As businesses fortify their data and networks against the next cyberattack, some business owners might be considering cyber insurance to limit their exposure to the uncertain and evolving risk of a network or data breach that could disrupt operations.
But legal and technology experts recommend that businesses first assess their exposure and have a cyber security plan and protections in place before purchasing an insurance policy from the growing number of insurers and brokers now offering them.
Jacqueline Brettner, an insurance coverage partner at Carver Darden in New Orleans, said the first thing company leaders need to do is sit down with the right people in the organization and evaluate what the weaknesses are, and that includes the type of data managed and how it’s stored.
“If it is electronic data, what processes do you follow to store the information and what safeguards do you have in place or can you put in place to protect it?” Brettner asked.
Discussion among managers and internal and external IT professionals should also include third-party vendors, such as cloud storage, credit card and payroll processing companies.
“What information are you giving them, how you are giving it to them and what are their procedures?” Brettner added.
When you are ready to consider a cyber policy, Brettner recommends working with an insurance broker or insurance coverage counsel.
“They are going to be a good source for understanding your business generally speaking, especially if you’ve got a long-term relationship with them and they understand what your appetite is for risk,” she said.
Clayton Mouney, president of New Orleans-based thinkIT Solutions, said some clients tell him they do not need to purchase cyber insurance because they have his company to protect them.
“Those are two different things,” Mouney said, adding that businesses likewise should not assume that having cyber insurance means they do not need a robust security program. “You have to have both, because insurance is only there to help you after the fact.”
Some insurers will reduce premiums for companies that take steps to establish security programs that include protocols for applying security patches, accessing networks and using USB flash drives.
“Actually having a written set of standards you follow, or a regular employee training that you follow, all of those things should help you drag down the premium cost for the cyber policy,” Brettner said.
Gaining in popularity
Cyber insurance has been around since the late 1990s, but few companies purchased it in the early years. Financial and information management companies were among the first customers.
The global cyber insurance market is expected to grow from about $3 billion currently to $14 billion in premiums by 2022, according to Portland, Oregon-based Allied Market Research.
Regulations in the U.S. have also played a role. Today, 46 states have some form of statute requiring companies to publicly disclose data breaches. Some states allow companies to be fined and have requirements for encrypting certain data.
Mouney said small businesses are most at risk of cyber threats, in part because they think hackers would rather go after bigger fish. But he says the opposite is now true.
“Small businesses are the No. 1 target today. You are the easiest, and that’s why they are coming after you,” Mouney said. “You can be a victim of malware, viruses, encryption, spoof emails – and you can be a victim no matter what size business you are.”
A National Small Business Association survey in 2015 showed 42 percent of businesses reported being the victim of a cyberattack. The intrusions included general computer and website hacks, and stolen credit card and bank account information.
Brettner said that business owners might think that they are covered for cyber losses and liability through their commercial general liability (CGL) policies or other types of business insurance. But while her firm has had some success getting cyber-related coverage through property, crime and CGL policies, she says there’s no guarantee those policies would pay claims.
“It’s more of a luck of the draw, based on your jurisdiction, the type of law that’s going to apply to the interpretation of the policy, your judge in some circumstances and the facts, so that’s not something that I would call a risk-management program,” Brettner said.
Types of policies
Cyber policies are generally divided into first-party and third-party coverages, but there are policies that cover both.
First-party coverage protects businesses against their own losses, such as paying for a forensic investigator to find the cause of a breach, legal advice to determine notification and regulatory obligations, public relations expenses and lost profits. Third-party coverage secures businesses against liabilities to others; those policies typically cover settlements, judgments and legal defense costs related to a breach, as well as liabilities to banks and credit card companies.
“It all goes back to what are your risks and who would you be liable to in the event of a breach, what’s the scope of that?” Brettner said.
Mouney recommends that business owners think of technology upgrades as an operational expense rather than a capital expense, and develop a budget plan to keep hardware and critical defenses such as firewalls and anti-virus and web-filtering software up to date.
Mouney also reminds businesses to regularly back up their systems so they can recover lost data in the event of a breach.
Unfortunately, he said, “the costs for technology and threats are not going to end.”
Michael Joe is a reporter for BridgeTower Media.