Should you invest in cybersecurity insurance?

Jan 28, 2015

IT, security



According to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis, a data breach costs a company, on average, $3.5 million. That number was up by 15 percent from the year before, and all expectations are that number will be even higher next year.

With the rising costs of a data breach, it is no wonder that small and midsize businesses often don’t survive a cybersecurity incident. Today, with the ever-evolving cybersecurity threat landscape, businesses find themselves at an increased risk for some sort of incident that will result in a loss of data, money, reputation or all three.

For this reason, more companies than ever are purchasing cybersecurity insurance. As Will Yakowicz wrote in Inc., “U.S. companies are expected to pay $2 billion worth of cybersecurity insurance premiums [in 2014], a 67 percent increase from 2013.”

That investment requires a self-evaluation of the company’s security setup to identify and understand the risks. Before deciding on cybersecurity insurance, business leaders must recognize that this is just one layer of defense against a data breach, said Ted Devine, CEO of TechInsurance. It is more important to take actions to prevent a data breach from happening than to make the aftermath of a breach the primary concern; as Devine noted, an overwhelming number of data breaches are preventable. Prevention includes providing more security training for staff, keeping software updated and patched, and investing in security systems that the IT department can actually operate.

“IT departments are often too understaffed to actually implement some of the functions that would keep their people safe,” Devine said. Once those issues are addressed, then it is time to turn to the cybersecurity insurance investment.

It’s easy to get caught up with the idea of the malicious hacker trying to steal your information, said Lynn LaGram, spokesperson for The Hartford’s Business Owner’s Policy. But in reality, the most common breaches are caused by accident. A data breach, she added, can occur as a result of:

  • Lost or stolen files or devices (paper and electronic files; laptops, smartphones, tablets or computer disks; credit card or debit card information)
  • Theft or release of data resulting from unauthorized access (former employees or vendors)
  • Employee error or oversight

Mark Harrington, general counsel at Guidance Software, advised that cybersecurity insurance coverage should include the following:

  • Risk-management services coverage to protect your company from some of the costs of proactively strengthening your security, such as security training for IT staff, incident-response planning, IT systems penetration testing, etc.
  • Fines and penalties coverage to cover the expenses of regulatory and payment card industry fines and penalties, as well as potential civil judgments from customer lawsuits
  • First-party coverage to indemnify your company for the costs of any interruption to your business, loss of income, loss of data, damage repair and restoration costs, crime loss, etc.; think of this as “property and theft” coverage for the information age
  • Third-party coverage to cover liability to third parties such as government entities and customers following a breach
  • Remediation coverage to pay for legal services delivered in response to a data breach, public relations and other crisis management services, cyber forensics services (which can help you capture relevant evidence about the attackers for delivery to law enforcement), regulatory and consumer notification, credit monitoring, and identity theft protection services

These are basic suggestions, of course. Just as businesses are different, cybersecurity policies will be unique to individual companies and different industries.

“Businesses with very little exposure may be able to get away with adding cybersecurity coverage as an endorsement to a General Liability policy or a Business Owner’s policy,” TechInsurance’s Devine said. “Those with greater exposure will probably need a standalone cyber policy, which can offer greater protection.”

Even though no one wants to be in a position to need the insurance policy, it is in everyone’s best interest to have something that covers your specific needs, allowing the business to keep operating during and after that worst-case scenario.

Post by Sue Poremba

Sue Poremba is a security and technology writer based in central Pennsylvania.