Tens of thousands of cybersecurity breaches occur each year and, based on available statistics, more than 75% of breaches occur at businesses with fewer than 200 employees. More alarming is that over 60% of those businesses shut their doors for good within six months of discovering a breach.
In my last post on cyber insurance for small businesses, I discussed the types of coverage you might find in your policy and the three components of coverage you should focus on.
In this piece, I want to emphasize two takeaways and provide you with a checklist of considerations when purchasing cyber insurance.
The main takeaways here are:
- Cyber insurance is relatively inexpensive right now, but there is a lot to consider when tailoring your policy. Make sure you ask lots of questions and take the time to discuss with your carrier exactly what is and is not covered.
- Understand your insurance provisions and disclaimers. As more and more incidents are reported, carriers are continuously looking for reasons to limit claim amounts. Some policies have windows for notifying the insurance carrier of a breach (e.g. 45 days from discovery) that must be met to ensure the claim is fully covered.
Keep in mind, coverages are not equally available. Insurance for losses arising from a breach of customer or employee privacy is easier to find, and there appears to be substantial capacity in the insurance marketplace for this type of coverage. On the other hand, insurance coverage for the ancillary financial loss arising from data or privacy breaches, such as lost business income and loss of the value of destroyed information assets, is harder to find.
When it comes to insurance, many people don’t realize there are a lot of different aspects to consider. Educating yourself on the types of coverage you might find in your policy and what they mean may make the difference in whether your company survives or becomes another statistic.
Top 10 Things to Consider When Buying Cyber Insurance
- Identify Your Unique Risks. The first step in buying cyber insurance is to understand the nature and the extent of the risks facing your company. For some businesses, like banks and retailers, the primary concern is the theft of personal financial information. On the other hand, the major risk to a utility or energy company is the disruption of critical business or physical operations through attacks on networks. Businesses should tailor their coverage to the risks that they face.
- Buy What You Need. With the variety of coverages offered by insurers in the market today, it is important to focus on the basics. You should consider whether your business needs all the coverages being offered and decline to purchase those that you do not need. Likewise, if an insurer is not willing to remove an objectionable exclusion or limitation from its policy, ask your broker to obtain a quote from a carrier who will offer the coverage without the limitation.
- Understand Your Existing Coverage. Your company’s standard first- and third-party policies may provide some protection from cyber risks, and it is important to understand what coverage, if any, may be available under your existing policies. For example, standard financial institution bonds provide coverage for third-party claims arising from a fraudulent computer instruction to transfer customer funds. Understanding your existing coverage will enable you to purchase the type of cyber insurance that your company needs.
- Secure Appropriate Limits and Sublimits. Perhaps the most important step a company can take to assess the value of cyber insurance is to compare the anticipated costs of a data breach with the limits of liability available and what those limits cost. The costs of responding to a data breach can be substantial. Estimates vary, but in 2011 the average cost of a breach was $5.5 million, and the cost per lost electronic record was $194. Your company should try to match its limits of liability with its realistic exposure in the event of a cyber loss. Also, most cyber insurance policies impose sublimits on some coverages, such as crisis management expenses, notification costs and regulatory investigations. These sublimits are often inadequate, but many carriers are willing to negotiate on the size of the sublimit, often with no increase in premium.
- Beware of Exclusions. Often, coverage for a loss or claim depends on the language of a policy exclusion rather than the language in the grant of coverage. Because cyber insurance is a new product, the policy language is not standardized. Policies may contain exclusions that have been cut and pasted from other insurance forms, and the exclusion simply may not belong. When this happens, negotiate with the insurer, or seek other quotes.
- Get Retroactive Coverage. Cyber policies sometimes restrict coverage to breaches or losses that occur after a specific date. In some forms, this is the inception date of the policy. This means that there would be no coverage for breaches that occurred before the inception of the policy. Because breaches may go undetected for some period of time, it is important to purchase coverage with the earliest possible retroactive date.
- Consider Coverage for Acts and Omissions by Third Parties. Many companies outsource data processing or storage to a third-party vendor. It is important that your cyber insurance policy provide coverage for claims that arise from misconduct by one of your vendors.
- Evaluate Coverage for Data Restoration Costs. Many cyber insurance policies do not provide coverage for the costs to replace, upgrade or maintain a computer system that was breached. Data restoration costs are potentially prohibitive. Any company that faces the risk of a data breach should take steps to ensure that its policies provide coverage for the costs of putting the company back in the position it was in before the breach.
- Dovetail Cyber Insurance with Indemnity Agreements. You should ensure that your company’s indemnity agreements work hand-in-hand with your cyber insurance. For example, many cyber insurance policies have retentions and require that the retention be satisfied by the insured. Insurers may interpret this language to require that the insured pay the retention out of its own pocket and that a payment by a third party under an indemnity agreement would not satisfy the retention. This is a subject for negotiation with the insurer during the underwriting process.
- Understand The “Triggers.” It is important to understand what activates coverage under your cyber policy. Some policies are triggered on the date the loss occurs, while others are triggered on the date that a claim is made against the insured. In order to provide proper notice, you need to understand how coverage applies under each policy you purchase.
- Consider Coverage for Loss of Information on Unencrypted Devices. Many professionals today work on computers and tablets outside the office. Although many firms encrypt company-owned laptops, personally owned computers and storage devices often are not encrypted. It is important for firms facing a loss of data through personal computers to buy insurance that provides coverage for such losses.
- Consider Coverage for Regulatory Actions. A data loss may cause not only the loss of information but also could result in regulatory actions against your company. State and federal agencies have become more active in responding to data and privacy breaches. You should consider whether your company’s insurance policy provides coverage for a regulatory investigation or a regulatory action arising from a cyber incident.