Enterprise Magazine Winter 2019


Your Cyber Insurance and You

By Chris Keefer

Cybersecurity is a major risk facing businesses today. In addition to preventive measures such as developing and implementing written protocols with regular training, it is important to have adequate cyber insurance in the event of a cyberattack or data breach. While this seems obvious, you may not be certain what cyber policies cover. First-party cyber insurance covers direct damages your business incurs following a cyber event, such as costs of recovering or repairing lost or damaged data, notifying customers, providing credit monitoring, and business income loss. Third-party cyber insurance covers claims and lawsuits brought by third parties (e.g., customers, regulatory bodies, etc.) against your business following an event. Like any insurance policy, a cyber policy will contain a labyrinth of vague and confusing language as well as gaps and exclusions. Below are some items to look for, along with some strategies to help ensure your cyber policy will work for your business when you need it most.

Adequate Limits & Sub-limits

According to the 2019 Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security, the average cost of a data breach in the United States was $8.19 million, or $242 per compromised record. To determine your exposure, audit the number of confidential records and information—including employee files, business-to-business records, and individual customer data—that could potentially be damaged or stolen. Next, go back to the cyber insurance policy and determine whether your policy limit adequately covers this exposure. Keep in mind there may be sub-limits of coverage for things like computer forensics, crisis management and public relations, customer notification, credit monitoring, and other costs. Each could significantly reduce the overall limit, requiring additional coverage to avoid major out-of-pocket losses.


Business Interruption

Loss of business income due to a cyber event can be a huge component of loss and is often subject to a sub-limit of coverage. As part of your audit, evaluate the level of exposure to business income loss following a cyber event and determine whether this component of coverage is adequate. There will likely be further sub-limits within this business interruption sub-limit, specifically how long you must wait until coverage begins (the “waiting period”) and how long coverage actually lasts (the “restoration period”). You will only be able to recover business income loss within that window, so make sure each is adequate.

Coverage for Fines and Penalties

Companies are legally required to comply with data protection and breach notification standards and may be sanctioned for failing to do so. Earlier this year, Equifax agreed to pay at least $575 million in settlement of fines and penalties over its failure to reasonably secure its network. Fines and penalties can result in massive exposure, and a cyber policy may limit or exclude these. Make sure this coverage is in place, in addition to written cyber protocols with regular training to ensure compliance with data protection and notification regulations.

State-sponsored Acts

Many cyber insurance policies exclude claims that are based on actions authorized or supported by foreign authorities. Given how broadly many of these exclusions are written, every otherwise covered cyber event alleged to be supported in some way by a foreign government could potentially be excluded. According to a 2018 study by Carbon Black, a global cybersecurity vendor, 41% of its investigations involved
