Companies tap into cyber insurance to manage business risk
Coverage should be included in security toolbox
By Byron Acohido, ThirdCertainty
Managing cyber risks in the Information Age is something businesses of all sizes must deal with. Part of risk management is insurance liability coverage. ThirdCertainty recently spoke with Shawn E. Dougherty, director of cyber commercial lines product development at ISO Insurance Programs and Analytic Services, to discuss this landscape.
3C: Why do companies need to at least look into cyber insurance?
Dougherty: Cyber insurance is a risk management tool. Many stand-alone cyber insurance programs available in the marketplace today provide both first- and third-party coverages designed to protect you from the many expenses associated with a data breach.
These expenses can include, among other things, the costs of investigating the incident; notifying affected parties about the breach; restoring lost data; hiring a public relations firm; and offering credit monitoring for the victims of the breach.
Business income, extra expense coverage, and coverage for the costs associated with extortion threats—ransom payments, for example—also are commonly available. With respect to cyber liability exposures, website publishing liability (e.g., infringement of another’s copyright, trademark, service mark, slogan, etc.) and programming errors and omissions liability coverages also are widely available.
3C: What’s important to know about the current state of cyber insurance products?
Dougherty: Cyber insurance has been available in the market for about 10 to 15 years, but it is still in its infancy. Currently, most of the carriers who sell cyber insurance generally do so using their own proprietary insurance forms. Many of these cyber insurance policies have been updated over the years to now include many types of coverages.
Even so, it is important to note that policy-specific terms, conditions, definitions and exclusions can and often do vary among different carriers. For instance, two different company cyber insurance policies might provide security breach coverage, each with different definitions of what constitutes a cyber incident. Depending on the circumstances of a potential claim scenario, the claim might be covered under one policy and not covered under the other.
3C: A lot to watch out for.
Dougherty: The burden is on you, as the insured, to compare each of the policies you are considering purchasing to determine the exposures that may be covered and those that aren’t.
As the cyber insurance market continues to mature, cyber insurance likely will become more standard, just like some of the more traditional commercial lines insurance package programs, such as commercial general liability and commercial property.
3C: Is cyber insurance really worth it?
Dougherty: It seems that hardly a week goes by without the next “largest-ever” data breach affecting millions of consumers being featured in the news. The results of one recent study found that close to 70 percent of businesses have been hacked in the past 12 months. It also seems that no business is safe—in 2015 alone, retail operations, health care facilities, colleges and universities, even the federal government reportedly have suffered data breaches.
In simple terms, business owners need to compare the potential costs associated with dealing with a data breach naked—that is, without cyber insurance—versus the costs of purchasing a cyber insurance policy.
3C: What are the caveats?
Dougherty: I would encourage all businesses to perform a thorough cyber exposure analysis to determine the firm’s potential cyber exposures, if any, and its need—or lack thereof—for specific cyber coverages. Virtually every commercial business faces some exposure to cyber losses. To what degree varies company to company.
3C: What if my company already has purchased cyber insurance?
Dougherty: Businesses today should not purchase a cyber insurance policy and then rest on their laurels. It often takes more than a cyber insurance policy to protect them.
Companies need to be diligent and continuously monitor their cyber exposures and safeguards. This includes keeping their computer systems up-to-date and staying on top of their potential vulnerabilities and threats.
The company’s senior management team should work with staff to develop and implement best practices for data asset management, including implementing and following data collection, retention and disposal policies. Staff training is a critical component of this plan. Staff should be trained and continuously reminded about actions to take and steps to follow if they suspect a data breach has occurred.
3C: Anything else?
Dougherty: I would strongly encourage organizations to become educated about cyber exposures and to work with their agent or broker to identify and help analyze the firm’s potential cyber loss exposures.
Keep in mind that the size of your firm does not necessarily indicate the need—or lack thereof—for cyber insurance. There are many examples of small- to mid-size businesses that have a greater cyber exposure than perhaps a much larger commercial firm. One of the unusual things about cyber—it knows no boundaries, and a small business potentially can collect much more confidential information than a much larger firm.