What is cyberinsurance?
Cyberinsurance is a growing segment of the insurance market. It helps companies avoid incurring huge losses from database security breaches. With so much money and personal information exchanged through and stored on the internet every day, cybercrime cannot be ignored. Many organized criminal groups consider small businesses especially easy targets with low risk and high payoffs.
Cyberinsurance can include first-party and third-party coverage. The first-party coverage mitigates the expenses your company incurs, which can include legal fees, system repairs, lost income and public relations. Third-party coverage involves claims against your company from outside parties, such as your clients who were affected by the breach.
The PlayStation effect
Following the well-publicized breaches of Sony's PlayStation Network in 2011, insurance carriers had a field day. Interest in information security skyrocketed, and for good reason. The attack on Sony revealed the information of more than 70 million user accounts and cost the company more than $2 billion.
In September 2017, credit reporting agency Equifax was hit with a massive data breach that leaked the personal information of about 145 million Americans, one of the biggest in history. This information included driver's license data and Social Security numbers. The company is expecting to spend tens of millions of dollars dealing with the fallout of the breach.
If you add those to Facebook, Saks Fifth Avenue, Best Buy, Delta, Sears, Panera Bread and others who have come under fire for data breaches, you're talking about a lot of data in the hands of the bad guys.
Interest in cyberinsurance seems to go up every time a major incident like this hits the headlines, but it seems many companies are still unprepared. According to a survey by the Private Risk Management Association, 63 percent of insurance agent and broker clients were unprepared to deal with cybercrime in 2017, with 70 percent still unready for it in 2018.
About two-thirds of businesses do not have a stand-alone cyberinsurance policy, and more than half have not discussed cyberinsurance coverage with their insurance agent during the last year, according to Dani Kimble, director of creativity and innovation with The O'Neill Group.
Most small businesses don't have the resources to recover from a data security breach alone. That's where cyberinsurance kicks in.
Weighing the costs
Most stand-alone cyberinsurance policies cost as little as $1,000 annually for up to $1 million depending on the incident. The total cost will likely depend on the type of cybersecurity you have, since the agencies will probably determine your risk, so make sure to have a comprehensive security, backup and recovery system in place before signing up for quotes.
Most insurance companies will ask how your systems are already protected from viruses and hackers, and some will also do onsite audits. Clients are expected to understand the risks of a security breach and to recognize scams such as phishing emails.
Many policies also include several pages' worth of exceptions, most commonly situations caused by social engineering. For instance, if an employee of an organization slips up and downloads a worm or a bug, you will probably not be covered, or the plan could become drastically more expensive.
Keep in mind that you may already be covered. Speak to your insurance provider about information security to find out what exactly is already covered to avoid shelling out for duplicate insurance. Experts recommend speaking to an experienced broker who can investigate your current policy and shopping around for the best deals on an information security plan to fill in the gaps.
What it covers
Many insurance companies have a good grasp on how to provide protection, but quantifying losses incurred from a breach is an inexact science. Downtime, informing users of a security risk, and protection against libel and slander accusations all cost money, and not all companies – especially small businesses – have the income to cover it.
It's important to shop around for a comprehensive policy, since cyberinsurance is still relatively new and not all plans are as standardized as traditional insurance. Depending on the policy, which should cover both first and third parties, most cyberinsurance covers the following key areas.
1. Privacy and security liability
This relates to writing notices and paying clients for any losses they might have incurred. Companies are required to notify their customers of a data security breach in most states. Making sure all your clients are informed of the breach can costs thousands of dollars in repeated postage and email messages. Companies that suffer a breach are obligated to deal with the fallout their customers face, which includes offering services to counter identity theft and credit monitoring.
Because of these regulations, every major security breach is a PR disaster. But by working closely with your company as well as your customers, an insurance provider can mitigate the damage. Spinning the news, containing the damage and trying to repair it fall under crisis management.
2. Hardware repairs and downtime
Data loss and network system damage coverage kicks in when systems have been compromised or damaged. Replacing hardware and recovering files and data can be expensive. Insurance would cover this.
After a security breach, a database may be out of commission for a few days, and service to consumers will be affected. Coverage for business interruption, including DDoS attacks, is useful for when a company loses income because of an incident.
3. Ransomware settlement
If your business gets locked out of your data by ransomware that comes with a steep price tag to unlock it, it's the insurance provider's job to cover the settlement and then hire a security specialist to track down the perpetrator. Cyberextortion has become a popular method for hackers to profit from small businesses.
4. Media/web content liability
This is unrelated to security lapses but equally important – a company can't monitor everything that happens on its site. User forums or comments and banner ads can be sources of potential lawsuits. Media/web content liability coverage protects you from these types of threats. It also covers accusations of libel and copyright or trademark infringement.
No replacement for cybersecurity
When determining if cyberinsurance is right for you and what kind of policy to get, you should conduct a risk analysis on your business. According to Joshua Peskay, VP of technology strategy for RoundTable Technology, insurance is part of only one of four aspects of risk mitigation. Avoid, Reduce, Transfer and Accept are the four steps of risk mitigation, with insurance being an action of Transfer. Transferring risk means moving your risk to another party, the insurance agency.
That leaves three other areas you need to cover to mitigate your risk of damage from a cyberattack. You can avoid risk by not collecting unnecessary personal information and reduce risk by implementing a comprehensive cybersecurity system and strong security policies.
Cybercrime is constantly evolving, so staying in the know is the only way to protect yourself. But even the most security-minded businesses could find themselves in crisis, so cyberinsurance is an investment that businesses of any size should seriously consider.
Additional reporting by Joann Fan.