
Does Your Business Need Cyber Insurance?

March 17th, 2023 – by Eric Lonsinger

The short, easy answer is yes. Just about every business should have at least some level of cyber insurance. The more complicated question is which coverages are right for your business and how much makes sense.

Let’s start at the beginning. Do you need cyber insurance? Ask yourself the following questions:

  1. Does your business handle or store sensitive information such as payment data or customer names and addresses?
  2. Do you have customers that access any of your systems in any capacity (for example: logging into your website)?
  3. Does your business rely on computers or applications to run day to day operations?
  4. Would your ability to do business be impacted if those computers or applications were offline?

If the answer to any of these questions is yes, then cyber insurance is likely something your business should be looking into.

A word to the wise. Many businesses incorrectly assume they have no liability when it comes to handling sensitive data since they use vendor systems to perform their work. For example, as a restaurant you may use a point of sale system with a payment processor that is hosted in the cloud. Or, as a retailer, you may transact through a 3rd party or marketplace which provides the platform and hosts the data.

What most people don’t realize is that, more often than not, those companies have language in their contracts, license agreements and terms and conditions that limits their liability for your customers’ data. This may seem counterintuitive since those platforms do technically handle and store the data, but most are careful to limit their legal liability in the case of a data breach. In many cases, if a provider like this is hacked, the responsibility to respond falls on you.


What Are Your Options?

Let’s review the two most common ways to get Cyber insurance.

First is through an endorsement (add-on) to an existing liability policy or business owner's policy you already have. These are generally very easy to add and the additional premium tends to be very affordable; however, these endorsements typically provide less coverage, and at much lower limits, than a standalone policy.

That may be perfectly adequate for your business, but the only way to really know is to dig into the details with your agent and make sure all of your bases are covered.

The other option is that standalone policy. These policies tend to offer broader coverage and greater flexibility to fit a business’s specific needs and, as you may have guessed, tend to cost more than a packaged endorsement, for good reasons.

Within either type of policy you will generally see the same types of coverages, but the details and limits may vary.

There are 4 common types of coverages you will find when shopping for Cyber Insurance: 1st Party, 3rd Party Liability, Crime and Business Interruption. Just about every policy or endorsement includes some level of 1st party and 3rd party coverage, with Crime and Business Interruption usually optional.

1st Party coverage, simply put, covers the damages and costs you as a business incur as a result of a cyber incident. Most policies extend coverage to address breach response, mitigation, notification and restoration. They provide access to, and payment for, the technical and legal experts needed to assess and respond to a breach and coordinate the efforts to repair and restore your environment.

Cyber Extortion, commonly referred to as Ransomware, is also covered here. Cyber extortion is when a hacker locks your files or systems, preventing you from using them until you pay them money. Believe it or not, the general guidance is to pay because the likelihood of restoration without the hacker's involvement is very, very low.

3rd party liability coverage addresses claims that arise from the unauthorized access to data, or the alleged access to data, along with any regulatory requirements that may result.

This one’s important. If you are sued for allegedly failing to safeguard data, there are a few important points to consider.

First, even if the allegation is baseless, meaning you didn’t get hacked but are simply being blamed for it, a good Cyber policy will still pay for your legal defense. This is a true but often overlooked fact for many liability policies.

Second, if you are found liable for damages, for example someone lost a lot of money and alleges it is because you failed to safeguard their information, then this is where a Cyber policy can be worth its weight in gold.

Cyber-crime typically covers events such as social engineering (when someone tricks you into transferring them money) or funds transfer fraud (when a hacker accesses your systems and transfers money out to themselves). Many policies offer additional coverages such as vendor and client payment fraud. This is when a hacker instructs your customer to send them money while posing as you, and as a result you have lost that payment.

Amateurs hack systems, professionals hack people...

Business Interruption helps your business operate when income is lost due to your systems being down from a cyber incident. Some policies may extend coverage for more general “outages” which do not necessarily need to be the result of a hack. There’s another interesting coverage here called dependent business interruption, which provides the same type of help if a business you rely on is taken down and it impacts your ability to operate. For example, if you sell goods through an online marketplace and that marketplace is hacked and goes down, you can’t sell your goods, and this coverage may kick in.

While this article only scratches the surface of how Cyber policies work, it should provide some context on how they may apply to your business. Ultimately, it’s best to consult with your insurance agent to understand your options and exposures. If you do have questions, then don’t hesitate to reach out to our office.

This content is for informational purposes only and not for the purpose of providing professional, financial, medical or legal advice. You should contact your licensed professional to obtain advice with respect to any particular issue or problem.