Cyber Liability Insurance 101
Since October is Cybersecurity Awareness Month, we thought it would be an ideal time to cover one vital aspect of cybersecurity for your firm: cyber liability insurance.
It’s likely that your financial services firm collects, transmits, stores, views, and interacts with personally identifiable information (a.k.a., social security numbers, email addresses, and login IDs). As such, it’s possible the chances of falling victim to a cyberattack are exponentially greater for you and your firm. In fact, these pervasive and increasingly sophisticated attacks are why having cyber liability insurance is now considered an industry best practice.
So, if you don’t currently have cyber liability insurance, how do you evaluate the kind of coverage you need and the costs involved? As with many insurance questions, a logical place to start is with limits and deductibles.
Not All Policies Are Created Equal
Most policies cover similar items—but they aren’t identical.
Package policy. When coverage is purchased as an endorsement or rider to another policy (i.e., a package policy), it often has a much lower dollar amount (i.e., limit) the insurer will pay for a claim but at a significantly lower premium. When coverage is purchased this way, it is not meant to shield large losses and often includes only a few of the coverages that truly help in a data incident (more on that below).
Stand-alone policy. A stand-alone policy, on the other hand, has much higher limits and more coverage options, but at a significantly higher premium. Our focus here will be on stand-alone policies.
These policies often come with one limit instead of a per-claim and aggregate limit, with the most often recommended minimum limits being $1 million, $2 million, and $3 million. Deductibles for these policies typically come in increments of $2,500. It’s important to note that while premiums can be lowered by increasing the deductible, the insured will have to pay more up front when a breach occurs.
Cover Your Losses
Having the right limits and deductibles is just one piece of an effective cyber liability policy. You must also ensure that it has the proper insuring agreements, so any potential losses are covered.
Network security and privacy liability. Here, you will find the bulk of the policy coverage. This agreement covers legal defense costs, damages, and other expenses that arise from the theft or improper disclosure of confidential client and employee information (e.g., social security numbers, dates of birth, and addresses) in the insured’s care.
Regulatory defense and penalties. Although network security and privacy liability coverage protects against civil suits, regulatory defense and penalties coverage protects against losses from regulators. This insuring agreement covers attorney’s fees associated with a formal regulatory or administrative investigation. It also provides coverage for any fines or penalties that may be incurred due to the investigation. With regulators such as the SEC increasing their cyber enforcement, regulatory defense coverage has become increasingly important.
Extortion and ransomware. Insurers often cite extortion and ransomware as the principal risks they cover, and, as such, it’s essential they are included in any cyber liability policy. As the name implies, this coverage includes the associated costs and extortion demands resulting from ransomware attacks where a cybercriminal holds a website, data, or software “hostage.”
Data breach response costs. An often-overlooked facet of a data breach is the cost associated with learning what was taken, investigating how it was taken, and protecting those affected. Data breach response costs provide for the expense of any required forensic investigation, identity restoration, notification, and credit monitoring.
Crisis management expense. A data breach can cause significant damage to a company’s reputation—and restoring consumer confidence can be difficult and expensive. With crisis management expense coverage, you can hire a public relations firm to rebuild your organization’s brand and reputation.
Business interruption and data restoration. Although all of the agreements listed above cover “costs,” business interruption and data restoration provides coverage for the resulting lost income and costs to restore data and networks. Data breaches, ransomware attacks, and system failures often result in lost profits, especially if sustained for a prolonged period, since the insured is kept from being able to perform normal duties. Cyberattacks can also result in the theft or corruption of critical data that takes time to restore.
It’s important to read this agreement carefully. It can sometimes be limited to security incidents, whereas others will provide coverage for lost income resulting from a system outage. Limitations can be further pressed onto the policy by specifying that it only provides coverage for incidents directly affecting your networks, while more comprehensive coverage will include business service providers.
Know the Limits
Now that you know the types of available coverage, you may be wondering where to buy a policy. Many advisors purchase cyber liability policies through existing relationships with their property and casualty insurance agents. If you decide to purchase a policy, we recommend that it have a minimum of $1 million in limits, with insuring agreements that cover:
Data forensic expenses to figure out what was taken and how
Notification and identity monitoring costs for individuals affected by the breach
Legal services to pay for regulatory and civil defense costs
Business interruption coverage for revenue lost due to the breach
Extortion costs for ransomware attacks
Public relations to rehabilitate an injured public image
The Risk Reality
The reality is that we are all at risk of a data breach. By making sure you have the right coverage, limits, and deductibles, you can reduce the overall costs of a cyber liability insurance policy—and limit the damage and disruption to your business and clients.
This material is for educational purposes only and is not intended to provide specific advice.