Here's what small business owners need to know about cyber liability insurance.
As a small business owner, you understand that protecting your company from cyber threats is now part of everyday life and you take steps to reduce your risk.
But the reality is, there is no such thing as being 100% secure; despite best intentions, top-tier technology and employee training, incidents do happen. And when they do, they can be costly: the average cost of a data breach to a small business is $120,000.
Running a business is tough enough without taking a huge financial hit. One way to prepare is to invest in a cyber insurance policy to provide financial compensation in the case of a cyberattack. In this article, we'll discuss:
- What cyber insurance does and does not cover
- The importance of cyber insurance as a financial safeguard, not a preventative measure
- Rolling out cyber insurance in tandem with a strong cybersecurity program
What is cyber insurance?
Cyber insurance is a specific type of business insurance that covers expenses stemming from a cybersecurity incident. It's becoming far more common as businesses of all sizes are beginning to recognize the risks and costs associated with cyberattacks.
Cyber insurance is generally divided into two categories, although a given policy or package may have components of both:
- First-party insurance that provides compensation for damages to your own business (e.g. the cost of data recovery)
- Third-party insurance that covers damages to other people or businesses affected by a cyberattack on your business (e.g. your customers, whose information was breached)
Depending on the policy, cyber insurance may cover costs associated with the following items:
- Recovering compromised data
- Repairing damaged networks, computers and systems
- Notifying affected customers of a breach and protecting their identities
- Business interruption, downtime and lost revenue
- Legal fees and expenses
It's important to note that general liability coverage rarely covers cybersecurity incidents, as intangible assets – such as data – are not considered "property" and therefore require special coverage. Cyber insurance works in tandem with a strong, preventative cybersecurity program to keep your business running smoothly through modern threats.
Does cyber insurance cover ransomware?
Ransomware – a type of malware that encrypts your data and demands a ransom payment in exchange for your files – is a growing concern for many businesses due to its prevalence and an often-messy recovery process. The good news is that cyber insurance coverage might pay the ransom demand, if necessary, and may even cover downtime associated with getting your business back up and running.
However, unconditional coverage is never guaranteed. A recent incident saw cyber insurance coverage denied after an attack from the NotPetya ransomware strain. The ransomware attack was determined to be an "act of war," exempted from coverage under the force majeure clause of the insurance policy. Although the legal territory is still somewhat uncharted, it's likely that force majeure and other restrictions will continue to come into play with other types of cyberattacks as well.
Cyber insurance doesn't replace cybersecurity.
While cyber insurance is an important component of cybersecurity, it by no means takes the place of cybersecurity in your business. Think of it this way: You likely have car insurance, but you still wear a seatbelt and drive carefully to avoid a dangerous accident. Even dealing with a minor accident is a hassle, so you go out of your way to stay safe on the road.
The same logic applies to cyber insurance. It will help provide financial compensation in the case of a cyberattack, but it's not preventative and certainly doesn't mean that the recovery process will be painless. The best way to minimize the damage of a cyberattack is to prevent it from happening in the first place, something that only a strong, comprehensive, ongoing cybersecurity program can do for your business.
As with any insurance policy, there are restrictions on what claims merit a payout. Here are a few examples of costs and assets that often aren't covered by cyber insurance:
- Unrecoverable data
- Stolen intellectual property (IP)
- Regulatory fines (e.g. under GDPR or other compliance regulations)
- Damages above and beyond insurance limits
- Physical damage caused by a cyberattack (although physical damage may still be covered by general liability insurance)
In addition, there are some things that an insurance payout can't replace. A few of the intangible costs associated with a cyberattack are:
- Damage to company brand and reputation
- Loss in trust of valued customers or employees who had their information compromised
- Ongoing damage to affected people (e.g. a cyber attacker uses breached information to send spam email or attempt identity theft)
On the other hand, your cyber insurance policy might require you to employ cybersecurity protection. Some policies stipulate that they won't pay claims in situations of "negligence," which can range from human error to unpatched software to failure to follow policies. Insurance companies may even run a cybersecurity risk assessment on their clients and require businesses to maintain a certain level of protection to stay insured. That's why it's important to have a strong cybersecurity program in place. If your team is trained, your technology is updated and your business is fully prepared, any attacks that get through your defenses are more likely to be covered by cyber insurance.
How to implement cyber insurance.
Thinking about adding cyber insurance to your policy? Here's how to get started:
- Understand your options. Talk with your insurance provider about cyber insurance to understand what options are available. Your provider may offer a wide range of policies that are customizable with different coverage limits, location-based restrictions, and incident-type coverage. They can explain the difference between the plans and help guide your discussion of which to move forward with.
- Decide on your coverage. Work with company management, IT and legal counsel to discuss the risks to your business and how cyber insurance fits into your cybersecurity plan. Decide on the incidents you will need covered, in which countries or states you will need coverage and how much your policy should pay out to offset the potential cost of a cyberattack. Cyber insurance policies vary significantly, and it's best to work with your insurance company to find the right coverage for your business size and needs.
- Ensure it's a last resort. Evaluate your current cybersecurity practices and roll out a strong cybersecurity program to be sure your new cyber insurance policy is used only as a last resort. For maximum effect, your program should be comprehensive and provide multiple layers of protection, including a foundation of business policies and procedures, a company culture of cyberdefenders, and the right technology for your business. It can be helpful to bring in a third-party cybersecurity provider to help you set up your program and roll it out to your organization.
- Update your incident response plan. Update – or create – your company's cybersecurity incident response plan to include your cyber insurance company. Your plan will dictate the process your company follows in the case of a cyberattack, helping to minimize confusion and panic in the aftermath of an incident. Be sure to include your cyber insurance provider's name and contact information as well as what types of incidents merit contacting them or submitting a claim. In many cases, your insurance provider will ask that you take specific response steps.
Cyber insurance is a great way to manage your financial risk so you can keep your business up and running in the event of a cybersecurity incident. By finding the right policy and integrating it with a strong preventative strategy, you can reduce your overall risk as a target and minimize the impact that cybersecurity incidents could have on your business.