Most business owners whom Valerie Corekin comes in contact with don’t think at first that the cyber insurance plan they’re pondering is as crucial to their risk management strategy as life insurance is for their personal lives.
“Business owners who think that they don’t have to secure their data and IT technology with the same level of due diligence they use to protect their physical assets, such as on a building, are not making good decisions,” said Corekin, a senior risk advisor with PSA Insurance & Financial Services in the Washington D.C. metro area.
Digital exposure is much greater than people realize, instances of cyberattacks and breaches are growing, and so is the publicity surrounding them. “There are costs associated with this,” she said. “Those costs are pretty scary, too.”
According to the Ponemon Institute’s 2016 Cost of Data Breach study of 64 U.S. firms, the average lost or stolen “record” containing sensitive and confidential information cost $221 this year, up from $217 the year prior. This may not seem like a pricey sum until you consider that breaches this year involved 29,611 records per organization, on average, and that companies shelled out an average total cost of $7.01 million to resolve cyber breaches, a figure that has risen about seven percent since 2015.
Before you buy
But how do you choose a reasonable cyber insurance policy among the hundreds offered?
When Frank Giachini, senior vice-president of operations at PSA, looked at a plan for his firm, his first consideration was determining the company’s level of exposure. Ask yourself whether you can survive a temporary interruption or shutdown of operations, or pay for the costs associated with, say, notifying exposed clients, he advised.
Evan Blair, co-founder and chief business officer with social media security and threat intelligence firm ZeroFox in Baltimore, said every business should first conduct an audit and establish a written corporate security policy, wherein cyber insurance is included among various risk mitigation strategies as a sort of last line of defense. Make sure the policy looks to the potential impact—direct and indirect costs—a breach would have on your business operations, as well as how your customers could be affected, he said.
There are at least 47 different sets of state laws that regulate cyber breaches, Corekin said, so make sure you are knowledgeable about your company’s potential responsibilities to secure its data. Some industries, such as health care, are highly regulated and have federal requirements that relate to electronic health care transactions.
Also, understand the precise limits of these policies and what steps have to be taken to maintain coverage—reputational damage from a high profile breach, for instance, could prove to be outside the scope of a recoverable loss, Blair said. “It’s about trust and reputation at the end of the day with your customers.”
Coverage nuts and bolts
Cyber insurance policies, which have been around for only a little over a decade, have many coverage options but generally offer three buckets of coverage, Corekin said. The first is liability for security breaches in which private information is released. The second covers costs for items such as regulatory compliance fees, legal issues or the expenses associated with unlocking the system after a hack. The third covers business interruption expenses.
Note that most standard insurance policies, including business liability insurance, business interruption insurance, or even computer fraud coverage, will likely no longer cover the fallout from a cyberattack, Corekin said.
Another point of potential confusion is the precise meaning of the terms associated with a breach of privacy. Buyers can quickly stray into the weeds when trying to figure out what policy terms like “glitch” or “wrongful act” actually mean, but knowledgeable agents will guide you through this, she said.
Before you buy, choose the right partner, Corekin said. Executives considering an insurance company should carefully weigh its experience writing cyber policies. For instance, you’ll want a provider that has dedicated staff and resources surrounding cyber policies, Giachini said. And make sure your agent understands the types of policies on the market and is conversant in the relevant terminology. Smaller or regional carriers could be fine for some companies, while national players with a larger pool of resources may be preferable for others, he said.
If your firm operates around the clock and a breach could affect operations at any time, you’ll need a provider that will pick up the phone on a Friday or Saturday evening, Corekin said. In some states, you may only have 72 hours to meet regulatory deadlines to respond to a breach.
Nail down your cyber risk mitigation strategy in a holistic fashion, Blair recommended. For example, small businesses should look into cloud security that provides relatively inexpensive and hands-off cyber defense.