Cyber insurance: data breach, business interruption and beyond

Every business, especially small and medium-sized companies, should have cyber liability insurance—here are the reasons why.

In today’s market, no growing business can isolate itself from online communications and commerce. Yet avoiding the internet entirely is the only way to guarantee your company will not be exposed to cyber threats. Once a business is online it will always be exposed to some residual risk it cannot feasibly address in a disaster recovery plan, business continuity plan, or through an information security technology solution.

For a business owner, a hack isn’t just your website going offline or your data files being locked up for ransom and slowing down productivity. Based on industry regulation and data privacy laws, you could be liable for fines, and until you remediate any vulnerabilities found, you may not be able to re-open for business to serve customers and generate revenue. This is where a quality cyber liability and business interruption insurance policy comes into play. With a policy, payroll goes through, bills can get paid, and your life can continue as “normal” as it can during the crisis that is a major cyber incident.

The devastating financial impact of a cyber incident

Businesses, especially small and medium-sized ones, should prepare for the possibility of a data breach. That risk is no longer a remote one. The Ponemon Institute surveyed small businesses in the U.S. in 2017 and found that more than 61 percent had experienced a data breach, an increase from 55 percent in 2016. Another worrying statistic: Sixty percent of small companies go out of business within six months of a data breach. The financial impact is one big reason.

According to Dr. Larry Ponemon, the founder of the Ponemon Institute, the average cost in 2017 of a data breach due to damage or theft of IT assets and infrastructure is $1,027,053, and the average cost due to disruption to normal operations also increased to $1,207,965 -- a combined total of over two million dollars per cybersecurity incident, directly from IT remediation costs and indirectly through lost revenue.

If hackers access personally identifiable information (PII) through your company’s online systems, you will likely be held responsible and become liable for related data privacy losses. The immediate costs incurred are for hiring a forensics team, notifying customers, setting up call centers to handle customer calls, paying for customer credit monitoring services, legal and regulatory fees, and using the services of a crisis management firm.

In addition, business interruption can create commercial contractual breaches for failure to perform services, resulting in lost sales and broken customer relationships, especially if the remediation from the cyber breach takes weeks or months. Lingering beyond the return to “normal operations” sit the underestimated intangible costs from the long-term damage due to the loss of company reputation.

The business owner, as a result, must make additional expenditures to regain customer trust in order to recover successfully from a data breach. Target, in an attempt to regain customer confidence after its 2017 cyber breach, announced it would speed up adoption of more secure chip-and-PIN technology in its stores and for its branded credit and debit cards, a $100 million cost which was not covered by its insurance.

What gaps does cyber insurance fill?

A quality cyber insurance policy is designed to address business losses from the myriad impacts of a cyber breach, including data loss, business interruption, and network damage. Traditional commercial general liability and property insurance policies typically exclude cyber risks from their terms, and many cyber addendums being added to business owner’s policies (BOP) are woefully incomplete.

Cyber insurance providers are not required to underwrite anyone. Many require certain IT controls and processes for basic eligibility. If you answer “yes, I have a firewall with updated software” and it later turns out that a breach occurred because the firewall software wasn’t patched, a claim can be excluded. Business owners who adopt top quality preventative measures often receive reduced insurance premiums and the option for higher liability coverage limits. Typically absent from coverage I’ve reviewed are the loss of future revenue from damage to a company’s reputation, costs to improve internal technology systems, and losses stemming from the theft of intellectual property.

Cyber liability policies typically cover a variety of both liability and property losses when a business experiences a data breach. Network cybersecurity and privacy policies address the company’s liability for a data breach in which customer personal information is exposed or stolen by unauthorized access to the company’s network. The range of covered expenses associated with data breaches can include notification costs, credit monitoring services for customers, legal costs to defend claims by state regulators, other fines and penalties, and losses resulting from customer identity theft.

With the wide variety of policy types and liability coverage areas, be sure to analyze your cyber liability policy to better understand your coverage areas and the gaps you may need to fill to ensure your business is protected should a cyberattack or accident occur. Here are a few example questions to ask your insurance agent:

  • Is this policy an endorsement to an existing policy or is it standalone?
  • Does the policy cover both first and third-party losses?
  • Are there any exclusions that apply if my security measures change during the policy period?
  • If a security flaw from a third party’s product is exploited, am I still covered?

The cyber risk triad: accidents, attacks and liability

Business risk has moved online for the majority of companies, while the spending to defend against that risk has not. Physical security spending on alarm systems, surveillance cameras, and general liability insurance is nearly universal. Cyber security spending today may include a firewall and some anti-virus, though it rarely includes an insurance policy. Small business cyber insurance policies are available in 2018, so do your business and customers a favor and call your agent or broker today to inquire about a robust cyber insurance policy. Remember, sixty percent of small companies go out of business within six months of a data breach. Let’s bring this percentage down!

This article is published as part of the IDG Contributor Network.