It’s the 21st century business nightmare. A cyber-attack. A modern “monster” with many faces. Hackers can trick your employee into disclosing sensitive information. They can figure out a weak password. A virus or malware can leave your data vulnerable. The mobility of devices or laptops makes them easy to steal—and any data stored on them can often be stolen just as easily. Hackers can scramble your network and demand a bitcoin ransom to release it. They can down your website with bot traffic. They likely have other ways to get to data we haven’t even heard about yet.
And once they have your data, you can’t stop them from using it; you can only manage the fallout. That costs you not just time, but money too. For example, dealing with compromised personal information often requires attorneys, information technology specialists, a public relations firm, notices to the affected individuals, and identity-theft coverage for them too.
For modern businesses, then, cyber insurance has become a necessity. It can cover many of the costs you incur from a cyber-attack. But how do you know if you have the right coverage and enough of it?
Assess your exposure
First, you should assess and quantify your cyber risks. Generally, you want to identify those areas of your business that make you more susceptible to a privacy or security breach. What records do you store electronically? How many do you have? With that information, you then need to determine how much a breach could cost you. Typically, people use an average per-record cost that organizations will publish from time to time.
The process doesn’t have to be overly intensive. And there are tools, like our Cyber Security & Privacy Self-Assessment, to direct your risk assessment. A risk advisor can also help you assess and quantify your cyber risks.
Assess your current coverage
Now that you better understand your cyber risk, you need to determine if your current insurance program adequately covers it. A common mistake organizations make is assuming their general liability policy or their bundled package includes sufficient cyber coverage. Because these policies are general in nature, they typically aren’t the best way to cover cyber risks. You should review your coverage carefully to understand what it covers and the limits of coverage you have.
Understand what coverages are available
Even if your coverage seems adequate, it helps to know what else is out there. The best cyber coverage is found in what’s called a “mono-line” cyber policy; its only function is to cover cyber risks. But no two cyber policies are created equal; the insurance industry hasn’t adopted standardized cyber risk forms. It can’t even agree on what to call it: cyber risk, data breach, privacy liability, and cybersecurity (among others) all refer to the same type of policy. So different carriers use different language in their policies, and they don’t all cover the same risks.
Most mono-line cyber policies will cover expenses you incur responding to a cyber incident and liability you may owe a third party due to the incident. Specifically, cyber policies may cover all or some of the following:
- Investigation expenses.
- Breach notification expenses.
- Credit monitoring or identity-theft protection expenses.
- Crisis management expenses for things like public relations and forensics.
- Rewards or ransoms you pay.
- Losses due to your business being interrupted by the breach.
- Expenses you incur responding to electronic vandalism.
- Expenses you incur defending against a regulatory investigation or action, including fines and penalties.
- Liability to third parties for your electronic activities, including the disclosure of their protected information, harming their reputation, providing a “conduit” for a breach of their data, or impairing their access to electronic data or services.
Understand how those coverages might apply
The goal of buying insurance coverage is to have just enough coverage: neither too little nor too much. To make sure you aren’t buying coverage you don’t need, it is often helpful to consider examples of how a cyber policy would apply in specific circumstances.
For example, assume ACME Co. has a data breach. First, they’re going to investigate to determine the source. Simultaneously, they may consult a PR firm to begin the crisis management process. Once ACME Co. understands the breach’s extent, they’ll have to notify those affected. To avoid potential lawsuits and protect their goodwill, ACME Co. will likely offer them credit monitoring and identity theft protection. If the breach affects ACME Co.’s ability to conduct its business or if they lose business to competitors due to the breach, they could lose income. A properly structured mono-line cyber policy could address these expenses and losses. But without it, the company could be in jeopardy.
To ensure your organization is protected from cyber liability, it is important to assess and quantify your risks, to know what coverage you have, to understand what coverage options are available, and to understand how those coverages might work. It requires a little work on your part, but you’ll sleep better at night knowing your business is more prepared for today’s evolving risks.