Protect Your Data and Your Business with Cyber Insurance

Posted in: Commercial Insurance

The insurance industry knows how to cover your business’ physical assets – desks, chairs, specialty machinery, paper files – but has fewer standards in place for how to cover damages and losses that pertain to data. 

As with any discussion of business insurance, there are two types of policies to consider when it comes to data: loss, which pertains to a physical or economic loss to your business, and liability, which pertains to potential harm done by your business and the damages, including regulatory fines, that may result from that harm.

Tech companies should be well versed in implementing network security to help protect themselves from data loss and liability. But today, everyone, not just tech companies, relies on data, and everyone collects customer data. That applies to the corner restaurant that swipes its customers’ credit cards at lunchtime, the cab service that lets riders pay from their smartphones, the main street shop that uses an online cloud service to store its mailing list and accounting information, and the nonprofit that accepts donations via PayPal. What this wide range of companies often doesn’t realize is that being the keepers of customer data exposes them to loss and financial damage in a way that formerly did not exist.

Non-tech companies like these need to protect themselves and their customers from the possibility of data loss and liability. That starts with a solid network security plan and system, but it should extend to cyber insurance. Understand what steps you need to take to protect your network and what you should do if those steps fail. What policy or policies do you need to secure your data assets so that a computer virus or a hacker doesn’t sink your business?

The standard Business Owners Policy has been around for years and serves as a good jumping-off point. It typically covers damages from loss and liability, meaning that if you lose customer information that was written on paper and stored in a file cabinet, you are probably already covered. But that standard Business Owners Policy doesn’t treat data the same way that it treats tangible property. If, for example, critical information that was stored on a computer was lost due to a computer virus, are you covered for the loss? Unless you’ve set up a cyber-specific insurance plan, the answer is … likely not.

Consider the following examples before talking to your insurance provider:

  • If your accounts receivable information is stored on an external hard drive, that device should be insured for its full value. A standard business policy should protect you against its loss through flood, fire, or physical theft; an additional cyber-specific policy should protect you against loss through computer hacking or viruses.
  • If your customers’ credit card information is stolen, you could face quickly mounting fines and costs. In fact, recent studies from the Ponemon Institute have shown the cost of a data breach to be around $188 per record. That means, if every customer during one day’s lunch hour at a local restaurant had their credit card information compromised, that restaurant could immediately expect to pay (for 200 customers) almost $38,000.
  • The same report says that in the case of a doctor’s office, which may hold records for hundreds – or even thousands – of patients, the damage can be even more devastating. The cost of a health care data breach is on average $305 per record. If a doctor’s office has just 1,000 patients, that’s more than $300,000 in fines.

As major insurance carriers work to differentiate their cyber insurance brands in the marketplace, consumers face a bevy of new and confusing coverage terms. This also means every cyber insurance policy form is different and must be carefully reviewed. On a broad basis, the term “cyber insurance” includes two types of coverage:

  • First Party insurance typically provides coverage for direct losses of cyber assets and can include insurance to respond to regulatory costs associated with the release of confidential personally identifiable information (PII).
  • Third Party coverage is legal liability insurance designed to respond when your business is alleged to have caused a loss to another party. This is typically required by contract and is almost exclusively offered on a claims-made basis.

Policies can be tailored to cover a range of potential issues, including (but far from limited to):

  • Credit Monitoring Coverage: Covers costs and expenses incurred by the insured to offer credit monitoring services to parties impacted by a privacy breach.
  • Regulatory Coverage: Covers the cost of proceedings or fines against the insured by a regulatory agency resulting from a violation of a privacy law.
  • Network Interruption Business Income and Extra Expense Coverage: Covers the loss of income and any expenses incurred to reduce that loss and to minimize the duration of a network interruption, as well as forensic expenses and the loss of data due to a network attack or a denial of service attack.
  • Network Asset Protection (including Non-physical Business Interruption): Covers costs required to recover or replace data that is compromised, damaged, lost, erased, or corrupted. Coverage also includes business interruption and extra expense coverage for income loss as a result of the total or partial interruption of the insured’s computer system.

Curious about the state of your network security? Download our data security checklist to see where you stand.

For more information about cyber insurance and help with valuing and protecting your data, please feel free to contact me at jnapp@psafinancial.com.