By: Karen Cohen on January 29, 2022

Cyber Liability Insurance: What Is It? Why Is It Important?

Cybersecurity

In today’s world, everyone who conducts business online is exposed to cyber threats. It used to be that large corporations were the target of cyber attacks and ransomware, but recent media coverage shows it can happen to any business (or governmental agency) no matter the size. 

Whether your organization is large or small, you’ve likely been wondering about cyber insurance. What is it? What protections does it offer? How much does it cost? 

At Kelser, our primary role is to provide advice and counsel about IT solutions (including cybersecurity). 

We know that managed services (and cyber insurance) might not be right for everyone, but we’re committed to providing unbiased information that helps educate people so they can decide what is right for their organization. 

In this article, we’ll walk you through some of the cyber liability insurance options currently available, some related liability examples, and we’ll provide a cost estimate for a cyber liability insurance policy. 

By the time you are done reading this article, you’ll have a better understanding of the risk, the options, and the cost of cyber insurance, so you can make an educated decision about whether or not it makes sense for your organization. Let’s get started. 

What Is Cyber Liability Insurance?

As we all know from watching the news, online communication has resulted in claims ranging from discrimination to privacy, intellectual property to defamation, and even some claims seeking damages for the transmission of computer viruses from one organization to another. So, how can organizations protect themselves?

Cyber (also known as “data breach” or “privacy”) insurance policies are designed to cover specific losses that may result from electronic activities including email, video conferencing, data collection and storage, and more. 

According to the Travelers insurance company website, cyber liability insurance policies provide a business with a “combination of coverage options to help protect the company from data breaches and other cyber security issues.”

What Kinds Of Cyber Insurance Policies Exist? What Do They Cover?  

Among other things, cyber policies cover the costs an organization may incur when it is hacked. There are two kinds of cyber insurance policies:

1. Third-Party Liability Claims Insurance

We’ve all read about data breaches that result in the exposure of personal information (such as Social Security or credit card numbers) by cybercriminals who gain access to an organization’s electronic network.

Third-party liability policies protect companies from a variety of expenses associated with data breaches.

Such protections may include:

      • Notification Costs

Protection against the costs that companies incur every time they need to contact customers about a potential data breach.

      • Credit Monitoring Services

Coverage of the fees associated with providing credit monitoring for two to three years for everyone affected.

      • Privacy and Network Liability

This defends against claims filed against your business because of a cyber event such as the disclosure of sensitive data due to a stolen device or a data breach. 

      • Regulatory Fines

This could cover government fines and penalties imposed as a result of a cyber event or a violation of privacy regulations.

      • Payment Card Penalties

Companies that process credit card payments may be protected against fees associated with system breaches such as fines, penalties, and investigation costs.

      • Media Liability 

Claims filed against a business because of the release or display of material on websites, in print, or distributed via other media outlets, may be covered. These could include costs associated with allegations such as copyright infringement, slander, libel, and defamation. 

2. First-Party Liability Claims Insurance (for direct loss)

First-party claims include costs due to physical or structural (i.e. infrastructure) damage. The coverage may include costs suffered as a result of a cyberattack such as:

      • Ransom Payments

Expenses or payments made in response to cyber extortion or a ransomware attack.

      • Data & System Recovery 

Costs incurred to restore computer system(s) to previous functionality (including restoring, retrieving, repairing, or reinstalling data or software).

      • Business Interruption

Reimbursement of lost income and expenses incurred as a result of an operations interruption or slowdown.

      • Supplier Business Interruption

Covers company income loss and expenses due to a cyber incident at a vendor or supplier.

      • Reputation Damage 

Income loss that results from a cyber event becoming public and damaging the company's reputation.

      • Cyber Incident Response

Costs involved in responding to a cyber event, including legal fees, computer forensic expenses, and image mitigation (or public relations) costs. 

What Kinds Of Cyber Claims Have Been Filed? What Have Been The Costs?

In the real world, cyber claims take many forms. Here are a few claim examples from the public websites of Travelers, MMG, and CoverLink Insurance:

  • Disgruntled Former Employee

A former employee, whose passwords hadn’t been changed when he terminated employment, hacked a transportation contractor. The company computer system began to act erratically, crucial software programs were unavailable and large amounts of data appeared to have been deleted. 

An outside IT firm was hired to recover electronic data, input other records only available in paper form, reinstall software, re-configure the insured’s servers, and repair additional damage to the computer system. Damaged cargo tracking software also was replaced. 

