We are living in a cybercrime era, where cyber attacks have, unfortunately, become a regular occurrence. It’s not uncommon to hear about cyber attacks when you turn on the TV or read the latest news alerts on your computer, smartphone, or tablet.
According to the Identity Theft Resource Center (ITRC), in 2015, there were a total of 780 breaches, with 177,866,236 records exposed.
The breakdown reported by category is as follows:
- 63 government and military breaches with 34,222,763 records exposed
- 312 business breaches with 16,191,017 records exposed
- 58 educational breaches with 759,600 records exposed
- 71 banking, credit, and financial breaches with 5,063,044 records exposed
- 276 medical and healthcare breaches with 121,629,812 records exposed
As you can see, there isn’t a branch of business or government that is immune to cyber breaches. The majority of cyber breaches are caused by malicious and criminal attacks, and those attacks are costly and on the rise. As reported in the 2019 Cost of a Data Breach Report conducted by IBM and Ponemon Institute, the average global cost of a data breach is $3.92 million, a 1.5% increase over the 2018 study. The average cost of a data breach in 2014 was $3.5 million, equating to a 12% increase in data breach cost between 2014 and 2019.
With the continued increase in cyber attacks and the costs associated with them, business cyber insurance is more critical now than ever before. As a business owner, it’s a good idea to educate yourself on the types of cyber insurance available so you have some level of understanding of what your business might require. It’s also best to work with an insurance broker who can support you in the process. An insurance broker will help you navigate cyber insurance nuances to ensure that you have the right type and level of coverage for your business needs.
Data Breach vs. Security Incident
Many confuse the terms data breach and security incident or use them interchangeably. In reality, they are not the same. When it comes to purchasing cyber insurance or dealing with cybersecurity, it’s essential to know the difference. A security incident is when there is an event that affects the availability, confidentiality, or integrity of information, increasing the risk of possible unauthorized disclosure. However, unauthorized disclosure cannot be confirmed in a security incident.
A data breach is an event that results in confirmed unauthorized disclosure of data in paper or electronic format. The ITRC defines a data breach as an “incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit and debit cards included) is potentially put at risk because of exposure.”
8 Types of Cyber Insurance
Cyber liability insurance is also referred to as cyber risk insurance. Cyber insurance helps mitigate the costs associated with data breaches and security incidents. Some of the common types of cyber insurance available include:
- Breach response coverage
- Network security and cyber extortion/ransomware coverage
- Network business interruption coverage
- Data breach and privacy crisis management
- Fiduciary liability coverage
- Media liability coverage
- Professional liability coverage
- Errors and omissions
Breach Response Coverage
Once a breach occurs, an immediate response is necessary. Breach response coverage often covers expenses involved with notifications to impacted parties and credit repair and monitoring services. It can also provide coverage for costs pertaining to data restoration or replacement, forensic investigation, public relations advice, and breach response consultants.
Network Security and Cyber Extortion/Ransomware Coverage
Companies subject to information and privacy risk should have network security coverage. Network security cyber insurance covers organizations if network security failure occurs. Data breaches, malware infections, email compromises, and ransomware issues are covered under this type of cyber insurance. Expenses directly related to the cyber incident are mitigated with network security insurance, including data restoration, credit monitoring, call center setup, forensics, legal fees, and consumer breach notifications.
Cyber extortion demands, where hackers threaten the release of information gathered from a data breach to try to extort money or hold a network hostage, are also covered. Under such circumstances, coverage includes fees to pay a negotiator, funds to pay the extortion demand, and expert services required to block the intrusion.
Network Business Interruption Coverage
Network business interruption coverage covers the costs associated with business loss during and right after a data breach. Lost profits and fixed expenses, as well as additional costs incurred during a cyber breach that impacts your business operations or a business you rely on to operate, are covered. Losses that result from a third-party hack, system failures due to human error, or a failed software patch are examples of what network business interruption cyber insurance mitigates.
Data Breach and Privacy Crisis Management
Data breach and privacy crisis management coverage is important for businesses with information or privacy risk. Data breaches and violations that expose employee, contractor, or consumer information are security threats to the individuals compromised. At the same time, they expose the companies breached to liability.
Data breach or privacy liability insurance covers the costs of such cyber incidents or privacy violations. It can cover legal costs to defend your company from consumer class action litigation, fund class action settlements, and cover foreign, federal, and local legal fines related to cyber breaches. Costs associated with investigation, resolution, remediation, consumer notification, credit checking and monitoring, and call management are also typically covered.
Fiduciary Liability Coverage
If a violation of law is involved with a breach, then strict penalties might follow. Fiduciary liability coverage provides protection in the event of such a breach. Protection also includes breaches that require prompt communication of a breach. Coverage for notice expenses might be included. However, it might not cover full forensic investigations or credit monitoring.
Media Liability Coverage
Slander and libel claims, as well as claims for infringement of intellectual property, can be costly. Media liability insurance covers costs associated with claims pertaining to your social media posts, online advertising, and print advertising. Patent infringement claims are not covered.
