What you need to know about Cybersecurity (Breach) Insurance
Almost daily, the news reports on companies, small and large, that are under attack or have had sensitive data disclosed by outside parties or internal employees. A data disclosure or breach can dramatically affect your bottom line through regulatory penalties, civil lawsuits, and IT support to fix the problem, not to mention the damage to your brand. In many cases, a breach of information can completely destroy a business, leaving the owner with hundreds of thousands of dollars in liability.
In the wake of all the cyber activity affecting businesses, insurance companies have started providing Cyber/Breach Insurance policies. These types of policies should really be a part of your overall business insurance portfolio, especially if you store any personal or regulated information (Personally Identifiable Information, Credit Cards, Medical Information, etc.).
As with all insurance, there are key points to keep in mind when selecting a policy. These are not all-encompassing, but they will give you a good place to start when evaluating a policy.
- Discovery – In most cases, it takes weeks, months or sometimes even years before a breach is discovered or disclosed
- Accidental Disclosure – If this occurs through your or an employee’s inadvertent action, the result can be just as damaging as a hacker stealing your data
- Potential Costs – These can quickly go beyond lawsuits and regulatory penalties
  - Incident Response / Crisis Management Team(s)
  - Forensics Experts
  - Specific legal counsel
  - New IT equipment
  - Public Relations
  - Credit Monitoring
  - Reputational losses
- Exclusions – These are the primary exclusions, and your policy could have all or some of them depending upon your carrier.
  - Cyber-Terrorism – I would have them define what that actually means, especially in the wake of the recent hacks against Sony, Home Depot, etc.
  - Intellectual Property (IP) Stolen – This is such a subjective area, and thus they are not willing to cover your specific IP.
  - Paper Files – Some insurance companies may not cover any information that is within paper documents
  - Claims by Government/Regulators – This could affect fines or defense cost coverage, which would leave a gap
  - 3rd Party Data – If you entrust data to a third-party vendor (Cloud, HVAC, anyone really), there is a possibility it may not be covered
  - Encryption – The policy may be void if you did not use encryption with your data, which in reality truly complicates matters
  - Negligence – The failure by the business to install software updates or security patches. This could cause you just as many complications as the above bullet on encryption.
Bottom line: Cyber insurance can help reduce or transfer your overall liability risk by offsetting your financial losses, but the fine print needs to be completely understood.
Have a blessed day!