Cyber Risk & Data Breach Insurance

With large scale data breaches occurring weekly and attracting significant media attention, companies today are well aware of cyber risk. However, many SMBs (small and mid sized businesses) have been slow to react. Why? This is mainly the result of a false sense of security, a failure to understand exposures, and a misunderstanding of cyber risk insurance itself. Due to the media attention surrounding large scale breaches (and the lack of it for smaller scale breaches), many companies operate under the false assumption that they are less at risk than Fortune 500 companies, being a less attractive or insignificant target. This is, in large part, false. “Black code” does not discriminate - cyber criminals are opportunistic, seeking financial gain wherever they can. In fact, smaller companies are often softer targets due to their relaxed approach to information security and unestablished internal controls. One look at an online breach archive will indicate the true frequency of smaller scale breaches and present a considerably more accurate picture. Compiled statistics indicate:

  • 60-75% of breaches were against SMBs (small to mid sized companies under 250 employees)
  • Industries most affected are: healthcare, finance, retail, technology and professional services
  • More clients and VC/PE firms are requiring cyber insurance

Due to the failure of many risk professionals to properly educate companies on cyber risk, many SMBs (small and mid sized businesses) believe cyber insurance is only intended for retailers and financial institutions, to cover the risk of payment processing and the storage of personal information. This is also false. It is often more helpful to think of cyber liability policies as providing protection against computer/digital related risk in general. Strong cyber coverage (when properly structured) provides protection against a broad range of claims, including, but not limited to:

  • Theft of clients’ IP & trade secrets (in addition to the more obvious personal and health information)
  • Resulting lost income from network interruption and cyber incidents
  • Extortion demands from ransomware attacks which hold a website/data hostage
  • Financial damages from viruses & malicious code, and liability for the transmission of viruses to clients, vendors and 3rd parties
  • Malware & phishing attacks (and possible social engineering schemes)
  • Theft of paper records
  • Employee errors & rogue employees
  • Loss of laptop or mobile devices with protected information
  • Media liability for lawsuits alleging IP/copyright infringement
  • Coverage for regulatory & forensic investigations 

Cyber liability insurance policies are not standardized products (like personal auto insurance). These policies are manuscripted and individualized by the underwriter/carrier, requiring careful review, coordination, and negotiation. The custom nature of these policies offers both benefits and disadvantages. Policies may initially carve out critical coverages to limit the carrier's exposure; this can be easily missed by inexperienced risk managers/brokers and makes coverage comparisons extremely difficult (if possible at all) for the buyer. However, this also allows companies to negotiate and carve back critical coverages, tailoring policies to their exact needs and effectively giving insureds (almost) manual control over the premium. This is, however, a delicate balancing act, accentuating the importance of partnering with a knowledgeable broker - obtaining a strong, well structured package will depend on their expertise. A corporate law firm may purchase a cyber policy for $20k per year, but a single definition, such as a requirement that the affected data be personal information rather than corporate non-public information, could render it useless in the event of a breach.

With much of the cyber risk landscape being uncharted waters, it is more important than ever to partner with a broker that understands your company’s exposures/needs. GB&A is particularly well aligned to meet those needs.

  • 1st Party Coverage

    First Party coverage reimburses the company/entity for costs and financial damages incurred as a result of a covered breach. Those can include (but may not be limited to):

    • PR expenses
    • Legal advising
    • Notification Costs
    • Credit Monitoring Costs
    • Forensic Investigation Costs
    • Loss Of Business Income
  • 3rd Party Liability Coverage

    Third Party liability coverage provides coverage for damages caused to other 3rd parties (such as clients, suppliers, vendors, etc.) as a result of transmitting, or failing to protect against, an intrusion or breach.

    • Resulting Liabilities
    • Defense Costs
    • Settlements
    • Damages
    • PCI Fines
    • Regulatory Damages
  • Coverages To Look For
    • Damage caused by viruses/malware/self propagating code
    • 3rd party processors and cloud providers
    • Loss Of Business Income
    • Contingent Business Income
    • Automatic ERP (extended reporting provision)
    • Restoration Of Digital Assets
    • Coverage for paper files
    • No "encryption requirement"
    • Full Prior Acts
    • Duty To Defend (Vs Duty To Indemnify)
    • Coverage for corporate confidential information 
  • Who Needs Data Breach Insurance?

    Most organizations have some level of cyber risk. Retailers processing payments on POS terminals, healthcare institutions storing personal health information, and corporate law firms focused on mergers and acquisitions are all at risk; only the nature of that risk and the needs of the organization differ. Where one company may have a significant need for 1st party coverage for lost income, another may have a greater need for 3rd party liability coverage resulting from stolen data. However, the industries most affected by breaches tend to be: healthcare institutions, financial institutions, manufacturers, retailers, tech companies and professional services firms (accountants and law firms).

  • How Does Cyber Insurance Work?

    Just like errors and omissions insurance, cyber risk insurance policies are claims made policies, which means that coverage must be in force at the time a claim is made. For example, a hacker might deploy a spear phishing attack and gain access to your network today, collect information over the course of months (or even years), then sell that information on the dark web. By the time authorities/regulators discover that your computer system is infected, a year or two might have elapsed. Even though the malicious code infected your computer 2 years ago, the claim will be made on the date the breach is discovered, which will trigger the policy's terms and limits in force at that time. This is why it is critically important for companies to carry over the "retroactive" dates of their policies when replacing coverage from one insurer to another. Even companies that discontinue their operations continue to carry a certain level of risk for a prolonged period.

  • How is Coverage Structured and Purchased

    Cyber policies offer a great range of available coverages, such as coverage for ransomware and extortion demands, media liability for copyright infringement, lost income resulting from a virus or breach that affects a cloud provider, and coverage for regulatory investigations and fines following a breach. Not all companies require all of the coverages. Cyber policies can be constructed à la carte to match the risk profile of the buyer. For some companies a simpler "cyber endorsement" added onto their general liability policy may provide sufficient coverage; however, companies that require robust protection will likely want to purchase a stand alone cyber policy. Often, organizations can also significantly broaden the coverage they are purchasing simply by knowing the right questions to ask and which terms to negotiate, which is why it is important for companies to work with an experienced broker when crafting their programs. Brokers that are unfamiliar with the intricacies of cyber policies may structure coverage incorrectly.

  • What Is Not Covered?

    As we have noted above, policies can vary greatly. Some basic policies contain exclusions for items such as "non-encrypted data", losses resulting from paper files, and/or lost income, which is why it is important to carefully review the policy terms and conditions. But even broad, stand alone policies have their limits. Claims such as lost income resulting from a social engineering attack, theft of IP, DDoS attacks affecting offsite providers, and informal regulatory investigations are excluded in just about every policy. If your organization has a specific concern, such as the potential theft of IP or source code, it is important that you have a discussion with your broker in the early stages.

  • What Other Insurance Should We Consider?

    Companies that are concerned about social engineering attacks (business email compromise) should purchase crime insurance with a social engineering endorsement. The other policy that we always recommend is directors and officers insurance (D&O). D&O provides protection for cyber related litigation such as consumer class actions, shareholder class actions and derivative claims. It is, however, important to review the terms of your D&O policy when purchasing to ensure that it does not contain a broad cyber related exclusion precluding coverage for such claims.

Get (Risk) Managed.

Ready to review your existing insurance program? Interested in setting a reminder for a renewal review? Or simply have a question? We're here to help. We also understand you're busy - let's schedule a time to speak that works best for you. Simply schedule a call and we'll reach out when it's convenient.