A Primer on Cyber Insurance: What Business Owners Should Know

George A. Berman, Partner, Peabody & Arnold LLP, and Mark Van Divner, Chief Information Security Officer, First Republic Bank
April 11, 2017

For the vast majority of business owners, securing insurance to protect physical property against traditional hazards — such as fire, flood and theft — is second nature. However, far fewer seek out “cyber insurance” to safeguard digital assets from the risk of electronic crimes. This relatively new type of insurance has emerged primarily because of the 21st-century rise in cybercrime, such as malware infections and phishing scams, which have led to headline-making data breaches and social engineering attacks resulting in the unauthorized transfer of funds.

Cyber insurance is entirely new terrain for entrepreneurs to navigate. Following are some considerations for business owners as they decide whether cyber insurance is right for them.

Why would a business need cyber insurance?

Many companies don’t fully appreciate the value of their data in the eyes of cyber criminals. Digital threats evolve at such a rapid pace that it can be difficult to get a clear grasp on particular vulnerabilities — and the potential peril those vulnerabilities represent to both the company and its customers — until it’s too late.

Any company that collects “personally identifiable information” from customers, such as credit card numbers, social security numbers, date and place of birth, mother’s maiden name, and biometric records, is at risk, whether it’s a retail shop nestled in a downtown city block, a dental office in a suburban mall or a small online side-business.

Most states have data breach notification laws which require companies to alert customers if their personal information has been compromised. While this seems like a sensible precaution, it’s an incredibly involved and expensive process for a business to carry out in practice. When you send out the notification, many people will call, tying up your phone lines. You might have to research and then follow different requirements from different states that your customers live in. Often, a business that suffers a data breach will ultimately need to hire a notification service because the details of notification are so complex. Likewise, if your website goes down because of a cyberattack, or if you or your staff fall victim to a social engineering attack (such as a Business Email Compromise scam) that results in the loss of funds, those incidents can represent a significant cost to your business. The FBI reported a 1,300 percent increase in identified exposed losses since January 2015, with those losses totaling $3.1 billion since the agency began tracking these scams in 2013.

Such scenarios are hardly rare occurrences: More than half of the nearly 600 small- and medium-sized businesses surveyed by the Ponemon Institute in a 2016 study said they suffered a cyberattack in the past year, and 50 percent said they experienced a data breach involving customer and employee information over the same time period.

How should you evaluate a policy?

This is where things can get tricky. If you purchase fire insurance, the policy will likely have a slight variation of wording that’s been used for a century. Volumes of case law make the terms of the coverage clear. In contrast, the scope of what will and will not be covered by cyber insurance is less clear. Best practices and industry leaders have yet to emerge, there is no uniformity of language, and the policies have not yet been tested in court.

The bottom line: You’ll need to pay attention to the exact wording and analyze the coverage in comparison to your operational business risk.

Tip: Watch out for policy exclusions

Innocent-sounding exclusions in cyber insurance policies — the most common of which is an exclusion of cyberattack by rogue employees — can end up being quite costly. For example, a disgruntled clerical employee could download multiple customer files to a thumb drive upon exiting the company, leaving the firm on the hook for hefty notification costs.

Having a cyber insurance policy that excludes careless employee actions is like having a fire insurance policy that excludes fires caused by a faulty toaster — that’s when you need the policy most. Many cyber insurance policies require perfectly good controls, such as encrypting your data and changing your passwords frequently. The problem is that companies don’t always follow these practices — and a rogue employee who is willing to breach your data likely won’t, either.

What does cyber insurance cost?

More than 60 carriers offer stand-alone cyber insurance policies, according to a recently released white paper from the Insurance Information Institute. That said, cyber insurance is typically a rider to your general business insurance, which means the cost of the rider will vary depending on your overall insurance package. Doing your due diligence and reading the fine print is mandatory when shopping for a cyber insurance policy that can give you the level of protection you need.

What are policy limits?

Many policies provide $25,000 in the case of a data breach. This may sound like a lot, but in reality, you can eat up $25,000 in 25 minutes responding to a cyberattack. According to the Ponemon Institute study cited above, reported attacks cost the surveyed companies an average of nearly $900,000 in damage to or theft of IT assets and an average of almost $1 million due to the disruption of operations. Unauthorized fraudulent transactions resulting in the loss of company or client funds are often a direct hit to bottom-line profits when cyber insurance isn’t in place to cover or offset these losses. What’s more, litigation could substantially increase costs should there be no cyber insurance coverage or in the event that there is a disagreement over who is liable. The average loss to Business Email Compromise victims is $130,000, according to the FBI’s Internet Crime Complaint Center.

While these numbers may seem high, keep in mind that it can be difficult to determine all the downstream costs of a cyber mishap. For example, you might expose a customer’s data, which can subject you to a lawsuit. A cyber thief might infiltrate your systems to get data they use to infiltrate one of your large customers, which can result in a massive cost that might eventually come back to you.

How do you make a claim?

This is another area of cyber insurance that is still developing. If the physical property of a business is damaged by traditional hazards, the business owner can turn to a claims operation at their insurance company. That often isn’t the case with cyber insurance, in which you may find yourself working with your insurance carrier to figure out who will handle your claim and how.

Safeguarding your business with cyber insurance

Such hurdles, though perhaps frustrating, shouldn’t put you off from cyber insurance. In a world where data is the currency of business and financial transactions are required to run your business, ensuring your data and customers are protected amidst an ever-shifting digital landscape is critical. Staying informed on the developing field of cyber insurance can help you make the best decision to safeguard your business.

The information contained in this article is provided to you as-is, does not constitute legal advice, is governed by our Terms and Conditions of Use, and we are not acting as your attorney. We make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained in or linked to this website and its associated sites.