Does my company need cyber insurance?

This is a particularly relevant topic given that cyber attacks and threats seem to pop up constantly. The big ones attract lots of media attention. But what about the average business? What kind of cyber risks do they face?

Cyber risk is roughly defined as the risk of financial loss, disruption, or damage to an organization's reputation due to a failure in its IT systems. This financial loss can come in the form of direct damage to your business, business interruption, or liability from third parties whose information was compromised.

Personal Information and Data Breaches

These days, most businesses run on a complex network of IT systems. Whether they know it or not, they are also collecting troves of customer data – much of which is considered Personally Identifiable Information (PII) under applicable privacy laws. This data is invaluable and informs business decisions in both product development and sales and marketing. However, any business that collects personal data has the responsibility to protect it. If you fail to take reasonable steps to protect your customer data, you may be held liable for what happens to it.

The kicker is that this data is more vulnerable than you think and governments around the world are beginning to take a tougher stance imposing hefty fines for data breaches.

Customer data and even your company's own proprietary information can be leaked through the improper disposal of documents or office equipment, stolen devices, or even by accidentally emailing the information to the wrong person. Fortunately, most of these breaches are opportunistic in nature. Unfortunately, there is an increasing number of data breaches targeting small business.

To protect itself, your business should institute preventative measures like coming up with an incident response plan, instituting cyber security measures like firewalls, and purchasing cyber insurance.

Information security and procedures should be part of your staff's standard training. Many attacks these days involve social engineering, which simply means tricking staff members into giving up private information. Proper training will help your employees identify suspicious requests for information and know how to respond when they're unsure about an e-mail or phone call they receive. There should also be procedures in place for the disposal of documents or office equipment. Electronic devices like desktops or storage devices should be encrypted in case they are lost or stolen.

When a breach occurs, there should also be procedures, likely created by your IT department, for how to recover and minimize damage. Having firewalls and other security systems in place will help, and so will maintaining backups of important information.

Despite your best efforts, a determined attacker will still be able to gain access to your systems provided they are dedicated enough. When this happens, it is best to have cyber insurance in place to help your business recover and pay damages.

First Party and Third Party Cyber Insurance

Cyber insurance coverages are generally broken down into 2 types: first party and third party coverage.

First party cyber coverage provides protection for your business. Losses covered by the first party portion of your cyber insurance policy include: business interruption, the cost to recover your computer systems/data, or ransomware extortion payments.

The third party coverage provides protection for your business against third parties holding you responsible for the breach or leakage of their personal data. Expenses covered here include: regulatory penalties, damages paid to 3rd parties, and legal expenses. Other supplementary costs covered by cyber policies include paying for credit monitoring, breach response, PR costs, and more.

This type of insurance is still in its early stages and there are no standard forms available, but most cyber insurance policies provide coverage for privacy breach expenses, business interruption coverage, and legal expenses.

(See Cyber Liability Insurance: Is Your Business Covered? to learn more.)