Recent news about hackers breaking into large companies' systems and wreaking havoc has caused senior executives at companies of all sizes to consider adding cyberinsurance to their portfolio of protections.
In fact, if a CEO has not thoroughly weighed the pros and cons of cyberinsurance, one has to question whether his or her fiduciary duty has been met.
A recent article in The Wall Street Journal highlights the deep and formidable threat that hackers pose to companies. As one cybersecurity expert in the article states, hackers dwell in a company's system for a median average of 209 days and most often the company executives don't find out about it until an outside agency such as the FBI becomes involved.
Costs associated with a data breach are all over the map, and can easily exceed $100 million. Gartner Inc., a technology advisory company based in Stamford, Connecticut, estimates that the annual cost of cybercrime is approximately $400 billion worldwide. According to a 2014 study of U.S. companies by the Ponemon Institute, the cost of a data breach is $195 per record lost, amounting to an average of $5.85 million per breach.
Common misperceptions about cyberinsurance
Before we get into the details on cyberinsurance, it is important to clear up a few misunderstandings.
- Our existing business policies cover cyberattacks. Not true! First, almost all companies have some sort of Commercial General Liability (CGL) insurance and, despite information to the contrary, these policies will NOT cover your company in the event of some sort of hack. In fact, as far back as 2001, the insurance industry begun to modify their standard CGL policies to exclude cyber-related claims. As for other policies that a company may have, such as Errors & Omissions (E&O), Directors & Officers (D&O), and crime policies, there may be some sort of cyber coverage, but it is safe to say that if a company wants to insure itself against damages caused by cybercrime, they need to consider a cyberinsurance policy.
- Cyberinsurance policies are expensive. Not necessarily. Assuming a company has an adequate IT infrastructure, and company executives are prepared to dedicate technical, legal and managerial resources to work with their insurance carrier upfront, most find these polices can be quite affordable.
- The 'standard' cyberinsurance coverage will do. Cyberinsurance is not one-size-fits-all. It is nothing like automobile insurance, where the insured is basically provided a policy and all that needs to be done is to decide upon the deductible and limits. Rather, a cyberinsurance policy is tailored to each company, because companies have different types of IT systems, risks, customers, regulations and management. Most cyberinsurance policies will offer to cover different types of risks, and it is up to the company to consider whether they need such coverage.
What does cyberinsurance cover?
Cyberinsurance policies can be broadly divided into two types of risks to be covered:
- First-party risks. This is the risk of damage to your company and your company’s IT infrastructure. Damages would include loss or damage to electronic data, software and hardware. Coverage should include remediation costs (i.e., the cost to hire people to restore or rebuild your IT systems).
- Third-party risks. These risks are much broader and dependent upon the type of business of your company, but the policy should cover damages caused by the data breach to other individuals, including customers and other businesses. Damages may include inadvertently spreading a virus, releasing private information of customers, breaching contracts with other companies or failing to meet regulatory obligations. Third-party risk coverage should include the costs of defending claims from customers, contractors, shareholders and regulators, and may also cover any resulting penalties.
How to get started
The first step is to contact a broker who has experience in working with companies to identify the correct insurance company and policy. The broker will work with your potential insurance carrier to gain a greater understanding of your company’s specific risks. These reviews/audits tend to be time-consuming from a management and technical perspective, but are worthwhile to ensure your company obtains the correct type and level of insurance.
The second step is to obtain experienced legal counsel who can work with company executives and the potential insurance companies to ensure the resulting cyberinsurance policy adequately covers a company’s risks.
Additional benefits of cyberinsurance
Hidden benefits of purchasing cyberinsurance coverage include:
- Management will gain a better understanding of the company's risk profile.
- The insurance company will likely provide suggestions on how to increase your company’s IT security and training.
- With the assistance of qualified counsel, most companies take the next step and develop a data breach response plan.
- If the worst happens, your legal counsel and insurance company are ready to assist your company in executing your data breach response plan.
Image courtesy of chanpipat, FreeDigitalPhotos.net