In a nutshell, the simple answer is that if your business is dealing with data then ignoring the peace of mind that cyber liability insurance would provide would be foolhardy. In fact, the very survival of a business that stores and leverages customer data in any way may very well depend on protecting the data with good cyber insurance coverage.
Cyber liability insurance is not a panacea. It will not throw up a wall of intelligent electrons around your data. But what it can do is keep your business afloat if it does face a significantly damaging cyber security event, including data breaches.
No one is immune
However, it’s not only those companies that are active in database management or the marketing of consumer data who might very well need this sort of coverage.
There’s no doubt that cyber liability insurance, just like almost every other type of insurance, is what economists call a ‘grudge purchase.’ Every business owner hates to pay the premiums – until they have to make a claim.
In today’s data-driven environment, business almost without exception runs on the back of online technology. It doesn’t matter whether your organisation uses social media as a marketing tool, uses email as its chosen communication avenue with clients (and who doesn’t?), stores and maintains customer information, collects online payments or uses the cloud: at some point, you are going to come under threat of a cyber-attack. It could be from a garage-bound group of teenagers, an international criminal syndicate, someone inside your organisation or a nation state – it’s almost inevitable that it will happen.
Small businesses are not immune. Symantec’s 2016 Internet Security Threat Report indicated that 43 percent of all attacks in 2015 were targeted at small businesses.
Cyber liability insurance as part of risk management
Given that the likelihood of attack is growing each day, it is essential that this sort of insurance cover be an integral part of any risk management plan. A structured and well thought out risk management plan orders the organisation’s thinking about how risk should be handled. The choices are relatively simple. Risk can be ignored, avoided, controlled or transferred. Cyber liability insurance is an example of how risk can be transferred to a third party.
So what exactly is cyber insurance?
Cyber liability insurance coverage, which also goes by the acronym of CLIC, is a risk mitigation strategy that allows a company to offset the costs involved in recovering from a cyber security breach. It has become increasingly popular since its use became widespread in around 2005. In fact, according to PwC, the total value of premiums that will be paid for cyber insurance is forecast to reach $7.5 billion by 2020.
Cyber insurance typically covers expenses related to first parties as well as claims by third parties. Should an organisation choose to purchase this sort of cover it can expect reimbursement for the following expenses:
Investigation: Covers the cost of a forensics investigation which is necessary to determine what occurred, what has been breached, how to repair damage and how to prevent the same type of breach from occurring in the future.
Business damage: May include similar items that are covered by a traditional errors and omissions policy (which usually includes errors due to negligence and other reasons), as well as monetary losses caused by network downtime, business interruption and data loss recovery. Interestingly enough, there are versions of cyber liability coverage that will contribute funds to the costs involved in managing a crisis – including repairing reputational damage.
Privacy and notification issues: Includes required data breach notifications to customers and other affected parties (required by law in many jurisdictions), as well as credit monitoring for customers whose information was compromised.
Lawsuits and extortion: Includes legal expenses associated with the loss of confidential information and intellectual property, legal settlements and regulatory fines. This may also include the costs of cyber extortion, such as from ransomware.
A cyber liability insurance checklist
Many of the most trusted names in the insurance business are today offering comprehensive cyber liability insurance options. If your organisation uses one of the larger insurance providers, chances are that they can offer coverage. Industry pundits are convinced that due to increasing demand, most large insurance companies will be forced to bolster their service offerings with products related to liability insurance covering cyber-related risk.
A simple (albeit not completely comprehensive) checklist for the organisation when shopping for what is after all an ever-evolving service and product offering might include the following questions:
Does the insurance company offer a choice of cyber insurance policies or is the coverage simply an extension to an existing policy? In most cases, a stand-alone policy is best. Also find out if the policy can be tailored to the unique requirements of the organisation.
Be sure to compare deductibles closely among insurance providers.
How do coverage and limits apply to both first and third parties? For example, does the policy cover the liabilities of third-party service providers?
Does the policy cover non-malicious actions taken by an employee? This is part of the errors and omissions coverage that applies to cyber insurance as well.
Does the policy cover social engineering as well as network attacks? Social engineering plays a role in most kinds of attacks, including phishing and advanced persistent threats (APTs).
Because APTs can take place over a long period (months to years), does the policy include timeframes within which coverage applies?
What does my business need to do to ensure coverage?
In short, the organisation needs to ensure that it is insurable by meeting the requirements for coverage. A cyber insurance provider wants to see that an organisation has assessed its vulnerability to cyberattacks, created a cyber risk profile and follows best practices by enabling defences and controls to protect against attacks as much as possible. Employee education in the form of security awareness, especially for phishing and social engineering, should be part of any protection plan.
Essential in today’s heightened cyber threat environment
Cyber liability insurance is as essential as the insurance that covers other assets and unforeseen circumstances which may threaten the viability of any business. An organisation needs to set in place a cyber risk profile and immediately begin investigating options if it has not done so already. Failure to be proactive may result in significant loss – and in some cases a threat to the continued survivability of the organisation.