Why You Need Cyber Insurance and What You Should Know
Three thousand, eight hundred thirteen (3,813) — that's the number of reported data breaches tracked through June 30, 2019, putting 2019 on track "to be the worst year on record for data breach activity," according to the 2019 MidYear QuickView Data Breach Report conducted by Risk Based Security.
This is an increase of 54% over 2018 figures during the same time period.
The average cost of a data breach last year hit $8.19 million. In this high-tech era, all businesses are at risk of a data breach.
So, how can you protect your business from these breaches? One way is through cyber insurance.
Cyber insurance covers data security claims involving loss arising from a compromise of the insured's computer systems. This most often is the result of intrusions like hacking into the insured's systems, introduction of malware (programs designed to obtain unauthorized access to data or to damage data or computer systems) and ransomware.
Even though most commercial general liability (CGL) policies cover bodily injury or property damage caused by an accident, it likely does not cover a data breach. Bodily injury is typically defined as physical injury, sickness, or disease to a person — data breaches do not typically result in such injuries. Property damage is typically defined as physical injury or loss of tangible property —electronic data is not tangible property.
With no bodily injury or property damage, the chance of a data breach claim triggering insurance coverage under your CGL is unlikely.
How much cyber coverage do you need? While there is no magic calculator to determine the coverage limits you need, you can assess an inventory of your risk by considering what data you store electronically and how you protect it. In other words, what do you stand to lose in the event of a data breach?
First, you need to know what data you must protect. Do you have personally identifying information, or PII (i.e., names and Social Security numbers, driver's license numbers and/or bank account information)? Don't forget about employee bank account information for direct deposits.
Do you have protected health information, or PHI, including PHI relating to your employees' participation in your health insurance program? Do you have credit/debit card information? What about confidential business information such as client information, intellectual property, or mergers and acquisition information?
Second, be prepared to discuss with your insurance professional how you protect such data. What is your information security policy and data breach response plan? Is your protected data stored in the cloud and, if so, what is the cloud provider's information security policy? Do your vendors have access to such data and, if so, what is your vendor's information security policy?
Third, consider what coverage you could need. Think about the following losses:
- Forensic investigation.
- Legal fees.
- Lost or corrupted data/ransomware.
- Loss mitigation services such as credit monitoring and identity theft protection services.
- Public relations/crisis management.
- Business interruption/denial-of-service.
- Fraudulent funds transfer.
- Regulatory fines/penalties.
- Third-party contractual losses, such as PCI fines.
- Statutory penalties.
- Litigation costs and settlement.
Finally, pay close attention to exclusions and limitations. Watch for narrow definitions of PII that may exclude coverage. Is there an exclusion if stolen or lost laptops are not encrypted or unencrypted data is breached in transit? If you use cloud services, look for coverage of data stored outside of your network.
When shopping and negotiating cyber insurance coverage, the wise saying, "you get what you pay for" is true. You may need experienced counsel to help you carefully evaluate and negotiate adequate and appropriate coverage for your particular risks, especially when purchasing cyber insurance for the first time.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.