Reasons To Buy Cyber Insurance
Fri, 21 Feb 2014 13:26:19 -0800
Having a thorough understanding of your cyber assets and their value to your business will help you determine if cyber insurance makes sense. Here are the seven main reasons to buy cyber insurance, and some tips for getting the best deal on it.
No. 1: Your Cyber Assets Are More Exposed Than You May Believe
If your business does not have an online presence, it either will very soon, or will likely cease to exist. Between 2001 and 2010, e-commerce in the United States grew at an average annual rate of 38 percent,[i] and in 2012, global e-commerce sales topped $1 trillion for the first time.[ii] All sorts of businesses everywhere on earth have some kind of virtual storefront. To grow your business, you are going to have to join them, and strive to outdo them.
Having an online presence, however, exposes your business to many more risks than the brick-and-mortar world presents. Because your site is available 24×7 across the world, and because a rapidly increasing number of devices can access the internet (smart phones, tablet computers, and traditional laptops and desktops), there are simply more potential opportunities for malicious activities against your e-commerce portal than against a brick-and-mortar store. What’s more, your business insurance probably does not cover the assets threatened by those cyber risks in a way that is commensurate with those assets’ value.
What that adds up to is more opportunities for your, your customers’, and your suppliers’ information to be compromised, either accidentally or maliciously. There are at least five fundamental pathways for cyber losses.
Access Control: You need to be certain of who has access to what throughout your IT systems. How secure are your customers’ credit card numbers? How about the personal information of your employees and business associates? Failing to control access to your most sensitive information is practically an open invitation to compromising that information.
Authenticity: You need to assure the parties you do online business with that you are who you say you are, and that they are who they say they are. If you do not have adequate measures to assure authenticity, you leave your company open to cyber attack.
Availability: This is the flip side to access control. The people you do business with online expect 24/7 access to websites, databases, online services, and accounts, and the information they access must be accurate. Hackers are known to use so-called “denial of service attacks” to interrupt companies’ business for as long as it takes to restore security and operability.
Data Integrity: This concerns the issue of cyber information being altered while in transit between you and your customers, suppliers, and business partners. Measures to mitigate the loss of data integrity include firewalls and frequent and secure data backups.
Non-repudiation: You need to be able to prove that your customers actually wanted the goods or services that you provided them, and that they cannot deny any transaction between the two of you.
Beyond technical issues, how vulnerable is your business to the commercial repercussions of a cyber attack or accidental loss of digital assets? How long would it take for your business to fully recover from a security breach that became widely publicized? Might you be sued for such a breach?
No. 2: If You Are a Small or Medium Business, You Are at the Mercy of Third Parties
The typical Fortune 500 company can afford to keep all of its IT systems in-house. They own and manage their own servers in geo-redundant facilities, develop proprietary software for transacting business and maintaining security, and have precise control over who has access to what areas of their IT systems. Small and medium businesses (SMBs)? Not so much. Most SMBs depend on cloud services for hosting and storage, and they typically find SaaS solutions to be the most economical way of tracking inventory and authorizing credit card purchases. If your provider of cloud or other IT services is responsible for loss or damage to your digital assets, how would you recover those assets and pay for whatever collateral damage the loss caused?
No. 3: General Liability Covers Only Property Damage
You are probably reasonably familiar with the general liability coverage in your commercial insurance policy, and how it protects you from the costs associated with injury and property damage. But if you believe that your policy covers damages to your cyber property, you are probably mistaken. Most standard commercial lines policies do not cover risks such as:
Identity theft resulting from either a malicious or inadvertent security breach. Identity theft refers to the fraudulent use of such information as Social Security numbers, credit card numbers, drivers’ license numbers, birthdates, PIN codes, and employee identification numbers.
Lawsuits alleging trademark or copyright infringement resulting, for example, from information posted or available for distribution from your website.
Inadvertent disclosure of your or a third party’s sensitive information by means of email, instant messaging, or other electronic means.
Degradation of an organization’s digital assets due to computer viruses, worms, or other malware and malicious code.
The costs of monitoring credit card records for persons affected by a security breach at your business.
Theft or destruction of such valuable digital assets as intellectual property or customer lists.
Damage to an organization’s reputation resulting from a cyber security breach.
Interruption of your business due to a hacker crashing a network.
Coverage of such losses and risks usually requires a specific policy for cyber risks.
Many business owners have delayed their search for cyber insurance, thinking: “Who would want to steal my customers’ list? Bigger companies’ digital assets are more valuable than mine.” But what that reasoning fails to take into account is that bigger companies typically have stronger measures to guard against cyber attacks, and that cyber criminals, like any criminals, prefer to pick the low-hanging fruit.
No. 4: Cyber Insurance Covers First-Party Losses
A cyber insurance policy can protect you against damage to and destruction of your IT assets, and costs associated with such damage and destruction. There are six groups of first-party losses. You should be aware of those to which your organization is most susceptible, and those which your insurance agent can provide.
E-commerce Extortion: coverage protects you when extortionate threats, such as those demanding money, securities, property, or services, are made against your business. Covered threats may also include those to disclose confidential information about your business or your customers, to damage or destroy any part of your IT systems, to introduce a virus or other malware into your IT systems, and to deny you internet service. The insurance may reimburse you for any payments made to the extortionist, and for payments made to prevent or mitigate the threat of extortion.
