5 Tips for Investigating and Purchasing Cyber Insurance
In 2016, Lansing, MI's Board of Water and Light fell victim to a cyber-attack that resulted in $2.4 million in costs, including a $25,000 ransom paid to the perpetrators. In the aftermath of the breach, BWL announced that it was filing a $1.9 million insurance claim under its cyber insurance policy, including $2 million in covered losses, less a $10,000 deductible.
There is a lot at stake for businesses when it comes to cyber-crime, which is why more and more businesses are investigating and purchasing cyber insurance to hedge against the risks associated with cyber security and data privacy.
Businesses face challenges in selecting and negotiating the right cyber insurance policy, however. The lack of standardized policy language and the inadequacy of many “off the shelf” policies in meeting a particular business’s needs make it critical that careful thought and planning go into the selection of cyber insurance coverage.
Here are five important considerations to keep in mind when it comes to purchasing a cyber insurance policy:
- Examine Your Business’s Needs
The first step in purchasing cyber insurance is having a firm grasp on your business’s needs. A business must assess the type and scope of data and information that is stored and sent on its IT infrastructure, and thus potentially vulnerable to breach. This applies not only to information on the business’s own systems, but also to information on its vendors’ systems and to any data stored offsite. Doing this type of assessment will allow a business to make informed decisions about the type and scope of insurance coverage it needs.
- Consider Your Existing Coverage
Before purchasing a new policy, your business should examine its existing policies to determine what type of cyber risks may already be covered. Commercial general liability policies may already provide coverage for things like privacy and data breaches. Other policies commonly held by businesses, such as commercial property, Directors & Officers, and Errors & Omissions, may also offer coverage.
- Examine Cyber Insurance Options and Terms
Serious consideration must be given to the policy's coverage, limits, and exclusions. A cyber insurance policy should cover each of the following, at minimum.
- Costs relating to investigations, including those relating to administrative and regulatory actions.
- Fines and penalties.
- Remediation/crisis management, including the costs associated with a data breach. Several laws require data breach notifications and, in some cases, credit monitoring services for affected individuals.
- Don’t Lose Sight of Non-“Cyber” Risks
While many data breaches take place over digital networks, not all of them do. Data can be stolen from a briefcase in the backseat of an unlocked car, or a banker's box in a storage closet. A good “cyber” policy should also cover non-digital data such as paper records.
- Consider the Cloud
Some cyber insurance policies purport to limit the scope of coverage to an insured’s own acts and omissions. This is potentially problematic for any business that stores data on a third-party “cloud” network. Given the pervasiveness of cloud networks, it’s important to understand whether a policy excludes acts and omissions of third parties.
There are many issues that businesses must consider when investigating cyber insurance policies. There is no “one-size-fits-all” product out there. Finding the right policy to meet an organization’s needs requires a comprehensive, team approach, involving management, IT and legal. If you have any questions concerning cyber insurance, please contact us.
Taylor helps businesses and business owners solve and prevent problems as a member of Foster Swift's Business and Corporate practice group. He handles business formation and transactions, tax controversies, employee benefits, and technology related issues.