Incorporating Cyber Liability Insurance to your IT strategy
By Jeremy Louise | May 6th, 2016
As we’ve discussed in the past, there are countless cyber security tools and best practices to help mitigate the effects of a data breach as well as the impact they may have on SMBs. As the technology landscape becomes increasingly volatile and BYOD practices more prevalent, many organizations are implementing cyber security tools in addition to – a seldom discussed topic – Cyber liability insurance.
A robust cyber insurance policy helps businesses weather the storm more effectively when a data breach or network security failure has occurred. Unfortunately, many do not understand the scope of what a cyber insurance policy can provide in the event of a network security failure.
Cyber coverage can mean different things to different people. Most commonly, cyber coverage is some combination of four components: Errors and omissions, media liability, network security and privacy.
Errors & Omissions:
E&O covers claims arising from errors in the performance of your services. This can include technology services, like software and consulting, or more traditional professional services like lawyers, accountants, architects and engineers.
These are advertising injury claims, such as infringement of intellectual property, copyright/trademark infringement, and libel & slander. Due to the Internet presence of businesses today, companies have seen this coverage migrate from their general liability policy, to being bundled into a media component in a cyber policy (or a separate media liability policy). Coverage here can extend to offline content as well.
A failure of network security can lead to many different exposures, including a consumer data breach, destruction of data, virus transmission and cyber extortion. The culprits might be looking to shut your network down so you can’t conduct business, either for financial or political gain. Network security coverage can also apply if you’re holding trade secrets or patent applications for a client, and that information is accessed due to a failure of your security.
Privacy doesn’t have to involve a network security failure. It can be a breach of physical records, such as files tossed in a dumpster, or human errors such as a lost laptop, or sending a file full of customer account information to the wrong email address. Companies have also faced liability from returning a photocopier with a hard drive that contained unwiped customer tax records. A privacy breach may also include an action like wrongful collection of information.
Network Security & Privacy Liability Coverage:
What’s unique about the privacy and network security coverage is that both first-party costs and third-party liabilities are covered: First-party coverage applies to your organization’s direct costs for responding to a privacy breach, and third-party coverage applies when people sue or make claims against you, or regulators demand information from you. Recently, a Massachusetts firm was fined $150,000 for slow reporting of an incident.
Some common first-party costs when a security failure or data breach occur include:
– Forensic investigation of the breach
– Legal advice to determine your notification and regulatory obligations
– Notification costs of communicating the breach
– Offering credit monitoring to customers as a result
– Public relations expenses
– Loss of profits and extra expense during the time that your network is down (business interruption)
Common third-party costs include:
– Legal defense
– Settlements, damages and judgments related to the breach
– Liability to banks for re-issuing credit cards
– Cost of responding to regulatory inquiries
– Regulatory fines and penalties (including Payment Card Industry fines)
As with other insurance products, there are a multitude of different plans which cover needs based on specific conditions, so it’s extremely important to understand the entire scope of your organization’s vulnerabilities and how your technology investments are current managed. Example: One plan may cover employee sabotage, as discussed in our previous article, whereas others do not. Also, pay special attention to how data breaches are defined within the plan to ensure proper coverage regardless of circumstances. As with any policy, it is imperative that you discuss the entirety of the plan and your expectations with a trusted broker who can highlight the extent of your business’s liabilities.
Some things to keep in mind when deciding which plan is right for you:
- What are the regulations or requirements for managing technology within your industry? (HIPAA, PCI, CMR, PII…)
- What are the costs associated with being in violation? When you have a data breach how many States will you need to report to?
- Do you store sensitive information off-site?
- How are transactions and payments processed? Are your PCI compliant? Where is data stored? How is it being protected?
- How is your data and network being managed? Are there internal policies to maintain data integrity?
- What security tools are in place? Do they affect coverage in a liability policy should a breach occur?
- Do you have a WRITTEN INFORMATION SECURITY PLAN (WISP-MA CMR 17)
- Do company laptops contain confidential information? Are they encrypted? Are portable storage devices encrypted?
Despite the comprehensive nature of these plans, there are some long-lasting effects which cannot be surmised- including reputation and the trust gained from your business relationships. History has not been kind to SMBs who fall victim to data breaches, with effects that can be catastrophic and long lasting. It should come as no surprise that businesses struggle to recoup not just the immediate costs associated with a breach, but in regaining lost faith from clients or vendors. Unfortunately, without the proper tools, many close indefinitely. Implementing proper security tools and precautions can protect not only your digital properties, but also you most prized commodity- your reputation. For more information on how we limit our clients’ exposure to risk, please contact us. Questions about cyber liability insurance? Contact Rob Ferrini; with NAPLIA Professional Liability Insurance, a long standing Inc. 500 agency serving the insurance needs of Southeastern Massachusetts businesses by phone (866)262-7542 or email email@example.com