Crisis Management: expenses include the costs of negative publicity brought on by a security breach, cyber attack, or a publicized claim that your business suffered a cyber security breach. Coverage could reimburse your costs to react to such publicity or claims, such as hiring a public relations service to preserve your brand credibility through advertising or marketing communications. Coverage also could reimburse you for the costs you incurred to identify the perpetrator of the security breach.
Security Breach and Identity Theft: expenses include the costs of assessing a security breach or identity theft, and notifying the parties affected by it. The coverage may also reimburse your expenses for monitoring the bank and/or credit card accounts of all affected customers, and the costs of hiring a call center to address affected customers’ concerns.
Computer Fraud: coverage protects you in the event that a hacker steals money or securities from your IT systems. The coverage is available for your accounts and your customers’ accounts, and it can reimburse the damaged party for the value of what was stolen. Coverage is also available for funds transfer fraud, which relates to fraud committed during transfer requests to your financial institution.
Software and Data Recovery: coverage can protect your software applications and databases from damage caused either inadvertently by employees, or maliciously by hackers. The coverage may reimburse you for your costs to restore, replace, or reproduce from backups the information (data) and/or capabilities (applications) damaged or destroyed in the incident.
Cyber Business Interruption: coverage can reimburse you for lost operating profits resulting from business interruptions caused by hackers or other attacks against your IT systems.
No. 5: Cyber Insurance Covers Third-Party Claims
A cyber insurance policy can protect you against claims that your negligence caused damage to others’ digital assets, IT systems, networks, or cyber security precautions. There are four types of third-party claims. As long as you have digital assets of third parties within your IT systems, you may be liable for damages to those assets.
Network, Information and Security Liability: coverage protects you from others’ claims that their finances, property, or person was damaged or destroyed because of your negligence in securing your IT systems. Such damages can result from unauthorized access to or use of your network, such as to commit a theft of identity information. The theft may be mediated by a virus or other malicious code introduced into your network. The invasion may result in denying service to authorized users of your IT systems. You may also be liable for damages caused by failing to notify others that your IT systems have been compromised.
Regulatory Defense Expenses: This coverage protects your business when a government agency makes a regulatory claim against it. The typical agencies that make such claims are the Federal Trade Commission (FTC) and Federal Communications Commission (FCC), and the typical claims they make are formal requests or pleadings, demands for monetary damages or non-monetary relief, criminal charges, summonses, and arbitration requests. The coverage may reimburse you for legal defense and funds to dispute or settle such claims.
Errors, Omissions and Negligent Acts: covers damage resulting from accidents or negligent errors you made in operating your network or other IT systems, such as damage to a customer’s media or other digital assets. The coverage may provide legal defense and funds to settle lawsuits related to the customers’ claims.
Communications and Media Liability: This coverage relates to the unauthorized use of copyrighted material or trademarks published through your IT systems. Copyrighted material could include others’ intellectual property, photographs, artwork, or other content, and even a person’s likeness.
No. 6: Coverage Can Be Tailored to Your Business
While cyber insurance may be a relatively new form of risk management, that does not mean that your choices need to be constricted when it comes to buying a policy. It does pay, however, to shop around. Some agencies and companies have more experience with cyber insurance products than others, and so have a better understanding of what sorts of coverage best suit companies of various sizes in various industries. These companies may also be able to handle and resolve claims more effectively and expeditiously.
Different businesses have different needs when it comes to cyber insurance, so there is no “one size fits all” policy. To get all of the coverage you need, you must understand your business and the risks present in your IT systems, protocols, and policies. Having this understanding will allow for a more informed conversation with your agent. If that agent also happens to represent the company that provides your regular business insurance, you will likely get better service, since the agent will be familiar with your company.
Having a firm grasp on what your digital assets are, what their value is, and how effective your efforts are to keep them secure, will be of enormous help in developing a cyber insurance policy to insure them.
We’ve built an online tool that generates a customized coverage checklist based on answers you provide about your business. Our checklist identifies and explains each coverage you need, and why you need it. Use the checklist when shopping for business insurance or talking to your insurance agent.
No. 7: Coverage May Be More Affordable than You Thought
There are many measures you can take to keep the cost of cyber insurance down. All of these revolve around maintaining the highest standards of cyber security possible at your organization.
If your customers need access to your website 24/7, make sure your internet provider gives you that guarantee. Clearly understand your agreements with third-party providers, such as credit card authorization services or cloud storage services. Be sure that your IT systems are protected by an absolutely reliable firewall. Establish clear and strict access controls throughout your IT systems. Make sure your systems are backed up regularly and the backup image is stored securely. Whatever you do to improve your security posture will likely result in a lower rate.
As a further step toward keeping the costs of your coverage down, involve your lawyer in the crafting of your policy. A familiarity with your company combined with legal expertise will give you the best chance of getting the best deal on the coverage you need.
Conclusion
Think of cyber insurance as another part of maintaining the security of your digital assets. Years ago, you began this process when you first licensed firewall software and subscribed to an antivirus service. Since then, as the IT side of your organization has become more complex, you have been doing what you could to keep sensitive capabilities and information secure. Maybe you have installed a virtual private network (VPN), and use public-key encryption, digital certificates, and digital signatures. Perhaps you have retained the services of a cyber security expert. Ultimately, the value of your organization is the information you possess. Protecting it is a never-ending process. Villains will always be striving to stay one step ahead of those who would thwart their malicious actions. Cyber insurance extends your wall of security one level further.