Even the best cybersecurity system – with state-of-the-art technology, effective and well-implemented policies and procedures, and the most security-aware employees available – cannot guarantee that your business will never be the victim of a cyberattack.
As with all other aspects of your business that involve unpredictable risk and potentially catastrophic damage, you’d better be insured.
Given how new the market is, though, there are a few things you need to watch out for. As an insurance product, it’s basically brand new. There is no uniformity in coverage from one company or policy to the next. Even basic terms like “data breach,” “computer,” and “wrongful act” can vary significantly from policy to policy.
Before you purchase cyber liability insurance, make sure that your policy covers the things you’ll actually need in the event of a cyber-attack:
The 5 Major Expenses Your Cyber Liability Policy Better Cover!
The resources required to recover from a cyberattack are significant. The key to finding the right cyber insurance policy is understanding what costs you’re going to incur in the event of a data breach, and then making sure your insurance will cover those costs.
Your cyber insurance needs to protect you from damages and expenses caused by a cyberattack. It needs to help your business recover quickly. And it needs to help you restore your operations.
The first thing you’re going to need is:
1) Professionals. Immediately.
You need an emergency response team. Think of them as a really nerdy version of Seal Team Six, or a less Quentin-Tarantino-style Winston Wolf.
You’re going to need significant help. Expensive help. How expensive? Most cyber insurance policies that max out their limits do so covering the costs in this category! So imagine how bad it would be if you didn’t have any insurance at all.
So, who are the professionals I’m talking about?
Forensic IT Specialists
You need immediate and effective analysis of your system to determine the size and scope of any breach, done by professionals with the experience and training to eliminate any active threats to your system, limit the damage being caused by existing penetrations, and shore up your short-term defenses.
And it probably shouldn’t be the people who were responsible for setting up your IT security in the first place.
These IT experts, particularly the ones who know how to limit the damage from a data breach, are essential to your business recovering quickly. As a result, they’re not cheap…
… so wouldn’t it be better if your insurance company paid their tab?
Legal Advisors (immediate)
Depending on where your customers live and what specific information was accessed/taken, you could have to provide notification of a cyber incident to your customers.
In fact, you may have a legal obligation to notify those people, usually within a specified period of time!
Oh, and that amount of time varies from state to state. So does the definition of “personally identifiable information” that triggers your duty to notify. So does the content of your notification. More on that later.
Your emergency response legal team will handle the immediate legal hurdles for you (or at least give you a plan).
Listen to them.
They know what you need to do. They’re here for a reason. Let them do their jobs…
… but on the insurance company’s dime.
PR Professionals
Your reputation matters, and the information that gets put into the media WILL impact that reputation, especially in the local press.
60% of consumers will be less likely to patronize a business that’s been the victim of a data breach. Without help, and fast, you can kiss that hard-earned reputation goodbye.
Also, bearing in mind that you’re dealing with a stressful situation already, maybe it’s not the best time for you to be dealing with press inquiries.
While you’re stressed out dealing with the ramifications of a breach, let a PR professional handle all media contacts and set up a plan and a script for responding to angry clients or other inquiries. You’re in a bad spot, no reason to make it worse…
… especially when you’re not paying their bill.
Another significant expense your policy should help you cover is…
2) Compliance with Notification Laws
Your team of professionals has parachuted into your office and gotten your dumpster fire under control. They’ve also gone over your data and informed you that your customers reside in 37 different states, each with a requirement for notifying people that their personal data may have been stolen. Your forensics experts pull all the information they can on what data was exposed and give you a list.
You then… do… what, exactly?
That’s right, it’s not as easy as it sounds.
Each state has a deadline by which you have to notify people that their data may have been exposed. (Federal regulations and other applicable laws, like the GDPR, have similar deadlines.) They also have very specific requirements about the content of the notice and the manner in which it must be provided.
Compliance with these laws isn’t easy. Nor is it free.
Your cyber insurance policy must include data breach notification expenses, and that goes beyond just the printing and the stamps. You’re likely going to need continuing legal advice over the course of your notification process.
And in case you didn’t know, continuing legal advice ain’t free!
Unfortunately, the process of notification doesn’t really end once you’ve sent out the notice of a potential data breach. It actually has the potential to rapidly expand, creating the need for…
3) Dedicated Communications Systems
You’re probably going to need a dedicated line of communication for any questions or concerns related to the breach. And in case you thought about doing this part on the cheap, your regular business communication system is not going to be anywhere near sufficient.
