Even the best cybersecurity system – with state-of-the-art technology, effective and well-implemented policies and procedures, and the most security-aware employees available – cannot guarantee that your business will never be the victim of a cyber-attack.
As with any aspect of business involving unpredictable risk and potentially catastrophic loss, the threat of cyber-attacks requires protection that you cannot provide entirely by yourself. That’s where cyber liability insurance comes in.
However, since cyber liability insurance is so new to the market, a lot of the things we take for granted in regular insurance may not necessarily apply. For example, since cyber liability insurance has only been around for a few years, there is no uniformity in coverage from one policy to the next. Even basic terms like “data breach,” “computer,” and “wrongful act” can vary significantly from policy to policy.
Before you purchase cyber liability insurance, make sure that your policy covers the things you’ll actually need in the event of a cyber-attack:
The 5 Major Expenses Your Cyber Liability Policy Better Cover!
Your cyber liability insurance policy needs to protect you from incurring significant expenses as a result of a cyber-attack. In addition, it needs to help your business recover quickly, and to the greatest extent possible, restore your operations to where they were prior to the attack.
The resources required to accomplish those tasks are significant, so the key to finding the right cyber liability insurance policy is understanding what costs you’re going to incur in the event of a data breach.
The first thing you’re going to need is:
1) Professionals. Immediately.
You need an emergency response team. Think of them as a really nerdy version of Seal Team Six, or a less Quentin-Tarantino-style Winston Wolf.
Think I’m being overly dramatic? Maybe I am.
However, you should be aware that most cyber liability claims that exhaust the policy limits do so covering the costs in this category!
So, who are the professionals I’m talking about?
Forensic IT Specialists
You need immediate and effective analysis of your system to determine the size and scope of any breach, and professionals with the experience and training to eliminate any active threats to your system, limit the damage being caused by existing penetrations, and shore up your short-term defenses.
And, just a thought, it probably shouldn’t be the people who were responsible for setting up your IT security in the first place.
These IT experts, particularly the ones who know how to limit the damage from a data breach, are essential to your business recovering quickly. As a result, they’re not cheap…
… so wouldn’t it be better if your insurance company paid their tab?
Legal Advisors (immediate)
One of the most critical (and coming soon, most litigated) roles you play when your company has been the victim of a cyber-attack is to be a kind of “Paul Revere.” Depending on where your customers live (that’s right, where they live, not where you live), you could have to provide notification of a cyber incident to your customers.
In fact, you have a legal obligation to notify those people, usually within a specified period of time!
Oh, and that amount of time varies from state to state.
Your emergency response legal team will handle all of the immediate legal hurdles for you (or at least give you a plan).
Listen to them.
They know what you need to do. They’re here for a reason. Let them do their jobs…
… but on the insurance company’s dime.
One of the most important assets your business has is its reputation. Every deal you’ve done, every customer you’ve helped, over time you’ve established a reputation in your community.
Your reputation matters, and the information that gets put into the media WILL impact that reputation, especially in the local press.
Considering that 60% of consumers will be less likely to patronize a business that’s been the victim of a data breach, all that work you’ve put in could quickly be destroyed.
Furthermore, being the victim of a cyber-attack is extremely stressful.
While you’re stressed out dealing with the ramifications of a breach, let a professional handle all media contacts and set up a plan and a script for responding to angry clients or other inquiries. You’re in a bad spot, no reason to make it worse…
… especially when you’re not paying their bill.
Your cyber liability insurance policy needs to cover the costs of your emergency professionals. Another significant expense your policy should help you cover is…
2) Compliance with Notification Laws
So your team of professionals has parachuted into your office and gotten your dumpster fire under control. They’ve also gone over your data and informed you that your customers reside in 37 different states, each with a requirement for notifying people that their personal data may have been stolen. Your forensics experts pull all the information they can on what data was exposed and give you a list.
You then… do… what, exactly?
That’s right, it’s not as easy as it sounds.
Each state (and possibly federal statutes or regulations, depending on what kind of data was accessed) will provide a time by which you have to notify people that their data may have been exposed. Those laws also usually include very specific requirements about the content of the notice and the manner it must be provided.
Compliance with these laws isn’t easy. Nor is it free.
Your cyber liability insurance policy should include coverage for expenses incurred to notify your customers of a data breach. In addition to the costs of specific compliance with notification laws, you’re likely going to need continuing legal advice on the course of your notification process.
And in case you didn’t know, continuing legal advice ain’t free!
Unfortunately, the process of notification doesn’t really end once you’ve sent out the notice of a potential data breach. It actually has the potential to rapidly expand, creating the need for…
3) Dedicated Communications Systems
You’re probably going to need to establish a dedicated line of communication allowing people to contact your business with any questions or concerns related to the breach. Oh, and in case you even thought about doing this part on the cheap, your regular business communication system is not going to be anywhere near sufficient.
You’ll need a dedicated communications system (website, phone banks, social media) to respond to frequently asked questions and provide assistance to anyone who may have been impacted. Bear in mind that high-quality, effective response teams can save you money, reduce the chances of litigation, and may even help convince existing customers to keep their business with you!
Just don’t try to do this on your own!
