CYBER SECURITY INSURANCE
Are you insured if your business gets attacked?
Traditional business commercial general liability and property insurance policies typically exclude cyber risks from their terms, leading to the emergence of cyber security insurance as a “stand alone” line of coverage. This coverage provides protection against a wide range of cyber incident losses that businesses may suffer directly or cause to others, including costs arising from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations. Few cyber security insurance policies, however, provide businesses with coverage for an area of growing private and public concern: the physical damage and bodily harm that could result from a successful cyber attack against critical infrastructure.
Managing cyber risks through insurance is relatively new. Although the market for cyber liability insurance is off to a good start, it is expected to grow dramatically over time as businesses gradually become more aware that current business policies do not adequately cover cyber risks. With each announcement of a system failure leading to a significant business loss, the awareness grows. This growing awareness has stimulated demand for cyber liability insurance products.
As data breaches occur more frequently, there are additional pressures for businesses to step up efforts to protect the personal information in their possession. Cyber-attacks may come from nation states, terrorists, criminals, activists, external opportunists and company insiders (both intentional and unintentional). Cyber criminals attack to gain some type of political, military or economic advantage. They usually steal money or information that can eventually be monetized, such as credit card numbers, health records, personal identification information and tax returns. Cyber Security risks include:
- Identity theft as a result of security breaches where sensitive information is stolen by a hacker or inadvertently disclosed, including such data elements as Social Security numbers, credit card numbers, employee identification numbers, drivers’ license numbers, birth dates and PIN numbers.
- Business interruption from a hacker shutting down a network.
- Damage to the firm’s reputation.
- Costs associated with damage to data records caused by a hacker.
- Theft of valuable digital assets, including customer lists, business trade secrets and other similar electronic business assets.
- Introduction of malware, worms and other malicious computer code.
- Human error leading to inadvertent disclosure of sensitive information, such as an email from an employee to unintended recipients containing sensitive business information or personal identifying information.
- The cost of credit monitoring services for people impacted by a security breach.
- Lawsuits alleging trademark or copyright infringement.
Cyber Security Liability Policies
Most businesses are familiar with their commercial insurance policies providing general liability coverage to protect the business from injury or property damage. However, most standard commercial lines policies do not cover many of the cyber security risks mentioned above. To cover these unique cyber security risks through insurance requires the purchase of a special cyber security liability policy.
However, cyber security risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data. Insurers compensate by relying on qualitative assessments of an applicant’s risk management procedures and risk culture. As a result, policies for cyber security risk are more customized than other risks insurers take on, and, therefore, more costly. The type of business operation will dictate the type and cost of cyber security liability coverage.
The size and scope of the business will play a role in coverage needs and pricing, as will the number of customers, the presence on the Web, the type of data collected and stored, and other factors. Cyber liability policies might include one or more of the following types of coverage:
- Liability for security or privacy breaches. This would include loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.
- The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers.
- The costs associated with restoring, updating or replacing business assets stored electronically.
- Business interruption and extra expense related to a security or privacy breach.
- Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.
- Expenses related to cyber extortion or cyber terrorism.
- Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.
Securing a cyber security liability policy will not be a simple task. Insurers writing this coverage will be interested in the risk-management techniques applied by the business to protect its network and its assets. The insurer will probably want to see the business’ disaster response plan and evaluate it with respect to the business’ risk management of its networks, its website, its physical assets and its intellectual property. The insurer will be keenly interested in how employees and others are able to access data systems. At a minimum, the insurer will want to know about antivirus and anti-malware software, the frequency of updates and the performance of firewalls. This is where POWERNET can help you. Our CyberSphere® Solution is a cyber risk management solution that leverages a network of cyber security companies and delivers unrivaled advisory and technology services for your business and gives you a Cyber Security Validation Certificate to lower your Cyber Security insurance premiums.
CAN YOU HELP ME FIND A GOOD INSURANCE AGENT?
