Cyber Insurance: Covering cyber risks and protecting from the inevitable

Jared Sholley, Sholley Insurance AgencyMePush is proud to announce that Jared Sholley and his team from Sholley Insurance Agency will be at the CyberSec Symposium 2019 where a cyber liability policy or a data compromise/breach protection policy is needed to address cyber-related risks.  Keep in mind that the risk landscape is changing, so these policies are changing also.  Keep an eye out for a policy that will cover the risks your company is facing.

RSVP for the CyberSec Symposium on October 3rd, 2019

Insurance is no replacement for prevention, but is still needed as prevention is often a step (or several steps) behind zero-day threats.  A company with educated users, a managed network with up-to-date and secured workstations and servers, and properly configured and supported tools are needed in addition to a great cyber policy to really reduce the risk to your company.

So many times after a ransomware outbreak, I’ve been asked: “Insurance will cover this, right?” Well, that really depends on your policy. Most general liability insurance can be purchased with an additional rider or endorsement that covers cyber threats, but most general liability plans do not cover losses due to cyber threats (malware, ransomware, breaches, destruction of data, etc).

  • When a client on a lower management tier (which does not include a virus-fix guarantee) needs us to clean up and restore their data (assuming they have backups), this is often tens of thousands of dollars in labor. An incident response can include our whole team pulling all-nighters for several days.
  • If a client loses data to a breach, all of the expenses of a breach notification to all affected victims falls on the clients’ shoulders.
  • Some of the breach victims will sue the client for privacy violations.
  • Forensics work to determine the vector of attack and attempt to prosecute can be over $100,000.
  • If the client does not have backups of critical systems and has to pay the ransom, then they have to fork over tens of thousands of dollars in ransom.
  • Systems can be down for days or weeks, causing loss of productivity for all staff and zero cash flow.
  • Oftentimes, a hacker has stolen intellectual property or cash (via wire transfer), which cannot be recovered.
  • The client suffers from bad press and a hit to their reputation.

None of this is covered by your normal business general liability insurance.

To mitigate some of these risks, a cyber plan or cyber rider is needed, or even a breach protection/data compromise policy.  How many of these potential losses can be mitigated varies depending on your cyber policy.  For instance, the policy may not compensate for lost productivity or for time spent recreating intellectual property.

Again, keep in mind that these policies are evolving with the threats and business risks.  Some policies may cover breach notification, fines, and forensics, but none of the clean-up and data restoration involved, so discuss the policy you are looking at with a qualified rep.

RSVP for the CyberSec Symposium on October 3rd, 2019

There is no standard for underwriting these policies, but these are common reimbursable expenses:

  • Investigation: A forensics investigation is necessary to determine what occurred, how to repair damage and how to prevent the same type of breach from occurring in the future. Investigations may involve the services of a third-party security firm, as well as coordination with law enforcement and the FBI.
  • Business losses: A cyber insurance policy may include similar items that are covered by an errors & omissions policy (errors due to negligence and other reasons), as well as monetary losses experienced by network downtime, business interruption, data loss recovery and costs involved in managing a crisis, which may involve repairing reputation damage.
  • Privacy and notification: This includes required data breach notifications to customers and other affected parties, which are mandated by law in many jurisdictions, and credit monitoring for customers whose information was or may have been breached.
  • Lawsuits and extortion: This includes legal expenses associated with the release of confidential information and intellectual property, legal settlements and regulatory fines. This may also include the costs of cyber extortion, such as from ransomware.

Source CIO Magazine: What is cyber insurance and why you need it (Kim Lindros, May 2016)

Jared Sholley and his team at Sholley Insurance Agency can guide you to a policy or rider that suits your business risks.

RSVP for the CyberSec Symposium on October 3rd, 2019