The company lost several days of business while issues were being addressed. A public relations firm was hired to help the company communicate with customers about the incident. 

Total Loss: $33,850 

  • Data theft or cyber extortion

A U.S.-based information technology company contracted with an overseas software vendor. The vendor left certain “administrator” defaults on the company’s server and a “hacker for hire” was paid $20,000 to exploit the vulnerability.

The hacker demanded an extortion payment, threatening that if he didn’t receive it, he would post records from millions of registered users on a blog available for all to see.

The extortion expenses and payments are expected to exceed $2,000,000.

  • Stolen laptops

A regional retailer contracted with a third-party service provider. A burglar stole two laptops from the service provider containing the data of over 80,000 clients of the retailer. 

According to applicable notification laws, the retailer - not the service provider - was required to notify the affected individuals. 

Total expenses incurred for notification and crisis management were nearly $5,000,000.

  • Data Breach

A clothing and accessories manufacturer suffered a data breach of their online ordering system (which supports 50% of their revenue). 

The FBI notified the company that a hacker they arrested had the credit card numbers of 500,000 of the company’s customers in his possession. 

The company hired a forensic investigator, as required by the Payment Card Industry Agreement. The investigator determined that the cybercriminal had compromised online shopping carts for six months, stealing names, addresses, credit card numbers, expiration dates, card security codes, and email addresses.

The company had to pay to notify affected customers as required by state law and also offered a full year of free credit monitoring. 

A public relations firm was hired by the company to maintain customer confidence and limit reputational damage. The company was also subject to regulatory fines and penalties.  

The potential cost to the business could exceed $10 million. 

  • Phishing Incident

A medical group employee opened a phishing e-mail that infiltrated their centralized network.  Anti-virus software failed to keep out the malicious code, exposing names, addresses, birthdates, medical record numbers, medication, dates of service, and diagnoses of 1200 patients. 

The medical group hired a computer forensics investigator, who determined that PHI (protected health information) had been compromised. The medical group notified the affected individuals and hired a public relations firm in anticipation of bad publicity. 

In addition, the Office for Civil Rights launched an investigation. The medical group was fined as a result of a HIPAA violation for having unsecured access to the network.

The estimated costs for this event could be nearly $600,000.

How Much Does Cyber Insurance Cost? 

The cost of cyber coverage can vary from business to business. Some of the variables that affect cost are the size of the organization and the industry the business is in.

In general, small businesses can obtain a nominal amount of cyber liability coverage (both third- and first-party) with a limit of $50,000 for a few hundred dollars per year. 

Online estimates state that coverage for medium- to large-sized businesses (depending on industry) can range from a couple of thousand to tens of thousands of dollars per year.

Another source, Embroker.com, a digital insurance provider, says “A recent study performed by AdvisorSmith Solution Inc. found that the average cost of a cyber liability policy in 2019 was $1,500 per year for $1 million in coverage, with a $10,000 deductible.”

The cost for cyber liability premiums will likely increase with the continuing rise in cybercrime. 

When evaluating risks and pricing an account, some of the factors underwriters consider include the company’s disaster and business continuity planning, cyber awareness & training, IT risk, and system security.

How Can You Be Sure Your Organization Has What It Needs?

In this article, we’ve talked about the differences between third-party and first-party insurance, some of the cyber risks organizations face, the potential costs of data breaches, and the rough cost of cyber insurance. 

We present this information, not as a scare tactic, but to be sure you know the risks and the associated benefits. Armed with this new information, you may or may not decide that cybersecurity liability insurance is right for your organization. 

This article also may have gotten you thinking about the security of your IT infrastructure. You may be wondering if you are really covered in the event of a data breach or other network issue. The last thing you want is to find out after the fact that the answer was no.

In addition to investing in cybersecurity liability insurance, managed services providers (MSPs) like Kelser can help enhance your cybersecurity posture to minimize your risk. For the past 40 years, we've been helping companies just like yours and we'd love to put our IT knowledge to work for you. 

Find out how an MSP can help protect your organization in this article: 6 Ways MSPs Help Businesses Continue When Disaster Strikes.

Or, if you'd like to find out more about how Kelser can specifically address the cybersecurity issues your organization is facing, fill out this form and one of our knowledgeable IT experts will contact you.

About Karen Cohen

Karen brings unending curiosity to her role as Kelser's Content Manager. If you have a question, she wants to know the answer.
