What Is Cyber Insurance and Should Your Business Have It?

Does your company use electronic data? Does it store or communicate potentially sensitive information about customers, employees, or competitors? If so, then a breach of that data could cost your company plenty. Some well-known organizations have experienced data breaches, including Walmart, JPMorgan Chase, Yahoo, eBay, Target, the IRS, and, more recently, Equifax. Unfortunately, a company or organization of just about any size that retains personal information can be hit with a cyber attack. One way to transfer some of the risk and costs associated with a data breach or network security failure is through cyber insurance.

What is cyber insurance?
Cyber insurance provides protection against potential costs and financial losses resulting from data breaches caused by cyber attacks, viruses, and other threats. It also helps cover third-party lawsuits filed against your company resulting from data breaches or your failure to adequately protect sensitive or confidential information.

What does cyber insurance cover?
While individual policies may differ, cyber insurance can help cover:

  • Loss of data: Cyber insurance may help cover the cost of restoring or reconstructing data that was lost, stolen, or damaged.

  • Losses from data breach or security failure: Cyber insurance assists in covering some of the costs of investigating how and where the breach occurred; expenses associated with regulatory fines; legal costs of defending against lawsuits and settlement of claims brought by victims whose information was inappropriately accessed, shared, or lost; and expenses related to notifying victims of the data breach, such as customers and employees.

  • Costs associated with extortion or ransom demands: That’s right, often a cyber criminal will demand a ransom or try to extort money from your company in exchange for your data. Cyber insurance covers some of the costs of paying the ransom for the data or for the restitution to victims whose information was captured.

  • Losses from business interruption: If your company must close while the data breach is investigated and resolved, cyber insurance can help offset the ordinary costs and expenses of your business during its downtime.

Who needs cyber insurance?
Your company or organization may be a candidate for cyber insurance if it does any of the following:

  • Sends or receives documents electronically

  • Communicates with customers or third parties via email, text messages, or social media

  • Stores third-party information on a computer network that may be considered sensitive or private, such as an individual’s identity, tax information, income, address, Social Security and/or credit card numbers

  • Stores confidential company information or data (e.g., tax documents, sales or marketing figures or projections, trade secrets) on a computer network

  • Advertises company services or products via a website or social media

Aren’t these risks covered by business insurance?
Unfortunately, most of the risks and losses resulting from data breaches or data loss are not covered by standard commercial general liability insurance. In fact, many policies contain a specific electronic data exclusion. In addition, loss or damage to electronic data isn’t considered property damage under a business policy, so coverage wouldn’t apply.

Questions to think about
Cyber insurance has policy exclusions, terms, and conditions. When thinking about the purchase of cyber insurance, here are some questions to consider:

  • What specific risks are covered, and what risks are not covered?

  • What deductibles or coverage limits apply?

  • Will the insurer require your company to undergo a security risk review?

  • Are there security controls your company can adopt that will decrease the premium?

  • Will the insurer identify security risks and offer alternatives to minimize or eliminate those risks?

Plan ahead
Cyber attacks and loss of data can be devastating to a business. Plan ahead before a cyber attack occurs. Evaluate your business and determine areas of particular vulnerability. Then create cybersecurity policies and procedures for company employees to follow. Finally, consider the purchase of cyber insurance to help cover at least some of the risks associated with a cyber attack.