What is it, do you need it and how will it protect your business?
by Scott Lewis
November 21, 2014

Business owners are concerned about the electronic frontier we now live in and the liabilities that we all face because of it. Cyber insurance aims to help mitigate losses from a wide variety of cyber and electronic intrusions, such as data breaches, business interruption and network damage caused by viruses or malware.

By alleviating or limiting a wide range of risks, this flexible and customizable tool can help improve prevention practices.

Cyber insurance can be designed to meet your specific needs and cover specific goals, so take a look at your business and evaluate your individual risks and exposures. The following are some of the options a cyber insurance policy can be customized to cover. Work with your insurance company to determine which options best fit your company.

  • Identity theft—Liability resulting from failure to properly institute processes to prevent or mitigate unauthorized access to electronic and paper data that includes personal information such as names, addresses, Social Security numbers and account numbers, including HIPAA information
  • Computer virus damage—Liability around failure to institute industry best practices for prevention, identification and mitigation of the transmission of a computer virus to any other computer, system or software which you do not own
  • Security breach liability—Liability for failure to properly provide notification to any person or entity of a breach that has affected their confidential information if your state requires notification by law
  • Website or email libel or slander—Harm to the reputation of an individual or organization through the means of electronic transmission via websites or email
  • Crisis management expenses—Coverage for cost or reasonable expenses for potential negative publicity resulting from a security breach
  • Computer program and electronic data restoration expense—The cost for the replacement or restoration of software or hardware, destroyed or damaged computer systems, servers, switches, routers and phone systems which you have under your control at the time of a crisis
  • Business interruption—Coverage for net income loss and extra expenses due to a computer virus, intentional attack or intentional damage to a computer or network system by a third party or disgruntled employee

Cyber liability insurance is really intended to protect against two types of risk: first party and third party. First party items typically include hiring a public relations company to manage the media and customers, forensic costs, and the costs related to the repair and restoration of networks and computing systems. Third party risks are more of a concern for businesses that collect medical information, financial information, credit card numbers or Social Security numbers.

Due to the prevalence of electronic funds transfers, a common cyber risk is an email that appears to be from a bank or financial institution but, in fact, is not. Opening the email activates a ransomware virus or malware such as a key logger and allows a data breach or unauthorized access to your bank account that results in a fraudulent transfer of funds. If your cyber insurance includes funds-transfer fraud insurance, it may cover the funds.

To supplement federal regulations, most states have data breach notification laws. These laws apply to private, public and government agencies, and require notification to individuals and organizations if a security breach involves personal information.

Personal information could include names, Social Security numbers, addresses, driver’s licenses and account numbers. There are also varying definitions of what constitutes a data breach. Typically it is defined as unauthorized acquisition of data. Most states also outline the notification process with regard to timing of breach, method of breach and who must be notified.

Businesses continue to count on firewalls, spam and malware filters, and virus protection, but according to Brian Burkbuegler at the Crane Agency in St. Louis, Missouri, that may not be enough. “Due to the rise in social media, and the vast use of Internet technologies, along with bring-your-own-device-to-work policies, mitigating risks around privacy, security, intellectual right ownership and employment practices are becoming mission critical to all businesses,” he says.

Consider the ramifications if a hacker gains access to your system and obtains confidential company information pertaining to contracts, client lists and pricing information. That could result in claims against you for not properly securing and preventing data access. If your cyber insurance policy includes network and information security liability, then you may be covered for damages and defense costs related to resulting lawsuits.

Cyber insurance makes sense for companies of all sizes, though smaller companies often think it is too expensive. Business owners can get a policy starting at $150/month, depending on risk and exposure. Many business owners also think their general business liability insurance will cover them, but most general policies exclude cyber losses due to Internet connectivity.

Companies also use the excuse that the IT guy is “taking care of our firewalls, routers and other protections we already have.” Although business owners want to believe that their employees are always doing the right thing, your insurance company can help you fill the gaps. Even if you host your website or have your data in the cloud, you are still responsible for any breaches or lost data, and most cloud providers do not cover items like business interruption or downtime associated with virus and malware issues.

One of the greatest misconceptions concerning a cloud computing environment is that by using it, you have transferred all risk to the cloud provider. The truth is that there is little to no liability on the part of the cloud provider.

Cloud service providers typically carry errors and omissions policies that may include cyber insurance and that would protect them from a data breach.

However, they typically would not be liable for the actual data loss. Cloud providers have done a good job shielding themselves from liability, sometimes to a zero balance, or at least to fees paid over a specified time period, such as an amount equal to one year’s hosting fees.

Cloud computing companies typically are not responsible for direct costs, such as reporting to regulators or responding to customer lawsuits as a result of a data breach. If you are using cloud computing or thinking about migrating to the cloud, ask your provider about its cyber insurance and errors and omissions policies, and negotiate policy coverage as part of your hosting or colocation contract before you become a client.

Always keep in mind that you are still responsible, even if you’re in the cloud. Hosted services, such as online backup and hosted networking or servers, do not automatically mitigate your risk or move the risk to the cloud provider. In most cases, your general liability policy or errors and omissions policy will not cover you. The losses involved in cybercrime can be big, and the FBI’s Internet Crime Report does not address civil lawsuits, lost opportunity and other soft costs, such as damaged computers and networks.

Cyber insurance policies come in many shapes and sizes, so it is important to work closely with your insurance carrier to determine what type of coverage best fits your business. We now live in a world where cyber insurance is simply part of running a smart business, and one that companies of all sizes, shapes and markets should consider.