Do I need Cyber Insurance?
Unfortunately, I don’t think you have an option. If you are a business the answer is yes. If you are a non-profit the answer is yes, and even as individuals the answer is yes. If you are a public company and don’t know the answer to “Do I need Cyber Insurance?”, good luck to your investors.
The Market:
U.S. businesses spent more than $2 billion for cyber insurance in 2014 as demand for this coverage grew dramatically following numerous high-profile data breaches. Recent reports have stated that this insurance market will triple by the year 2020. There is a reason why businesses are purchasing this coverage: it’s a must-buy in today’s world. Look at what has happened in the government, politics, consumer and health insurance industries.
The Need
Experts have said that the likelihood of someone being the target or victim of a hacker or cyber attack grows each day. The question is not “if” it will happen but “when” and to what severity? And how am I protected?
Some businesses have records and information about millions of customers. This raises the important question of whether and how adequately businesses are protected by insurance coverage in the event they suffer a loss due to a cyber attack.
Coverage Forms
Knowing the “ins and outs” of each product is a topic for separate discussions. We will talk about the various forms and have a cloud computing expert identify the risks from a cloud perspective, but in the meantime these are the types of cyber coverage (according to the Insurance Information Institute):
Loss/Corruption of Data
This product covers damage to, or destruction of, valuable information assets as a result of viruses, malicious code and Trojan horses. This product has value for both personal and commercial consumers. A virus damaging or corrupting your home computer can be devastating, depending on your use of your home computer.
Business Interruption
This covers loss of business income as a result of an attack on a company’s network that limits its ability to conduct business, such as a “denial-of-service” computer attack. Coverage also includes extra expenses, forensic expenses and dependent business interruption.
Now that most businesses are generating significant revenue from the internet, ask yourself: can we afford to be offline? What are the costs per day? Per week? Per month?
Liability
In today’s world, most contracts are requiring this coverage. It covers defense costs, settlements, judgments and, sometimes, punitive damages incurred by a company as a result of:
- Breach of privacy due to theft of data (such as credit cards, financial or health related data);
- Transmission of a computer virus or other liabilities resulting from a computer attack, which causes financial loss to third parties;
- Failure of security which causes network systems to be unavailable to third parties; rendering of Internet Professional Services;
- Allegations of copyright or trademark infringement, libel, slander, defamation or other “media” activities in the company’s website, such as postings by visitors on bulletin boards and in chat rooms. This also covers liabilities associated with banner ads for other businesses located on the site.
D&O/Management Liability
Corporate boards and non-profit boards, pay attention to this cover. It is one of the newly developed, tailored D&O products that provide broad all-risks coverage, meaning that the risk is covered unless specifically excluded.
All liability risks faced by directors, including cyber risks, are covered. Post Sarbanes-Oxley…MUST BUY!!!
Cyber Extortion
Covers the “settlement” of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
Hackers are using the threat of attack as a way to extort certain companies with large pools of customer data. The threat is being blackmailed or extorted in exchange for the return of the data or for private information not being published.
Crisis Management
Covers the costs to retain public relations assistance or advertising to rebuild a company’s reputation after an incident. Coverage is also available for the cost of notifying consumers of a release of private information, as well as the cost of providing credit-monitoring or other remediation services in the event of a covered incident.
Ask some of the major brands and businesses about this coverage; although sometimes overlooked, it has tremendous value. Customer loyalty may be nonexistent after a breach without some good PR.
Criminal Rewards
Covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of a cyber criminal who has attacked a company’s computer systems. This is a great incentive to deter attacks and catch those responsible.
Data Breach
Covers the expenses and legal liability resulting from a data breach. Policies may also provide access to services helping business owners to comply with regulatory requirements and to address customer concerns.
Identity Theft
Provides access to an identity theft call center in the event of stolen customer or employee personal information. The costs associated with identity theft can be larger than the market capitalization of certain companies if they don’t buy this cover.
Social Media/Networking
Insurers are looking to develop products that cover a company’s social networking activities under one policy. Some cyber policies now provide coverage for certain social media liability exposures such as online defamation, advertising, libel and slander.
Cloud Computing
Insurers are developing products to provide coverage for cloud providers and the businesses that utilize them. Recruiting new business can be challenging for cloud providers as businesses have concerns over data security.
Traditional cyber liability policies typically exclude losses incurred by a third party such as a cloud provider. The cloud coverage being developed by insurers would apply to loss, theft and liability of the data stored within the cloud, whether the loss occurs from hacking, a virus or a subsequent liability event.
Size of Loss
A quick example of the magnitude of a loss: A small business is hacked and the business is required to notify its customers of their data being compromised and provide credit monitoring services. At an $800 loss per customer, a small business with 10,000 customers faces an $8M loss for notification, credit reporting, etc. Now if this was a business with 10,000,000 customers, the loss is now at $8B. Keep in mind, large businesses can negotiate better rates for these services, but the takeaway is the numbers can add up quickly. That’s only for notification and credit monitoring; we are not including any of the other expenses associated with a breach.
Now at what price can you afford to insure your cyber risk?
Hopefully an affordable price; however, you have to weigh the risk against what you can afford to lose. Are you at risk of losing all your clients and customers in the event of a cyber breach? What is the price of reputational risk?
Each company and individual has different risks, protections, and security measures, so pricing and coverage are customized, but we must comment that now is one of the best times to buy in the market. Insurers are aggressively competing against one another to grow in this product, and it is to your benefit.
Thoughts:
This coverage cannot come at a more affordable price considering what is at stake!
Your personal information, impact on credit scores, your business information, customers’ information, health records, etc.
My thoughts are Buy, Buy, Buy.
Understanding your risk is important, but as you are learning about your risk and how to protect your systems, cloud and security measures, someone is trying to breach them. Continue to learn about other ways to mitigate the risk, but in the meantime our advice is to try to transfer as much of this risk as possible. It is affordable, and the other risk management techniques will evolve to meet the future demand.
This list will expand and contract over time so please keep your eyes on our cyber tab for updates.