If you looked into buying cyber insurance for your SMB more than a couple of years ago and didn’t, look again. Why? Because cyber risks for SMBs are increasing rapidly, and affordable coverage options are emerging. Follow these five steps toward a little peace of mind.
Before we get to the five steps to owning cyber insurance (a.k.a. cyber liability insurance or cyber risk insurance), let’s answer what most SMB owners ask first: Do I need the stuff?
The answer is: Probably. But even if you don’t need it, it’s your responsibility to do your homework and make an informed decision.
Start by looking at cybersecurity trends for small- to medium-sized businesses. Here are some eye-openers from a 2018 Ponemon Institute survey report:
- SMBs were the victims of 67% of all cyber attacks reported, up from 61% in 2017.
- 58% of the data breaches over the previous 12 months were from SMBs, up from 54% in 2017.
- The damage or theft of IT assets cost these SMBs an average of $1.43 million, a 33% increase from 2017, PLUS an average of $1.56 million from disruption to normal operations, a 25% increase.
I touched on cyber insurance in this post that quoted cyber liability experts. Here are five key steps to take based on their recommendations, along with other information I’ve gathered (and my own experience getting cyber insurance for TechGen):
1. BEFORE YOU SHOP: Find Out Whether Your Current Business Owners Policy Covers Cyber Losses
If you have standard business insurance coverages such as General Liability, Professional Liability, and Errors and Omissions, ask your insurance carrier whether these cover losses related to data breaches or other cyber threats.
Some coverages may be very limited. For example, losses from fraudulent wire transfers may only be covered if your employee followed certain security protocols when making the transfer. Or the coverage may apply only to officers and executives.
According to InsuranceBee’s Cyber Survey of SMB owners:
- 83% don’t have enough money set aside to recover from a cyber attack or data breach.
- Of the 17% that have set aside money, few have considered the reputational or legal costs of a cyber attack.
2. WHEN YOU DECIDE TO SHOP: Get Expert Assistance
Cyber insurance — especially for smaller businesses — has improved greatly, but it’s still relatively new. The coverages and terminology aren’t standardized yet, so don’t wade into this muddy water without a life preserver.
Look for a business insurance broker and/or an attorney who has specific experience with this type of coverage.
3. WHILE YOU SHOP: Look Beyond Coverage Names — Get Details
A broker or attorney can help you sort through the various coverages available. But let’s give you a head start. In general, cyber insurance coverages fall into two buckets: first-party and third-party.
The Federal Trade Commission has a useful breakdown of the coverages you should look for in those two categories:
First-party cyber coverage protects your data, including employee and customer information. This coverage typically includes your business’s costs related to:
- Legal counsel to determine your notification and regulatory obligations
- Recovery and replacement of lost or stolen data
- Customer notification and call center services
- Lost income due to business interruption
- Crisis management and public relations
- Cyber extortion and fraud
- Forensic services to investigate the breach
- Fees, fines, and penalties related to the cyber incident
Third-party cyber coverage generally protects you from liability if a third party brings claims against you. This coverage typically includes:
- Payments to consumers affected by the breach
- Claims and settlement expenses relating to disputes or lawsuits
- Losses related to defamation and copyright or trademark infringement
- Costs for litigation and responding to regulatory inquiries
- Other settlements, damages, and judgments
- Accounting costs
Cyber insurance coverages and package names differ from carrier to carrier, more so than for more established products like auto and home insurance. That’s why you need to ask specifically about whether the policy you’re considering addresses the items above.
Also, for each coverage, check the restrictions and dollar limits, and the policy’s exclusions.
4. WHEN YOU’RE APPLYING FOR A POLICY: Fill Out the Application Very Carefully
When you fill out a cyber insurance application, you’ll probably be asked about certain data protections and policies you currently have in place. That information will be verified should you suffer a loss, and if your answers prove incorrect, your policy may be void.
This would be especially catastrophic if your firm is targeted by a class action lawsuit, which is becoming more of a possibility.
If you work with an IT services provider, you may need to bring them in on the process. I’ve helped TechGen clients answer insurance application questions about their cybersecurity measures and IT infrastructure.
5. AFTER YOU HAVE CYBER INSURANCE: Notify Your Insurer Immediately if You Detect a Data Breach (Even if You’re Not Sure)
One of the more difficult, costly, and time-consuming results of a data breach is complying with regulations regarding who must be notified, how, and when. Some insurance carriers have specialists or teams that help walk firms through these obligations, step by step.
The sooner the insurance company knows there may be a problem, the faster and more efficiently they can help you fix the problem and clean up after it.
An Affordable Cybersecurity Plan B
Even if your business has an excellent cybersecurity program — let’s call that Plan A — you can’t eliminate risks from hacking, fraud, or mistakes that can expose you to enormous costs. That’s why you probably need a Plan B: cyber insurance.
The insurance industry is getting up to speed on cybersecurity now, and more players are taking the field to sell these products.
Competition generally brings down prices, of course. And as more SMBs get cyber insurance, the industry can spread the risk further and price the products accordingly.
I can’t say getting cyber insurance is easy, in terms of your time or your money, but I’ll tell you I sleep a little better knowing my SMB has a solid Plan B in place.