Yes. We have collected and researched several insurance companies that can provide you with the proper insurance policy to protect your business. We do this for FREE, and we don't make a dime off of referring you to the companies. We just ask that if you do have to use it, you come back and ask us for a quote to fix the issues.
We do offer a CyberSphere® Solution that can help you lower your insurance costs with a Cyber Security Validation Certificate. Once we implement a Cyber Security Validation Certificate for you, and you have a signed certificate, you can take this to your agent, and it will help lower your costs.
WHAT DOES THIS DO FOR MY BUSINESS? - Cyber Security Validation Certificate
POWERNET will validate your business to show that you are providing due diligence in your cyber security processes. How do we do this?
- ASSESSMENT: We will perform an assessment on your business and determine the potential risks and vulnerabilities. We will help you start the process by writing your Plan of Action and Milestones (POA&M) process for each of the vulnerabilities.
- SUPPORT: We provide a cyber security subject matter expert (SME) retainer to help you keep safe and fix the vulnerabilities. And you will let the insurance agent know you have taken steps to keep safe by having a cyber security subject matter expert (SME) on retainer! This will give them a warm and fuzzy feeling that you are taking steps to minimize potential risks.
- PROCESSES: We will make sure that a Concierge CIO / CISO Management Consultant assists you in building or modifying your policy and processes, as well as managing the cyber team that supports you.
- MANAGEMENT: Helping your company be innovative in its cyber security posture and culture, providing training and testing, and providing the entire executive leadership perspective on all cyber matters.
- CERTIFICATE: Once we have set the above up, we will sign a certificate for you, and help you get a better rate with the underwriters of your insurance agent.
Reasons To Buy Cyber Security Insurance
Having a thorough understanding of your cyber assets and their value to your business will help you determine if cyber insurance makes sense. Here are the seven main reasons to buy cyber insurance, and some tips for getting the best deal on it.
No. 1: Your Cyber Assets Are More Exposed Than You May Believe
If your business does not have an online presence, it either will very soon, or will likely cease to exist. Between 2001 and 2010, e-commerce in the United States grew at an average annual rate of 38 percent, and in 2012, global e-commerce sales topped $1 trillion for the first time. All sorts of businesses everywhere on earth have some kind of virtual storefront. To grow your business, you are going to have to join them, and strive to outdo them.
Having an online presence, however, exposes your business to many more risks than the brick-and-mortar world presents. Considering that your site is available 24×7 across the world, and the rapidly increasing number of devices that can access the internet (smart phones, tablet computers, and traditional laptops and desktops), there are simply more potential opportunities for malicious activities against your e-commerce portal than against a brick-and-mortar store. What’s more, your business insurance probably does not cover the assets threatened by those cyber security risks in a way that is commensurate with those assets’ value.
What that adds up to is more opportunities for your, your customers’, and your suppliers’ information to be compromised, either accidentally or maliciously. There are at least five fundamental pathways for cyber security losses.
- Access Control: You need to be certain of who has access to what throughout your IT systems. How secure are your customers’ credit card numbers? How about the personal information of your employees and business associates? Failing to control access to your most sensitive information is practically an open invitation to compromising that information.
- Authenticity: You need to assure the parties you do online business with that you are who you say you are, and that they are who they say they are. If you do not have adequate measures to assure authenticity, you leave your company open to cyber attack.
- Availability: This is the flip side to access control. The people you do business with online expect 24/7 access to websites, databases, online services, and accounts, and the information they access must be accurate. Hackers are known to use so-called “denial of service attacks” to interrupt companies’ business for as long as it takes to restore security and operability.
- Data Integrity: This concerns the issue of cyber information being altered while in transit between you and your customers, suppliers, and business partners. Measures to mitigate the loss of data integrity include firewalls and frequent and secure data backups.
- Non-repudiation: You need to be able to prove that your customers actually wanted the goods or services that you provided them, that they cannot deny any transaction between the two of you.
Beyond technical issues, how vulnerable is your business to the commercial repercussions of a cyber attack or accidental loss of digital assets? How long would it take for your business to fully recover from a security breach that became widely publicized? Might you be sued for such a breach?
