Data breaches, cyberattacks, and business interruption should be top of your list when shopping for coverage.
- Cybercrime is on the rise
- Not all commercial policies include cyber insurance
- Make sure to note what’s covered (and what’s not)
Cyberattacks are an unfortunate reality of modern business. Whether you run a brick-and-mortar store or a purely online startup, you likely have data and infrastructure that is potentially vulnerable to digital assault. Cyber insurance is a valuable tool to maintain your company’s security in the face of these attacks.
An investment in cyber insurance is, first and foremost, an investment in your company’s safety and stability. It protects your data and your business from potentially expensive financial losses, clean-up costs, and liability. It makes it easier for your organization to stay open and active even in the midst of a cyber crisis, and it can help cover such unforeseen expenses as customer payouts and legal assistance.
How do you get cyber insurance? And what kind do you need? Read on for answers to these and other essential questions about cyber protection.
Cybercrime is on the rise
If cyberattacks seem like an abstract problem that only happens to Silicon Valley startups, think again. The Identity Theft Resource Center’s (ITRC) 2021 Annual Data Breach Report shows that the number of “cyberattack-related data compromises” in 2021 grew in almost every primary business sector, and that there were more cyberattacks that year than “all data compromises” in 2020.
And if you think these incidents were small-time crimes, think again. A 2021 report from international specialist insurer Hiscox shows that about a quarter of all small businesses (23%) were victims of a cyberattack, at an average cost of $25,000 each to resolve. All the more reason to protect your own business with cyber insurance.
Risks covered by cyber insurance
Not all cybercrimes are alike, and comprehensive cyber insurance should cover a wide range of incidents, including:
A data breach occurs when a person or organization obtains unapproved access to company data. It may include sensitive information such as financial data, medical records, personally identifiable information (PII), or other private material. It can lead to identity theft, damage to a company’s reputation, and significant financial losses.
One of the more substantial data breaches in recent history is the 2011 Sony PlayStation Network breach, where hackers exposed the PII of 77 million PlayStation user accounts, prevented users from accessing the platform for 23 days, and cost the company over $171 million. Sony, unfortunately, did not have a cyber insurance policy in place and was responsible for all costs.
Another breach of note is the 2017 Equifax attack, which exposed the PII of 147 million customers and cost the company $425 million in a government settlement. Once again, the company had no cyber insurance policy to help offset these expenses.
A cyberattack is a malicious effort to compromise a system’s security, integrity, and availability. The motive may be data theft, but it also may be simply to disrupt a company’s operations and throw them into chaos.
A recent high-profile example was the 2021 attack on the Colonial Pipeline, the largest pipeline in the U.S., which interrupted fuel deliveries for multiple days in twelve states. The company’s CEO ended up paying a $4.4 million ransom demanded by the attackers. Another cyberattack made CNA, one of the biggest insurers in the U.S., stop trading for a short time. The firm paid the hijackers a $40 million ransom to get back control of its systems.
Business interruption insurance reduces the losses when a company can’t keep working due to a breach or attack. It typically covers physical damage from a natural disaster or fire, but it can also cover cybercrimes. It can reimburse a company for the difference between its expected revenue and the lower amount it actually generated in the wake of a cybercrime.
Not all cyber insurance covers business interruption – it’s often an afterthought. In a conventional policy, business interruption uses the company’s planned operating expenses and fixed costs as a model for compensation. On a cyber policy, compensation is usually a straight daily rate that is set in advance.
The cost of this type of policy is determined by a variety of factors, including industry, location, number of employees, amount of coverage, and risk. If your company sits in a New Orleans flood zone or California wildfire region, your rates for this type of coverage may be higher.
After evaluating your company’s risks of these types of cybercrime, the next step is to make sure your policy has the necessary protections to keep your business safe.
Cyber insurance coverage
The first question to ask when figuring out what coverage you need is actually quite simple: Do I already have cyber insurance?
Your commercial insurance policy protects against many things – property damage, liability, and employee risks – but check the fine print before assuming it also includes cyber insurance. Many insurers won’t cover damages from these attacks in a basic policy, but instead provide specialized products for cyberattacks.
But even if you want cyber insurance, you may have to jump through a few hoops in order to get it. Many insurers require that your business get a cybersecurity assessment, which can pinpoint gaps in security and areas of risk. It typically looks at your tech, procedures, and policies to get a full picture of your potential security vulnerabilities.
Once you’re ready to choose a policy, here are the components it should have:
- First-party coverage. This protects your data, particularly that of customers and employees. It also includes recovery and replacement of stolen data, legal counsel fees, customer notification services, PR and crisis management, forensic investigative services, and fines or penalties.
- Third-party coverage. This protects your company from liability in the event a third party files a claim against you. It also includes consumer payments, expenses for legal claims and settlements, litigation costs, and copyright infringement and defamation costs.
Knowing what your policy covers, however, gives you only half the picture.
Cyber insurance exclusions
Just as important as understanding what your cyber insurance policy covers is understanding what it doesn’t. Here are some of the more common exclusions:
- Prior knowledge exclusion. This states that the policy won’t cover incidents that were already known or reasonably predictable. If your company knew about certain vulnerabilities, your insurer may not cover them. Be sure to disclose any potential risks or threats to your insurance company.
- Wear and tear exclusion. The physical components of hardware or storage drives break down over time, so some policies may limit coverage if a hardware failure causes a data breach.
- Unencrypted data exclusion. Cyber insurers now expect clients to have data encryption as part of their basic security protocols. If your company has unencrypted data and experiences a breach, your claim may be denied.
To minimize the risk of any of these exclusions, be sure to research and patch any vulnerabilities, keep your infrastructure up to date, and ensure that your data is well encrypted.
Let the professionals keep you covered
In today’s 24/7 wired business world, it’s more important than ever to protect your assets in the event of a data breach or cyberattack. But every business is different and therefore needs different coverage. If you’re unsure about the type and amount of cyber coverage you need, help is just a click or call away.
The expert team at NICRIS Insurance can put together a free, personalized review of your cyber insurance needs and connect you with a policy that keeps your company safe. Contact us today for a free quote, and find out how we can help provide the protection (and peace of mind!) you need.