Anderson Technologies often reports on the rising dangers of ransomware or other forms of cyber attack and how to defend against them, but even the most diligent business can still fall prey to determined cyber criminals. A robust business continuity and disaster recovery plan can get you back in business without as much downtime, but the cost of the intrusion may continue to rise if personally identifiable information (PII) or electronic protected health information (ePHI) is exposed in the breach. Small business owners need to seriously consider adding a cyber insurance plan to their existing insurance coverage or they may find themselves without any financial support when they need it.
Why Is Cyber Insurance Necessary?
When cyber crime was just becoming a major financial problem, policies often did not explicitly include or exclude cyber attacks and damages. If the insured party claims that the damages incurred by a cyber attack fit the definitions of the policy’s terms and the insurer pays out, this is considered “silent cyber” coverage.
Some insurance companies refuse to pay for damages from cyber attacks, though, and many insurers have begun explicitly excluding cyber damages from general business insurance policies in favor of separate cyber insurance policies. Insurance companies have been taken to court for failing to pay this “silent cyber” coverage, and some policyholders have successfully won, but this is not always the case. That lack of guaranteed coverage should concern small business owners who do not have a dedicated cyber insurance policy.
What Types of Cyber Insurance Are Available?
When choosing cyber insurance policies, there are two main types of insurance coverage available: first-party coverage and third-party coverage. It is essential that buyers know the differences between these two types of coverage and carefully examine the necessity of both for their own company.
For a quick overview on what cyber insurance policies should include, the Federal Trade Commission provides a helpful checklist for small businesses.
First-party coverage involves the costs incurred directly by the insured company as a result of a cyber attack. The types of expenses or damages first-party cyber insurance can cover include:
- the cost to restore or replace data and software destroyed or stolen in a breach
- the cost of investigating a data breach or cyber attack
- income lost during downtime or spent to restore the business to working order
- the price of a ransom demand, if paid
- the cost of notifying all necessary parties, including customers, if PII or ePHI is compromised
- the cost of crisis management to deal with the media/public fallout from a security breach
Third-party coverage involves the expense of legal action taken against you as a result of a breach. This could be by customers or by other businesses whose data is compromised. Third-party cyber insurance can cover:
- claims of negligence that resulted in the cyber attack and breached data
- claims for failure to fulfill a contract due to system downtime or lost data
- claims of defamation, invasion of privacy, or copyright infringement as a result of exposed data
- settlements or damages owed to injured parties
- fines imposed by regulatory or state agencies
For businesses at risk of breaching client or customer data, both types of cyber insurance may be necessary to cover all possible expenses. A thorough risk assessment of the business can help determine the best course of action.
Denial of Coverage
Just because a business has purchased cyber insurance doesn’t mean the insurance company will pay a claim in the event of a breach. Many policies require businesses to maintain a certain level of cyber security infrastructure for a claim to be paid out, or they carry exclusions for certain situations. The language in the policy can be broad, depending on the insurer or policy, so small business owners should thoroughly discuss what is expected and how the insurer defines the terms of all requirements and exclusions.
Some insurance companies provide a risk self-assessment to businesses before agreeing to sell the policy. If the business doesn’t maintain the standards laid out in the risk self-assessment, or if the answers provided are false or misleading—even by accident—then the insurance company can void the policy.
These exclusions have already been upheld in many cases of data breach. In 2014, Cottage Health System in California settled a class action lawsuit against it for a data breach of more than thirty thousand medical records. Its insurance company paid the $4.1 million settlement, only to later sue Cottage Health System for the money back, citing the organization’s failure to meet minimum cyber security standards and inaccurate information given on the risk self-assessment. This case is still in progress.
An exclusions clause in P. F. Chang’s cyber insurance policy cost the popular Chinese restaurant chain $1.9 million after its breach of customer data, which included credit card numbers. The policy excluded any “contractual obligations” that P. F. Chang’s entered into with third parties. In this case the court agreed that P. F. Chang’s contract with Mastercard to pay fines in the event of a breach fell under this exclusion.
In order to ensure their policies provide the financial insurance they’re supposed to, businesses should:
- carefully read all requirements and exclusions listed in the policy and make sure all vocabulary is clearly defined to avoid ambiguity
- answer all risk self-assessments accurately and thoroughly, adding an explanation to absolute (yes or no) questions whenever possible rather than leaving a bare answer that could later be read as misleading
- invest in the level of cyber security required by the insurance company, or better
- make sure the policy covers all the cyber attacks the business is at risk for
- have both first- and third-party coverage, if applicable
The last thing a business needs after a cyber attack or data breach is to find out their insurance won’t help pay for the damages.
The Growing Need for Cyber Insurance
Explicit cyber insurance coverage is only becoming more necessary. Fines issued by the Department of Health and Human Services for HIPAA Privacy and Security violations range from tens of thousands to millions of dollars. At the same time, state and international privacy laws, like the California Consumer Privacy Act and the EU’s GDPR, are stricter and impose increased fines that raise the cost of a data breach.
No matter how secure your IT infrastructure is or how diligent your IT department or MSP is, it only takes one employee clicking on the wrong link or visiting an infected webpage for cyber criminals to invade your systems. When that happens, small businesses need the financial support cyber insurance provides to investigate the breach, recover the business, and manage the public damage. Without aid, the cost of a breach may prove too expensive for small businesses.
Don’t let your insurance company leave you high and dry in a crisis. Contact Anderson Technologies today to shore up your cyber security infrastructure. Call us at 314.394.3001.