No. 2: If You Are a Small or Medium Business, You Are at the Mercy of Third Parties
The typical Fortune 500 company can afford to keep all of its IT systems in-house. They own and manage their own servers in geo-redundant facilities, develop proprietary software for transacting business and maintaining security, and have precise control over who has access to what areas of their IT systems. Small and medium businesses (SMBs)? Not so much. Most SMBs depend on cloud services for hosting and storage, and they typically find SaaS solutions to be the most economical way of tracking inventory and authorizing credit card purchases. If your provider of cloud or other IT services is responsible for loss or damage to your digital assets, how would you recover those assets and pay for whatever collateral damage the loss caused?
No. 3: General Liability Covers Only Property Damage
You are probably reasonably familiar with the general liability coverage in your commercial insurance policy, and how it protects you from the costs associated with injury and property damage. But if you believe that your policy covers damages to your cyber property, you are probably mistaken. Most standard commercial lines policies do not cover risks such as:
- Identity theft resulting from either a malicious or inadvertent security breach. Identity theft refers to the fraudulent use of such information as Social Security numbers, credit card numbers, drivers’ license numbers, birthdates, PIN codes, and employee identification numbers.
- Lawsuits alleging trademark or copyright infringement resulting, for example, from information posted or available for distribution from your website.
- Inadvertent disclosure of your or a third-party’s sensitive information by means of email, instant messaging, or other electronic means.
- Degradation of an organization’s digital assets due to computer viruses, worms, or other malware and malicious code.
- The costs of monitoring credit card records for persons affected by a security breach at your business.
- Theft or destruction of such valuable digital assets as intellectual property or customer lists.
- Damage to an organization’s reputation resulting from a cyber security breach.
- Interruption of your business due to a hacker crashing a network.
Coverage of such losses and risks usually requires a specific policy for cyber risks.
Many business owners have delayed their search for cyber insurance, thinking: “Who would want to steal my customers’ list? Bigger companies’ digital assets are more valuable than mine.” But what that reasoning fails to take into account is that bigger companies typically have stronger measures to guard against cyber attacks, and that cyber criminals, like any criminals, prefer to pick the low-hanging fruit.
No. 4: Cyber Insurance Covers First-Party Losses
A cyber security insurance policy can protect you against damage to and destruction of your IT assets, and costs associated with such damage and destruction. There are six groups of first-party losses. You should be aware of those to which your organization is most susceptible, and those which your insurance agent can provide.
- E-commerce Extortion: coverage protects you when extortionate threats, such as those demanding money, securities, property, or services, are made against your business. Covered threats may also include those to disclose confidential information about your business or your customers, to damage or destroy any part of your IT systems, to introduce a virus or other malware into your IT systems, and to deny you internet service. The insurance may reimburse you for any payments made to the extortionist, and to prevent or mitigate the threat of extortion.
- Crisis Management: expenses include the costs of negative publicity brought on by a security breach, cyber attack, or a publicized claim that your business suffered a cyber security breach. Coverage could reimburse your costs to react to such publicity or claims, such as hiring a public relations service to preserve your brand credibility through advertising or marketing communications. Coverage also could reimburse you for the costs you incurred to identify the perpetrator of the security breach.
- Security Breach and Identity Theft: expenses include the costs of assessing a security breach or identity theft, and notifying the parties affected by it. The coverage may also reimburse your expenses for monitoring the bank and/or credit card accounts of all affected customers, and the costs of hiring a call center to address affected customers’ concerns.
- Computer Fraud: coverage protects you in the event that a hacker steals money or securities from your IT systems. The coverage is available for your accounts and your customers’ accounts, and it can reimburse the damaged party for the value of what was stolen. Coverage is also available for funds transfer fraud, which relates to fraud committed during transfer requests to your financial institution.
- Software and Data Recovery: coverage can protect your software applications and databases from damage caused either inadvertently by employees, or maliciously by hackers. The coverage may reimburse you for your costs to restore, replace, or reproduce from backups the information (data) and/or capabilities (applications) damaged or destroyed in the incident.