You’ll need a dedicated communications system (website, phone banks, social media) to respond to frequently asked questions and help anyone who may have been affected. High-quality, effective response teams can save you money, reduce the chances of litigation, and may even help convince existing customers to keep their business with you!
An experienced PR professional can save you and your staff considerable frustration, and limit your exposure to litigation down the road, by coming up with the right scripted responses to frequently asked questions.
They should be able to tell you exactly what questions you’re likely to get – there’s nothing new under the sun – and can help you craft responses to those questions ahead of time. Taking this part of your response seriously requires spending some time and money, so your insurance policy needs to take this aspect seriously as well.
Your cyber insurance policy should also provide coverage for the often-unexpected-but-usually-considerable price of…
4) Business Interruption Costs
The previous items on this list are the kinds of things we think of as “expenses” – they require you to pull out the company’s checkbook or credit card, taking money directly out of your account, but also providing an easily quantifiable loss. This category is a little different. It’s not an expense the way that word is normally used.
Business interruption costs are essentially the money you DON’T earn because your office is effectively shut down. Often difficult to quantify, and even more difficult to prove, these losses are nonetheless significant to your business.
Small businesses are particularly susceptible to suffering considerable, even catastrophic loss to their earnings following a cyberattack. If you’re a service-oriented business, the potential for serious loss is even greater: in a business model that requires you to perform services, no performance means no revenue.
The most significant expense small businesses experience because of a data breach is business interruption. Nearly 60% of small businesses close their doors for good within 6 months of a data breach.
Business interruption coverage can help you recover revenue lost due to network downtime, recovery of lost/deleted data, and many other aspects of a data breach that prevent you from doing your job.
Your cyber insurance policy should also help you cover those “incidental” costs directly associated with a data breach. For that, your cyber insurance policy should provide…
5) Petty (and not so Petty) Cash
As with most problems you’re likely to experience in business, there are a few data breach-related issues that require nothing more of you (and accept nothing less) than a pile of cash.
Which is fine, I guess, if you have the cash. Catastrophic if you don’t.
Ransomware and Extortion
If your system is taken over by ransomware, or other extortion-ware, you may be presented with the unenviable choices of either 1) paying a hacker some money, or 2) losing all of your company’s stored data and having your customers’ personal information published on the internet.
What should you do?
Law enforcement and insurance companies are begging you to not pay the ransom. Of course, they say this while oftentimes paying a ransom when in the same situation themselves. What to do then? Unfortunately, paying the ransom may not be as simple as taking some cash from an ATM and putting it in a discreet location. Usually, it’ll require Bitcoin.
Your cyber insurance policy needs to provide coverage for these types of payments. It would also be helpful if they would take responsibility for making the payments, because otherwise, you’ll need to have a Bitcoin wallet set up, which has caused some problems in the past.
And if we’ve learned anything from the history of… well, everything, I guess… we should all know to never use cryptocurrency if at all possible.
Litigation expenses related to loss/theft of data
There isn’t much precedent at this point for large judgments against companies that have been hacked, but my general read of the landscape is that those judgments are coming. They’ll be even worse for companies that are found to have failed to take adequate steps to secure data (and potentially catastrophic for companies that were aware of the risk and STILL failed to improve security).
There’s no precedent to help us estimate what your damages could be in litigation brought by your customers, your vendors, or others. However, pretty much everyone in the insurance industry seems to expect those damages to start rising quickly.
This isn’t a situation where you want to put your business at risk – particularly when you have no idea what the potential damages would be. Make sure your cyber insurance policy provides you with some protection (and pays for the lawyer, too).
Regulatory fines and other governmental penalties
Regulatory fines, on the other hand, are much more established. They’re significant, and growing.
Make sure your cyber insurance policy provides funds to pay any fines levied by governmental organizations and pays for lawyers to defend you in those proceedings. Reviews and hearings by regulatory agencies can take months or years to complete. Make sure your company is protected.
No cyber insurance policy provides adequate protection without the items I’ve listed above. Also, have your lawyer review any cyber policy to make sure it has everything you believe it has!
About the Author
Brian Focht is a cybersecurity and civil litigation attorney based in Charlotte, North Carolina at the Law Offices of Brian C. Focht. In addition to being the author of Resilience Cybersecurity & Data Privacy, he is also the author of The Cyber Advocate, a blog on tools and technology for lawyers, the producer and host of the Legal Technology Review podcast, and co-founder of B&R Concepts, a small business technology consulting company.