Businesses face a lot of pressure to protect data and systems from data breaches and cybercrime. Failure to do so could result in millions of dollars in losses, according to data breach statistics that show the global average data breach cost is $3.86 million. Most small businesses don't have the resources to handle a major breach, so it's vital to find the right type of insurance for protection.
Getting the right policy can be confusing, however. Both cyber insurance and data breach insurance sound important, but they also sound similar. Here's what you need to know about both insurance types and how to choose the right one for your business.
What's the difference between cyber insurance and data breach insurance?
Cyber insurance and data breach insurance are types of business insurance that sound similar, but they have distinct differences. If your business suffers a data breach, both insurance types will cover the primary financial interest – called first-party coverage – stemming from the exposed data. But only cyber insurance would provide legal protection – called third-party coverage.
In other words, data breach insurance covers the costs directly attributed to a data breach, such as lost revenue and credit monitoring, while cyber insurance also pays attorney's fees and any regulatory fines assessed.
Data breach insurance will also cover losses that don't involve a computer. For example, if someone infiltrates the records room of a doctor's office and obtains protected health information (PHI), cyber insurance wouldn't cover this breach, because it focuses on data loss or operations disruption due to electronic device interference or damage. Data breach insurance, however, would cover losses stemming from this non-computer-related breach.
Let's break down each insurance type, what it covers, and what it doesn't cover.
What is cyber liability insurance?
Cyber liability insurance is a commercial insurance policy that provides financial protection from losses due to cyberattacks or other tech-related risks. In a cyberattack, the cybercriminals can leak data, destroy it, or hold it for ransom. Cyber liability insurance will help you respond to the attack so that you can recover from the loss with the lowest impact possible.
Your cyber insurance policy provides both first-party and third-party coverage, meaning it covers direct losses as well as third-party expenses of claims made against you because of the data exposure.
What does cyber liability insurance cover?
Cyber liability insurance covers two primary elements: first-party claims and third-party claims. It covers losses associated with PHI and personally identifiable information (PII) hacks as well as business interruption caused by nefarious parties.
These are some of the first-party claims that cyber insurance covers:
- Investigatory costs
- Repairs to damaged or lost equipment
- Lost revenue
- Consumer notification costs
- Consumer credit-monitoring costs
- Ransom paid to a hacker to restore files
These are some of the third-party claims covered by cyber insurance:
- Legal fees
- Settlements and court judgments
- Incurred regulatory fines
Example of a cyber insurance claim
Let's say an accounting firm with a database of 2,000 clients is attacked with ransomware. The hijackers block access to the site until the firm pays a $100,000 ransom. The accounting firm files a claim with its insurance carrier. The insurance carrier may pay the ransom, but the insurer makes the final call. If the insurer decides not to pay the ransom, the insurer will pay network recovery costs and other costs related to lost income due to the attack.
What is data breach insurance?
Data breach insurance is coverage of breach-related costs that specifically focuses on whether PHI or PII has been viewed or obtained by someone who shouldn't have access to it.
Information can be exposed in many ways, either on purpose or by accident. For example, someone may hack the system to steal the data intentionally, or an employee may forget to put a file away, exposing information to someone who sits at their desk.
What does data breach insurance cover?
Data breach insurance covers first-party losses for a company that inadvertently allows PHI or PII to fall into the wrong hands. This loss could result from hacker attacks, physical theft, the loss of a laptop or other device, or information leaks. A data breach could also be caused by employees who abuse their privileges and purposely share, copy, and use data without proper authorization.
These are some first-party claims that data breach insurance covers:
- Consumer notification costs
- Consumer credit-monitoring costs
- Damage control from a public relations firm
- Extortion coverage
Example of a data breach claim
Let's say a medical office has a storage room with file cabinets of medical records. An individual posing as an electrical contractor for the building is given access to an electrical panel located in the storage room. He is left unattended and uses the opportunity to take pictures of patient data records.
In this case, the insurance carrier will cover the costs to notify patients of a breach in recordkeeping and pay for the credit-monitoring services of the affected patients.
What do cyber insurance and data breach insurance not cover?
Cyber liability and data breach insurance are two types of liability policies. These policies don't offer full general liability coverage for other types of insurance liability claims, such as:
- Bodily injury or property damage. When a business is liable for bodily injury or property damage, a general liability insurance policy will cover it.
- Employee harassment, discrimination or wrongful termination. Employment practices liability insurance would cover costs related to employee harassment, discrimination or wrongful termination.
- Professional mistakes or omissions. Professional liability insurance covers mistakes made in the course of business.
Should my business choose cyber or data breach insurance?
Your business type will determine whether you should get cyber liability or data breach insurance. In some cases, you may need both types of liability insurance to cover different risks.
For instance, if your operations are set on a network that also stores customer or proprietary data, you should get cyber liability insurance. This way, you're protected if a cybercriminal infiltrates your network and steals data or shuts down your network and holds it for ransom.
If you have large PHI and PII databases, make sure you have data breach insurance – especially if the data isn't held on a network but stored onsite or offsite in files. Medical practices and accounting firms are two examples of businesses that need data breach insurance. If your database is an online system, talk to your insurance carrier to determine if cyber coverage is enough to protect you.
How much does cyber insurance or data breach insurance cost?
On average, you can expect to pay around $1,500 in premium costs for a year with $1 million in coverage. That's usually with a high deductible of around $10,000.
However, the cost of either policy is contingent on many factors, and every business is different. When giving you a quote, the insurance carrier will want to know this information about your business:
- How many customers you have
- What type of sensitive data you store
- Your overall revenue
- Your claims history
Your insurance carrier may also consider who has access to your data. A company that has many employees or uses many third-party contractors may be at higher risk of cybercrime or data loss. The more people who can access your data, the more risk your company faces of that data being exposed.
How can I prevent a data breach?
A robust insurance policy is important to have when you're dealing with a data breach or cybercrime. However, it's essential to try to prevent claims. Take your data protection seriously to preserve your reputation in the community as well as to protect your business.
Here are some tips to help you avoid data breaches and cybercrime:
- Keep files locked. Use locks on all physical file cabinets and desk drawers that store client data. Secure your storage rooms with locked doors and, again, locks on any file containers to limit access to private and personal data.
- Update your antivirus software. Choose one of the best antivirus software solutions and continually monitor it for updates and patches. Up-to-date antivirus software can prevent hackers from accessing your systems.
- Train your employees. Hold regular training sessions with your employees on how to protect data. This training should include best practices for document access and storage, emails, and passwords. Teach your employees how to identify phishing schemes that can lead to bad actors accessing data, and make sure passwords are complex and impossible to guess.
- Develop vendor protocols. Establish security protocols for when third-party vendors and service technicians are in your office. Limit their access to specific rooms, and never leave them alone near personal and private data.
- Create a disaster response plan. There are some breaches that you can't avoid, no matter how hard you work. Develop a plan for how you will keep your business operational and respond to any issues if you detect a breach.
- Have a backup. Work with an IT professional to develop backup databases and operational systems you can access if you fall victim to a cyberattack. A backup won't eliminate the need to notify your customers of a data breach, but it will allow you to continue operations with minimal interruption.
Every business should be working to minimize the risk of data breaches and cybercrime. In case you do incur an attack, though, the right insurance coverage will go a long way in protecting your bottom line.