Important Thoughts on Cyber Coverage

Most customers I meet with conceptually understand the value of cyber insurance.  It seems we can’t go a week without news of a major data breach happening.  Statistics abound regarding the major losses that can happen with a data breach.  However, I still often come across customers who hesitate at purchasing an actual cyber policy.  The hesitation sometimes comes from price, but more often it comes from not really understanding what a cyber policy covers.

It’s with good reason folks are sometimes confused by cyber coverage.  Cyber policies can be quite broad and are one of the few policy types that combine first- and third-party coverage.  They can have upwards of 15 coverage clauses, and they insure an intangible exposure. Throw in the issue that some agents can’t explain the coverages either, and it is no wonder consumers are doubtful they need to purchase the policy.

First and Third-Party Coverage

Most insurance policies do one of two things:  Either they reimburse you for something of value you lost (such as insuring a building) or they protect you from a lawsuit in case you hurt someone else.

If the insurance company is reimbursing you, we call that first party or property coverage.  One can insure a building, merchandise, tools, bridges, intellectual property, or anything else of value.  Whether tangible or not, if you possess something of value, there is an insurance policy that can reimburse you in case it is lost or destroyed.

If the insurance company is defending you from someone else, or paying them compensation from your actions, we call that third party or liability coverage.  Most folks understand the general business exposure, like the ubiquitous “slip & fall” scenario.  However, there are also very sophisticated liability situations, such as medical malpractice, employment liability, directors & officers liability, and myriad others that one can protect themselves from with a liability policy.

A cyber policy uniquely combines both these coverages.

Consider the following example:  A hacker has breached your computer files that contain information on your clients.

You uniquely have both a first- and third-party issue.

From a first party situation, you must hire someone to cleanse your computer system of the virus.  You might need to pay to restore some data.  You likely will have overtime or additional staff costs to deal with the situation.  In all these cases, you, yourself, are out extra money which is a first party expense.   A proper cyber policy will reimburse you for these losses.

Simultaneously, you now have a third-party exposure from your clients whose information was released into the world.  You a breached your duty to them to maintain their private information and are now subject to liability (lawsuits) from any of them if they can prove they’ve been harmed.  Even if not harmed, you likely must notify them, provide credit monitoring, and respond to their demands.  A proper cyber policy will provide liability protection in this scenario.

The Widening Types of Cyber Coverage

Beyond that simple example, a challenge with cyber coverage is the growing number of ways criminals can act.  In fact, cybercrime terminology is outpacing our ability to keep up with it. It isn’t just picking up a computer virus anymore:  ransomware, phishing, social engineering, bricking, extortion, wire fraud are words that get thrown about as if we all understand them.  This article isn’t meant to provide an encyclopedic understanding of every cyber exposure, but rather to point out that all businesses (large and small) are subject to some types of cybercrime.

Businesses that think they are “too small” to be attacked miss the issue that most attacks are pushed by automated scripts.  They don’t care if you are large or small.  They just penetrate systems.  Some businesses also believe they won’t fall victim to cyber scams.  This is really foolish to believe.  Many cyber hacks require zero complicity from the business.  But the best part of a cyber policy is that even if the business is “duped”, the cyber policy will still respond.

A great example of this is social engineering.  A bad actor breaks into one of your vendor’s systems.  They send you an email about a legitimate invoice but modify the payment instructions.  It is a real invoice.  It is a real email from your vendor.  And there are real payment instructions, but to an alternate account.  I’ve seen this happen multiple times, and businesses don’t realize the cybercrime happened until the (actual) vendor follows up about the status of their missing payment.  Yes, even this “trickery” is covered by a cyber policy and you’ve just suffered a first-party loss.

Because there are so many different types of cybercrimes, cyber policies have multiple coverage line items.  This is great because it affords coverage, but it can be a challenge to understand them all.  If your insurance advisor can’t explain them, go find a broker who can.  You should have the same level of expectation from your insurance broker that you do your CPA or attorney—that they are professionals who understand their craft.

The Value of Cyber Insurance

No doubt everyone wants to save a buck.  Businesses want to spend money where necessary, but not purchase frivolously.  The underlying value of cyber coverage is that it adapts to the ways in which malevolent attackers evolve.  These cyber-attacks can come from true software breaches to normal daily business operations such as paying an invoice.  Each business has both first- and third-party exposures regardless of how sophisticated they believe their business processes to be.

A cyber insurance policy is worth the investment for every business.  Consult your insurance professional today to discuss a cyber policy.