Professional Liability Coverage
Professional liability insurance provides coverage for liability costs from claims of negligence in providing a service. Consultants, technology developers, and advertising agents are examples of service providers who would be wise to invest in professional liability coverage.
Errors and Omissions
If a cyber event keeps you from providing services or fulfilling contractual obligations, you’ll be thankful you have errors and omissions cyber insurance. Suppose that claims arise from your not keeping up with your obligations or a breach of contract due to a cyber event. In that case, E&O insurance covers the costs associated with legal defense or indemnification. Technology service providers, architects, dentists, lawyers, accountants, and engineers are examples of professionals that could benefit from errors and omissions insurance.
Additional Coverage Available for Cybersecurity
All of the above-mentioned elements of protection are in some way or another incorporated into most cyber insurance policies. However, there are add-on coverage options to provide additional risk mitigation, including:
- Reputation management
- Social engineering
Because these add-ons aren’t standard in most policies, you need to request them to be added to your policy.
Reputation Management Coverage
Some businesses continue to be impacted after a cyber event because of brand reputation issues. Brand reputation damage leads to a loss of business, which means a loss in profits. Reputation management insurance is typically time-limited after an adverse cyber event and helps to mitigate profit loss due to reputational harm.
Replacing damaged equipment from a cyber attack is costly. Bricking is a cyber insurance enhancement that covers the replacement cost of equipment that becomes unusable due to a malware attack.
Social Engineering Coverage
Social engineering coverage protects organizations from money lost due to phishing emails and fund transfer fraud. If you have a crime insurance policy, you will likely already have some level of social engineering coverage. To ensure that you are protected at the right level within each policy, speak with your insurance broker.
Losses Not Typically Covered by Cyber Insurance
Many traditional insurance policies are unclear as to whether or not they cover cyber events. Even if they do, there is a high probability that there will be gaps in coverage. Work with your insurance broker to determine what is or isn’t covered in your traditional policies to ensure that you have the coverage you need and that you fill in any gaps when purchasing cyber insurance. Generally, cyber insurance policies do not cover any value lost due to business intellectual property theft. The possibility of future lost profits is not covered, nor are costs to upgrade after a security breach or cyber attack.
Proactive Tips to Prevent Data Breaches
You can work together as an organization to reduce the risk of cyber attacks and recover more quickly if they do occur. Investing in comprehensive cybersecurity, developing a security incident and cyber breach response plan, and training your staff are all steps to prevent and quickly recover from data breaches.
Implement Comprehensive Cybersecurity
Don’t cut corners when it comes to utilizing firewalls, cybersecurity software, and encryption devices. These are your first lines of defense against cyber attacks.
Develop a Security Incident and Cyber Breach Response Plan
Developing a security incident and cyber breach response plan and testing it are two of the best things you can do to mitigate cyber breach costs. The 2019 Cost of a Data Breach report found that testing an incident response plan was one of the most effective tools to reduce data breach costs. Testing an incident response plan was found to reduce the average total cost by $320,000. The number-one tool to mitigate costs was the creation of an incident response team, which reduced the total average cost by $360,000.
Educate Staff about Cyber Risks and Safety Protocols
Educating your staff about cybersecurity and its importance helps create a united front against cybercriminals and breaches. Some things to consider when training employees:
- Emphasize the importance of updating software and encryption keys regularly. Out-of-date software makes it easier for hackers to make their way into your network.
- Stress the importance of authentication and password changes for security. In a 2016 Data Breach Investigation Report by Verizon Enterprises, 63% of data breaches involved stolen, weak, or default passwords.
- Provide education about phishing emails and scams and what to look for so that employees know when not to open emails and attachments. The Verizon Data Breach Investigation Report found that 30% of phishing messages were opened by the intended user, and 12% of users clicked on the malicious link or attachment, so the attack was a success.
Virtually All Businesses Require Cyber Insurance
If you have operations involving the use of computer networks and software for operations and data storage and sharing of information, you need some level of cyber insurance. Corporations, franchises, small businesses, and self-employed individuals should consider cyber insurance and ensure that they have the necessary level of coverage for their business type, operations, and size.
Privacy crisis management and network security coverage are two types of cyber insurance options that every business should have, regardless of size and type. The larger the company, the greater the risk in most cases, so a higher coverage level is generally required. With that said, if you are a small business or self-employed and don’t have the resources to cover hefty legal fees for allegations and lawsuits, you might want to employ a higher level of coverage geared to your needs.
KBI Helps Businesses Manage Cyber Insurance
Cyber insurance is a crucial element of a comprehensive business insurance platform to mitigate risks and cover costs when needed. KBI is a reputable brokerage firm that supports businesses of all sizes with their insurance needs, including cyber insurance. We will analyze your current risks and insurance plans to determine any gaps and the additional coverage you might need to mitigate cyber threats. From there, we will work with our many cyber insurance providers to find the best pricing available for the policies you need.
Contact us today by submitting our online contact form or calling us at 408.366.8880. We look forward to working with you!
By Chris Freitas