Sarasota Insurance Agency >> blog
Cyber liability insurance covers the cost for a business to recover from a data breach, virus, or other cyberattack. It also covers legal claims resulting from the breach. Any business that stores sensitive data in the cloud or on an electronic device should have cyber liability insurance.
According to the Identity Theft Resource Center, businesses experienced 571 breaches in 2018, exposing over 415 million employee and customer records. Business breaches accounted for almost half—46%—of all breaches. Although we most often hear about big corporations falling victim to cyberattacks, small businesses are the most vulnerable.
Without big technology departments and IT staff, small businesses are most likely to need cyber liability insurance. This type of small business insurance will help you respond effectively to a cyber breach, cover your costs, and quickly move on. In this article, you’ll learn more about what cyber liability insurance covers, what it costs, and where to purchase it.
Cyber liability insurance, sometimes used as shorthand for cybersecurity, privacy, and media liability insurance, helps your company respond in the event of a cyberattack or data breach. If your network or computer systems are hacked or corrupted by a virus, for example, cyber liability insurance can be essential.
Often, a general liability insurance policy or professional liability policy will contain basic cyber liability coverage. However, businesses that store personally identifiable information (PII) for employees or customers should have stand-alone or enhanced cyber liability insurance. PII includes any data that can be used to identify a particular individual, such as name, date of birth, email address, social security number, credit card number, or bank account number.
There are numerous ways that a cyber breach can occur. For example, hackers can send phishing emails to customers in which they masquerade as your company. If a customer clicks on a link in the email, the hackers can steal PII. Or a hacker might use a virus or ransomware to corrupt your data files.
The main way to protect yourself against cyberattacks is with strong internal safeguards. For example, small business owners should restrict access to PII to a small number of people in the organization. You should set strong passwords on electronic devices and on the software tools you use, and you should regularly update your passwords and software.
According to Brian Gill, cofounder of Gillware Data Recovery, “Security should be the number one boardroom agenda of any business. Technical and physical safeguards should be in place. Insurance coverage is an added layer of protection which enables the business to call upon the insurer in their moment of need.”
Cyber liability coverage can vary widely based on which insurer you’re purchasing the insurance from. The reason is that there’s no such thing as standard cyber liability insurance. Insurers have started offering cyber coverage only within the last couple of decades.
Judy Selby, a cyber law expert and principal at Judy Selby Consulting LLC, says, “Unlike many other more traditional lines of insurance, there is no standard policy form for cyber insurance. Each cyber insurer has its own policy form, utilizing its own, unique policy language. This creates challenges for companies trying to compare one cyber insurance policy with another.”
Despite the variations, Selby says most insurers offer two types of coverage within a cyber liability policy:
First-party coverage pays for immediate expenses that a company incurs after a cyber breach. This includes:
Third-party coverage helps the company defend against lawsuits and legal claims. This includes:
On top of first- and third-party coverage, some insurance companies also provide risk mitigation services to help you identify and avoid cyber threats before they happen. After a breach has occurred, some insurers will set up a hotline that customers and members of the public can call to get more information.
It’s important to carefully read through your cyber liability insurance policy and understand any exclusions.
Cyber liability insurance commonly excludes all of the following:
When you purchase a cyber liability policy, you agree to maintain appropriate security measures in order to prevent a cyber incident from happening in the first place. If you fail to maintain these security measures, then coverage might be denied. For example, let’s say that an employee accidentally clicks on a link in an email, which causes malware to corrupt the company’s computer systems. If it’s later found that the company didn’t install any anti-malware software, the insurance company could deny coverage for failure to use preventative measures.
As this example shows, it’s important to know what you’re agreeing to and to have proper security procedures in place. You can put these protocols in place on your own. Alternatively, there are external security firms that can help you get up to speed.
Cyber liability insurance can cost anywhere from as little as $500 per year to as much as $50,000 or more per year. By tailoring coverage to your business’s needs, you should be able to find a cyber liability policy that fits your budget.
Here are the factors that affect the cost of cyber liability insurance:
Compared to other types of business insurance, the cost of cyber liability insurance is higher because the fallout can often be much greater. When you add up all the costs involved with a cyber incident, it can be very expensive. A small business needs to contain the crisis, respond to customers, deal with public relations damage, fix damaged hardware or software, recover lost profits, and cover the cost of any legal claims.
It can be challenging to figure out how much cyber liability coverage you need. Essentially, you need to work backward from a hypothetical cyber incident and figure out how much coverage it would take to recover from the breach.
According to a study by IBM Security and the Ponemon Institute, the average cost of a data breach was $148 per affected record in 2018. The same study found that the average time required to identify and contain a breach was 197 days and 69 days, respectively.
We suggest using those numbers as jumping-off points for your own business. Consider how many sensitive records you store, what type of records, and where they are stored. If your business experienced a breach, what measures would you need to take to inform your customers and protect their interests? How long would this take? On what channels do you store sensitive data (e.g. website, remote services, mobile devices, etc.)?
How much would it cost to replace any affected hardware or software? Do you have an in-house security team that can help you mitigate the damage, or would you need to bring in a consultant from outside the organization? Do you have an in-house public relations professional to answer questions from the public about the breach?
Answering these questions can help you figure out how much coverage you need to protect your business. Business owners who don’t have the technical interest or knowledge can hire an IT security firm to audit the business and determine risk levels. After an audit, an insurance broker should be able to help you double-down on your coverage limits.
When in doubt, says Shari Claire Lewis, a partner in Rivkin Radler’s Privacy, Data & Cyber Law practice group, consider going up in coverage. “Surprisingly, the cost of insurance coverage does not generally go up in direct proportion to the amount of coverage. Because the vast quantities of claims will occur in the lowest level of insurance, additional coverage is often quite affordable. We recommend that any business… purchase the amount of coverage that it can afford.”