legitimate access to a business network ranks among hackers’ preferred theft methods. They deploy email phishing schemes to trick employees into divulging their usernames and passwords. Online threat actors also use methods such as leveraging personal information from professional platforms and social media profiles. Once they can log in, PHI and PII thefts can go undetected for years.
The right cyber insurance policy for your organization may also need to cover things such as online fraud or the impact of malicious software. It’s important to consult with a managed IT cybersecurity professional to assess your defenses and ensure they can adequately deter attackers. With a detailed assessment in hand, you can make an informed decision about cybersecurity liability options.
How to Choose a Cyber Insurance Policy
You would be well-served to make a cybersecurity insurance policy part of the overall cybersecurity defense strategy. Given the investment into protecting against theft, financial recovery from an incident is another prong of digital business protection. Insurance carriers have wide-reaching options and the specifics can be tailored to what your organization does as well as the following:
- Risk Tolerance: Understanding how big of a financial hit the operations can handle is a good jumping-off point for knowing what it cannot take. Anything beyond your pain point needs to be covered.
- Cost and Deductible: Small businesses are often on tight budgets. Weigh the monthly installments against the out-of-pocket deductible, should you get hacked.
- What’s Inside: Make a checklist of the absolute must-haves in a policy. Select an insurance product that delivers them.
If you’re thinking about securing a cybersecurity liability policy or updating an existing one, a co-managed IT partner with cybersecurity expertise can be a powerful resource. We work with businesses to develop a dynamic cybersecurity posture and comprehensive plan that keeps your business in compliance. Let’s talk about hardening your cybersecurity plan and reviewing what is needed for your own cyber insurance coverage to give you peace of mind.
Be Ready for the Next Audit
Download your free cyber insurance compliance checklist today.