An experienced PR professional can save you and your staff considerable frustration, and limit your exposure to litigation down the road, by coming up with the right scripted responses to frequently asked questions.
They should be able to tell you exactly what questions you’re likely to get – there’s nothing new under the sun – and can help you craft responses to those questions ahead of time. Taking this part of your response seriously requires spending some time and money, so your insurance policy needs to take this aspect seriously as well.
In the event that personally identifiable information may have been stolen, most states require you to provide some form of credit monitoring services for each person whose information was potentially taken. Just like everything else on this list, those services are not free. Make ABSOLUTELY CERTAIN that your cyber liability insurance policy provides coverage for this type of service.
The expenses directly related to containing a data breach and restoring your systems are the expenses most people think of when discussing cybersecurity. However, your cyber liability insurance policy should also provide coverage for the often-unexpected-but-usually-considerable price of…
4) Business Interruption Costs
This is one category of costs that’s a little bit different from the others. It’s not an expense the way that word is normally used. The previous items on this list are the kinds of things we think of as “expenses” – they require you to pull out the company’s checkbook or credit card, taking money directly out of your account, but they also produce an easily quantifiable loss.
Business Interruption, on the other hand, is the revenue you DON’T earn because your office is effectively shut down. Oftentimes difficult to quantify, and even more difficult to prove, these losses are nonetheless significant to your business.
Small businesses are particularly susceptible to suffering considerable, even catastrophic, loss in this category. If you’re a service-oriented business, the potential for serious loss is even greater. In a business model that requires you to perform services, without performance, you have no revenue.
Business Interruption coverage can help you recover revenue lost due to network downtime, recovery of lost/deleted data, and many other aspects of a data breach that prevent you from doing your job.
Nearly 60% of small businesses close their doors for good within 6 months of a data breach. The most significant expense small businesses experience as a result of a data breach is business interruption.
Remember, even the most basic ransomware attack is likely to shut down your ENTIRE NETWORK for two days. Can you afford to just lose the money you would have made? Doesn’t it make sense to get cyber liability insurance that limits your greatest vulnerability in the event of a data breach?
In addition to the expenses you expect and the business interruption costs you may not have anticipated, your cyber liability insurance policy should also help you cover those “incidental” costs directly associated with a data breach. For that, your cyber liability insurance policy should provide…
5) Petty (and not so Petty) Cash
As with most problems you’re likely to experience in business, there are a few data breach-related issues that require nothing more of you (and accept nothing less) than throwing a pile of cash at someone.
Which is fine, I guess, if you have the cash. Catastrophic if you don’t.
Ransomware and Extortion
You’ve heard that movie trope about “we don’t negotiate with [insert movie villain].” In the real world, you may have no other meaningful choice.
If your system is taken over by ransomware, or other extortion-ware, you may be presented with the unenviable choices of either 1) paying a hacker some money, or 2) losing all of your company’s stored data. Unfortunately, even the best backups may not prevent you from being confronted with this horrible choice.
What should you do?
Even the FBI advises victims of ransomware to pay the ransom if data can’t be restored from backups. Unfortunately, paying the ransom may not be as simple as taking some cash from an ATM and putting it in a discreet location. It’ll require Bitcoin.
Your cyber liability insurance policy needs to provide coverage for these types of payments. It would also be helpful if they would take responsibility for making the payments, because otherwise, you’ll need to have a Bitcoin wallet set up, which has caused some problems in the past.
Litigation expenses related to loss/theft of data
There isn’t much precedent at this point for large judgments against companies that have been hacked, but my general read of the landscape is that those judgments are coming. They’ll be even worse for companies that are found to have failed to take adequate steps to secure data (and potentially catastrophic for companies that were aware of the risk and STILL failed to improve security).
There’s no precedent to help us estimate what your damages could be in litigation brought by your customers, your vendors, or others. However, pretty much everyone in the insurance industry seems to expect those damages to start rising quickly.
This isn’t a situation where you want to put your cash surplus or your rainy-day fund at risk – particularly when you have no idea what the potential damages would be. Make sure your cyber liability insurance policy provides you with some protection (and pays for the lawyer, too).
Regulatory fines and other governmental penalties
One of the potential future expenses we have some information about is the potential for regulatory or other governmental fines related to a data breach. They can be significant.
Make sure your cyber liability insurance policy provides funds to pay any fines levied by governmental organizations and pays for lawyers to defend you in those proceedings. Reviews and hearings by regulatory agencies can take months or years to complete. You don’t want the potential for significant fines on your company’s books that whole time. So, make sure your company is protected.
No cyber liability insurance policy can possibly provide adequate protection for your business unless it covers the items I’ve listed above. Make sure that your policy has everything your business needs. (Also, have your lawyer review any cyber liability policy to make sure it has everything you believe it has!)
About the Author
Brian Focht is a cybersecurity and civil litigation attorney based in Charlotte, North Carolina, at the Law Offices of Brian C. Focht. In addition to being the author of Resilience Cybersecurity & Data Privacy, he is also the author of The Cyber Advocate, a blog on tools and technology for lawyers, the producer and host of the Legal Technology Review podcast, and co-founder of B&R Concepts, a small business technology consulting company.