- Cyber Business Interruption: coverage can reimburse you for lost operating profits resulting from business interruptions caused by hackers or other attacks against your IT systems.
No. 5: Cyber Insurance Covers Third-Party Claims
A cyber insurance policy can protect you against claims that your negligence caused damage to others’ digital assets, IT systems, networks, or cyber security precautions. There are four types of third-party claims. As long as you have digital assets of third parties within your IT systems, you may be liable for damages to those assets.
- Network, Information and Security Liability: coverage protects you from others’ claims that their finances, property, or person was damaged or destroyed because of your negligence in securing your IT systems. Such damages can result from unauthorized access to or use of your network, such as to commit a theft of identity information. The theft may be mediated by a virus or other malicious code introduced into your network. The invasion may result in denying service to authorized users of your IT systems. You may also be liable for damages caused by failing to notify others that your IT systems have been compromised.
- Regulatory Defense Expenses: Are you ready for DFARS? This coverage protects your business when a government agency makes a regulatory claim against it. The typical agencies that make such claims are the Federal Trade Commission (FTC) and Federal Communications Commission (FCC), and the typical claims they make are formal requests or pleadings, demands for monetary damages or non-monetary relief, criminal charges, summonses, and arbitration requests. The coverage may reimburse you for legal defense and funds to dispute or settle such claims.
- Errors, Omissions and Negligent Acts: covers damage resulting from accidents or negligent errors you made in operating your network or other IT systems, such as damage to a customer’s media or other digital assets. The coverage may provide legal defense and funds to settle lawsuits related to the customer’s claims.
- Communications and Media Liability: This coverage relates to the unauthorized use of copyrighted material or trademarks published through your IT systems. Copyrighted material could include others’ intellectual property, photographs, artwork, or other content, and even a person’s likeness.
No. 6: Coverage Can Be Tailored to Your Business
While cyber insurance may be a relatively new form of risk management, that does not mean that your choices need to be constricted when it comes to buying a policy. It does pay, however, to shop around. Some agencies and companies have more experience with cyber insurance products than others, and so have a better understanding of what sorts of coverage best suit companies of various sizes in various industries. These companies may also be able to handle and resolve claims more effectively and expeditiously.
Different businesses have different needs when it comes to cyber insurance, so there is no “one size fits all” policy. To get all of the coverage you need, you must understand your business and the risks present in your IT systems, protocols, and policies. Having this understanding will allow for a more informed conversation with your agent. If that agent also happens to represent the company that provides your regular business insurance, you will likely get better service, since the agent will be familiar with your company.
Having a firm grasp on what your digital assets are, what their value is, and how effective your efforts are to keep them secure, will be of enormous help in developing a cyber insurance policy to insure them.
No. 7: Coverage May Be More Affordable than You Thought
There are many measures you can take to keep the cost of cyber insurance down. All of these revolve around maintaining the highest standards of cyber security possible at your organization.
If your customers need access to your website 24/7, make sure your internet provider gives you that guarantee. Clearly understand your agreements with third-party providers, such as credit card authorization services or cloud storage services. Be sure that your IT systems are protected by an absolutely reliable firewall. Establish clear and strict access controls throughout your IT systems. Make sure your systems are backed up regularly and the backup image is stored securely. Whatever you do to improve your security posture will likely result in a lower rate.
As a further step toward keeping the costs of your coverage down, involve your lawyer in the crafting of your policy. A familiarity with your company combined with legal expertise will give you the best chance of getting the best deal on the coverage you need.
HOW DO I GET STARTED?
If you already have cyber insurance, just fill out the form below, and we will work with you to get the required elements we need for your Cyber Security Validation Certificate. If you do not have insurance, just fill out the form below, and we will give you a few insurance company agents that can help you, as well as get started working with you to get the required elements we need for your Cyber Security Validation Certificate.
If you want more information, call us at (256)489-8425!