Most businesses invest in physical security and general liability insurance, but cybersecurity is usually limited to a firewall and some antivirus software. Unfortunately, this leaves many small businesses exposed to the high cost of cyber attacks – which are increasing in frequency.
According to Gartner, a global research and advisory firm, 43% of major data loss victims immediately go out of business and only 6% survive the next two years.
Let’s take a look at why you need cyber insurance, what cyber insurance policies cover and how to choose the best cyber insurance policy for your business.
Why You Need Cyber Insurance
More than half of all small businesses experience a cyber attack or data breach in a given year. On average, these businesses experienced about $880,000 indirect losses due to the damage or theft of IT assets, and another $955,000 in losses from disruption to normal operations, according to SmallBizTrends.
Despite the high cost and prevalence of cybercrime, about half of small businesses don’t allocate any budget to risk mitigation. Most small businesses don’t regularly upgrade software, monitor credit reports or encrypt data. And only about a quarter of businesses have cyber insurance.
Without cyber insurance, small businesses may be responsible for significant costs arising from a data breach. These costs include lost business, regulatory investigations, customer communication costs, data asset losses and any court fees and settlements from legal action.
What Does Cyber Insurance Cover?
Cyber insurance policies were originally developed by Lloyd’s of London in 2000. At the time, the policies were designed to cover business interruption and potential liabilities if one company negligently transmitted a virus to another company, which wasn’t covered by general liability insurance.
Since then, more than 80 insurance companies have started providing cyber insurance policies with broader coverage. Modern cyber insurance policies cover the payment of fines and penalties, credit monitoring costs, public relations costs, the cost of restoring private data and more.
General Liability vs Cyber Insurance
Most businesses have general liability insurance policies that cover bodily injuries, property damage, and advertising injuries. While some business owners may think of their data as property, there’s a big difference between tangible and digital property in the insurance world.
General liability policies usually specify that they only cover damage to a third party’s tangible property, which doesn’t include electronic data. If there is a provision for “digital data protection,” it typically only covers the loss of data from physical damage (e.g. damaged servers).
Some insurance companies have cyber addendums that can be added to business owner's policies (BOPs), but it's important to ensure that these add-ons provide sufficient coverage. In many cases, there are significant limitations that can make the policies ineffective in the event of a cyber incident.
Types of Cyber Policies and Coverages
Most conventional insurance policies have been standardized over time. For example, most car insurance policies aren’t very different between insurance providers. Cyber insurance differs in that there are many different types of policies and liability coverage areas to consider.
Cyber insurance policies are usually broken down into two types based on their basic coverages:
- First-Party Response: These policies cover the cost of notifying affected parties about a security breach, as well as rebuilding your business’ reputation. For example, the policy may cover credit monitoring service costs for customers affected by a data breach.
- Third-Party Defense: These policies cover any legal expenses arising from data breaches, including lawsuits from any regulators or affected customers. For example, the policy may cover the legal costs to defend claims by state regulators as well as any fines incurred.
Policies can be further broken down by individual features and coverages for specific cyber attack losses, such as:
- Theft and fraud: Covers the destruction of data, as well as the theft and transfer of funds arising from a cyber attack.
- Forensic investigation: Covers the legal, technical, and forensic services required to assess damages following a cyber attack.
- Business interruption: Covers lost income and costs due to shutdowns or delays in operations caused by cyber attacks.
- Extortion: Covers the costs associated with payments to extortionists who threaten to disclose or destroy sensitive information.
- Reputation loss: Covers the cost of reputation loss and defamation arising from cyber attacks.
- Data loss & restoration: Covers physical damage or loss of data, including the retrieval and restoration of data.
How to Choose the Right Policy
There are many different cyber insurance policy types and liability coverage areas. The right choice depends on your specific small business, its exposure to cyber attacks and the types of data you store. For example, healthcare companies have very different needs than restaurants.
You should ask yourself several questions before purchasing a cyber insurance policy:
- Is the policy a standalone policy or an addendum to an existing policy?
- Does the policy cover both first- and third-party losses?
- Are there any exclusions that apply due to inadequate or changing security?
- Are you still covered if a security flaw from a third-party product is exploited?
Many cyber insurance policies also require certain IT controls and processes to be in place before you are eligible for coverage. If you falsely state that you have an updated firewall in place, but a breach occurs due to outdated firewall software, then your claim may be excluded. So, cyber hygiene is very important.
If you are still unsure which type of policy you need, talk to a trusted insurance agent. They can help you determine the risks specific to your business, find a policy that fits your needs and compare prices to get you the best deal.
The Bottom Line
Cybersecurity is becoming increasingly important for small businesses. In addition to having the right cybersecurity measures in place, you may want to consider cyber insurance to protect against data loss, business interruption and other costs stemming from a cybersecurity incident.
Source: Jungle Disk