In 2017, there were 1,579 data breaches in the U.S. according to a report published by the Identity Theft Resource Center and CyberScout. This represented a 44.7 percent increase over the number of breaches recorded in 2016. A data breach or other type of cyber attack can seriously impact your business. It can damage your data, generate lawsuits against your firm, and harm your company's reputation. You can protect your business against many of the effects of cyber crimes by purchasing cyber liability insurance.
Do You Need It?
Cyber liability coverage can benefit any company that uses electronic data in its day-to-day operations. You may need this coverage if you do any of the following:
- Communicate with customers via email, text messages or social media
- Send or receive documents electronically
- Advertise your company via electronic media, such as a website or social media
- Store company data such as sales projections, accounting records, tax documents, and trade secrets on a computer network
- Store personally identifying information (PII) about employees, customers, clients, patients or prospects on a computer network. Examples of PII are names and addresses, credit card numbers, birth dates, and social security numbers.
- Sell products or services or provide information to customers via a company website
While these activities may allow your company to operate efficiently, they generate risks. The data you store on your computer system could be breached, resulting in lawsuits against your firm. The data could also be damaged due to a virus, hacker attack or other cause. Restoring or repairing the data could be very costly.
Cyber Claims Not Insured by CGL Policy
Cyber liability insurance covers claims stemming from events like data breaches and denial of service attacks. Such claims aren't covered by a standard commercial general liability (CGL) policy. One reason is that damage to electronic data doesn't qualify as property damage because electronic data is not considered tangible property. Secondly, most CGL policies contain an electronic data exclusion. This exclusion eliminates coverage for claims based on the loss, damage, corruption, or inability to use data.
Cyber Liability Policies
Cyber liability policies protect businesses against lawsuits filed by customers or other parties as a result of security or privacy breaches. They cover claims against your business alleging you failed to protect sensitive information stored on your computer system. Policies vary widely. Some include media liability insurance, which covers claims alleging libel or slander, invasion of privacy, and other intentional torts. Virtually all cyber liability policies apply on a claims-made basis.
In addition to third-party liability, most cyber policies cover various first-party expenses. Here are some examples:
- Business Income and Extra Expense. Covers income you lose and expenses you incur due to a full or partial shutdown of your computer system because of a hacker attack, virus or other insured peril. Such losses aren't normally covered under the business income and extra expense insurance that is available under a commercial property policy.
- Loss of Data. Covers the cost of restoring or reconstructing data that was lost or damaged due to a virus, hacker attack or other covered cause.
- Associated Costs. Covers costs you incur to notify customers impacted by your data breach as required by law. Some policies cover the cost of providing credit monitoring to affected customers.
- Cyber Extortion. Covers the costs associated with an extortion threat, including ransomware. For example, an extortionist installs ransomware on your computer system and then refuses to release your data unless you pay him a sum of money.
- Crisis Management. Covers the cost of hiring legal, public relations, or computer forensics consultants to help mitigate the loss and restore your company's reputation.
Some insurers have developed special cyber liability policies for certain types of businesses, such as technology companies or health care organizations. Many insurers offer coverages on an "a la carte" basis so that customers need buy only the ones they want.
How to Obtain Coverage
Some insurers offer cyber liability insurance directly to customers while others sell it through agents and brokers. If you already have an agent, ask him or her to submit an application on your behalf to an insurer that offers the coverage. The application is likely to include detailed questions about your firm's computer system and its security policies. Here are examples of the types of information insurers will need before they can issue a policy.
- Network Security. What types of security measures does your firm have in place? Does it have a firewall, anti-virus and malware protection, intrusion detection software, a secure password system, etc.? Does it update software regularly?
- Responsible Person. Who is responsible for network security?
- Security Policy. Do you have a written physical and network security policy?
- Employees. Do you conduct background checks on all new hires? Do you train workers regularly on data security?
- Remote Access. Do employees, customers or others access your system remotely? If so, what system is in place to authenticate users?
- Sensitive Data. What types of personally identifiable information do you collect, transmit or store? How many records containing such information do you handle each year? Do you encrypt the data? How do you control access to sensitive data?
- Data Controls Testing. Do you periodically test your data control measures?
- Data Backup and Storage. Do you back up your data daily? Where are the backups stored?
- Outsourcing. Do you outsource any computer functions (such as data storage) to others?
- Response Plan. Do you have a written data breach response plan you would follow in the event of a computer-related incident?
Article edited by Marianne Bonner