1. Applying is a Risk Management Activity
Simply applying for cyber insurance can help protect your company’s confidential data even if you do not end up finalizing a purchase. Cyber insurance applications ask about the processes and procedures a company has in place to mitigate cyber breaches. They make insurance buyers think. They ask questions like: Do outgoing payments have dual factor authentication? Are employees trained to spot breaches? Are systems backed up and updated regularly? Does an outside IT security firm perform audits or monitor the business systems? Does the business have a Chief Technology Officer? If so, what is their experience? Here is a link to a real cyber insurance application: https://www.cfcunderwriting.com/media/1568/cyber-combined-application-usa.pdf
2. You Are Not Covered
Unlike traditional business insurance such as general liability, which provides coverage for bodily injury and property damage claims, cyber insurance is primarily designed to provide coverage for financial loss. General liability (GL) insurance is near useless when it comes to data breaches.
GL is littered with electronic data exclusions and excludes forensic expenses, credit monitoring expenses, confidential data breach, reputational harm, etc. Crime policies even exclude confidential data. Business Owner’s packages (BOPs) also limit electronic data to specified perils, traditionally only come with $10,000 of coverage (which is laughable), and exclude viruses as a covered cause of loss.
Personal and advertising injury coverage (included in general liability), which is coverage for bodily injury from false arrest, detention or imprisonment, invasion of privacy, wrongful eviction, and infringing on another’s copyright, trade dress or slogan in your advertisement, is also limited in the GL. There are exclusions for patent, trademark, and trade secret claims, for media and internet-type businesses, and for businesses whose websites have chatrooms or bulletin boards.
3. Cyber Insurance is Affordable
Costs vary greatly by company size and revenue, but a minimal $1,000,000 limit of coverage can typically range from $1,500 to $5,000 annually. The cost is decreasing because insurance companies now have more underwriting data. Cyber insurance in general has only been in the marketplace for about two decades, as opposed to other products like auto insurance or homeowner’s insurance, where insurance companies have many decades of underwriting and claims data.
4. It’s “Required” by Law
Pretty much all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. Cyber insurance can help pay fines and penalties. Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information). Here is a complete list: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Here are some other laws you may recognize with data breach implications:
Health Insurance Portability and Accountability Act (HIPAA)
The Health Information Technology for Economic and Clinical Health (HITECH) Act
Gramm-Leach-Bliley Act
5. It May be Required by Contract.
Federal government contractors, IT services firms, software developers, and technology companies may be required by a vendor or customer contract to carry some cyber insurance. Signing confidentiality agreements, master service agreements, or any contract with insurance implications may go smoother if cyber insurance is in place. It shows the other party you are serious when it comes to protecting their data.
6. Your Data Breach Response Plan Is Simplified
Cyber insurance policies put all the cyber incident specialists at the policyholder’s disposal. In other words, if a breach happens, you submit a claim and let your cyber insurance company do the legwork of coordinating responses from a breach coach, an IT forensics firm, a PR agency, notification service providers, call centers, and legal counsel. Many cyber insurance companies also give additional “pre-breach” services to policyholders, like online security awareness training and education, 24/7 cyber hotlines, response readiness assessments and pre-breach white-hat hacking services.
7. Accidents Happen.
Many studies show the majority of breaches are a result of human error. Cyber insurance can help pay the breach costs from an accident like a financial controller forgetting to password-protect a spreadsheet or a salesperson forgetting their company laptop in an Uber. The infamous Equifax data breach that exposed records of about half the population of the entire U.S. was reportedly due to the mistake of Equifax employees not properly patching software, i.e., human error.