How to Determine If Cyber Insurance Coverage Is Right for You
Standard business liability insurance can cover misfortunes such as missing computer equipment or a storm-wrecked office. But would it help you survive the loss or theft of valuable company data inside your computers, a website shutdown from a power failure or hacker attack, or a false-claims accusation triggered by an edgy Twitter post? Probably not.
If you possess valuable data -- especially regulated personal, financial or medical information about consumers -- you might want to consider adding "privacy" coverage for the potentially onerous costs of a data breach. If you would struggle to survive an extended website or computer-network shutdown, you may need network-security coverage. And if you host online discussions and risk libel or false-claim accusations, media coverage may be prudent.
Cyber insurance also can help boost your business by giving customers and business partners more confidence in you. Some partners may even require it. Julia Claire Shapiro, cofounder of Hire an Esquire, a Philadelphia-based online matchmaking service for freelance lawyers, recently purchased cyber insurance primarily to soothe "tech-phobic" decision makers at the law firms she serves. Shapiro bundled cyber coverage with professional and general liability insurance and paid almost nothing extra.
"When we show them in our pitch that we are insured by Lloyds of London, their faces kind of soften," she says.
Of course, cyber insurance isn't for everyone. As with all insurance purchases, it's important to weigh the hazards you face, your appetite for risk and premium costs. Finding the right policy can be tricky in this booming but immature area of insurance, where many agents and brokers lack experience. Here's a roadmap for finding your way.
Assess your financial risk.
Take a hard look at your business, your data and how valuable it is, and what costs you might incur if things go wrong. If absorbing the losses could wipe you out, you're a good candidate for insurance.
Andrew Schrage, co-owner of Money Crashers, a personal finance blog, weighed these factors and decided not to buy cyber insurance. The chances of a security breach appeared slim. "And even if one took place, the fallout wouldn't be that difficult to manage," he says. "Most of the information stored on our servers is fairly innocuous, and the potential for lawsuits in the aftermath of a breach is practically nonexistent."
But a company that stores private consumer data aggressively sought by identity thieves might make a different calculation. A study of insurance-claims data for 117 privacy breaches found that the average cost is $5 per lost customer record, with a typical breach exposing 100,000 records, according to NetDiligence, a security risk assessment firm in Gladwyne, Pa. The cost includes legal defenses and settlements; crisis response, including required customer notifications; and business-interruption costs and fines. The study did not consider hard-to-measure costs such as lost business opportunities.
A free tool from the nonprofit American National Standards Institute can help you value your data and potential liability -- and the amount of insurance you may need. Although designed for healthcare organizations, it can work for any business that handles sensitive data, says Jeremy Henley, insurance solutions executive at ID Experts, a Portland, Ore., breach prevention and response company. "You would put a value on your building or your trucks," he says. "But when it comes to your data, it's hard to do that."
Evaluate your security posture.
To manage risk, insurance carriers require policyholders to take reasonable steps to protect their businesses. Large companies have to jump through many hoops to prove this, but most small businesses can answer a simple questionnaire about their operations and existing security measures, says Todd B. Ruback, a Warren, N.J.-based privacy attorney.
An insurer may require you to make improvements, whether by putting additional security technologies in place or training employees to handle private information safely. Improving your security posture can lower your premium payment. Some carriers have web portals providing free security advice, free services like privacy training, or discounted products and services to help get you in shape, Ruback says.
Weigh insurance options.
With more than 30 cyber insurance carriers offering different types of policies and prices, comparing them all can be daunting, says Rick Betterley, publisher of The Betterley Report and a cyber insurance market survey. A cyber add-on to an existing liability policy might cost $300 a year while a separate policy could cost $1,000 or several multiples of that, he says. The most affordable route may be a rider for your existing general liability policy, but be sure you are getting the necessary level of coverage.
When investigating separate cyber policies, start with a clear vision of the coverage you need, find a knowledgeable broker who can guide you, get multiple quotes and look to carriers with a track record with small companies and your industry.