Exclusively from Foa & Son
The rate at which businesses are buying Cyber policies continues to escalate. Two main reasons for this are the unending stream of reports of breaches as cybercriminals find ways to attack even the largest, most sophisticated organizations, and the fact that insurance policies have evolved to a point where they offer real value in the coverage they provide, at prices that still remain reasonable.
Such policies are still often commonly called “cyber liability” insurance, a very misleading term. The word “cyber” suggests a technological hacking event, while “liability” suggests these policies are primarily liability policies. The more appropriate name for these policies would be “privacy breach insurance,” because the scope of coverage includes the loss of private information from almost any means, not just technology breaches or failures. And while these policies almost always include a liability coverage component, it’s the first party coverage for out of pocket costs that result from a breach that’s really caught buyer’s attention. Suffer a breach and you’ll start writing checks right away, and it’s nice to have an insurance policy to pay those bills.
We don’t need to dwell on the severity of privacy breach risk, all you have to do is read the paper. These threats continue to grow at an exponential rate, and cybercriminals are becoming increasingly sophisticated in their methods of attack. The problem isn’t just technology breaches; in 2015, nearly 50% of total breaches were the result of employee error, improper disposal of documents, lost equipment and other non-technological failures.
With all this, what should a cyber policy do for you? Here are some key coverages to look for in any good policy:
1. Forensics and legal costs: The first checks you’ll write after a breach is for forensic services to figure out what happened and how bad the situation is, and legal services for advice on what laws apply and what you need to do to comply with them. These costs are the most frequently exhausted limits in a policy, so it is important to assure that limits of liability offered by insurance carriers for such coverage are adequate.
2. Public relations: Another early cost after the breach. An old bromide says “It takes a lifetime to build a reputation and ten minutes to ruin it.” If a data breach occurs, a good public relations team to help mitigate reputational risk associated with the breach can be an important investment.
4. Business interruption coverage: Security failures often lead to unforeseen business disruptions while your systems are down to identify or recover from a breach. Interruptions also come in different forms: denial of service attacks, deletion of critical flies or secret installation of malicious software that causes systems to malfunction or fail. These can lead to interruptions that wreak havoc on day-to-day operations and lead to substantial additional financial losses, which a good policy will pay for.
5. Notification costs and credit monitoring: After all the other early and immediate costs from a breach you’ll come to this. Currently 47 states have breach notification requirements that force companies to inform affected individuals of a data breach in a prescribed way. It’s also become standard to offer free credit-monitoring services for at least 12 months following an incident. You may also need to set up a phone line or even a new website to provide affected individuals with answers to frequently asked questions. All of these damage control strategies require capital up front; costs associated with informing customers of a data breach can be substantial and should not be overlooked.
6. Fines and Penalties: When all the other dust settles you’ll still be left with these. Many state and federal laws about privacy breaches provide for fines and penalties; the Payment Card Industry (PCI) has its own set of penalties. Unlike most other insurance policies privacy breach polices can cover these costs, which can be substantial. You likely won’t be dealing with these right away, it takes a while for these to shake out, but you’ll want to buy high enough limits so that after all the other costs of a breach are paid for you have some limits left over to pay for these.
At the end of the day you need to take every reasonable step to secure information you may possess, even if only briefly. Even so, experts caution there are only three types of businesses, those who have been breached, those who will be breached, and, worst of all, those who have been breached but don’t know it yet.
Even with everything going on with privacy breaches, good, well written policies with meaningful coverages can be found at reasonable prices. We can help you with them.