Cyber Insurance – Get It Right!
Call it “hacking” or “cyber risk” — businesses are more exposed to loss from the use of technology than in the past. The number of credit card transactions has grown steadily: Transactions grew at an annual rate of 7.6 percent between 2009 and 2012, increasing from 21 billion to 26.2 billion, according to the Federal Reserve System’s 2013 Federal Reserve Payments Study. And the risk and cost associated with losing customer data has grown, too. The average per capita cost of a data breach in the U.S. increased from $188 to $194 between 2012 and 2013, according to the Ponemon Institute Research Report’s 2013 Cost of Data Breach Study: Global Analysis.
The same risk exists for organizations with employee data and medical data. Hackers have proven that they can break into some of the more sophisticated data systems. It has been reported that high-profile companies, including Target, Schnuck Markets and T.J. Maxx, have been fully compliant with system security standards yet were able to be hacked.
Cyber risk insurance is a specific coverage that is meant to provide financing in the event you have a loss. This insurance has been developing over the past 10 years. There used to be minimal coverage in a general liability policy, but as specific cyber coverage has been developed, exclusions have shown up in general liability policies. If you do not buy a cyber liability policy, you probably do not have sufficient coverage in the event of a loss. Cyber liability policies are relatively new and come in many forms with various coverage options. Buying cyber coverage is different than buying auto insurance where you get relatively standard policies with a few options. Cyber policies vary greatly in the coverage that is provided. There are many sections to a cyber policy, with each selected section bringing additional premiums. What does your business need to properly protect it if a loss occurs? It’s confusing even to insurance professionals. Questions worth considering include:
- Do you have/need business interruption coverage from a cyber event at your company?
- How much is enough?
- Are costs for forensic IT included to help you fix the problem?
- Are costs for breach notifications covered? Are there limits?
- What about cost for a public relations firm to help with media coverage?
- Is liability coverage included?
And that’s just scratching the surface. An independent review of your situation by a firm that understands insurance, IT and Enterprise Risk Management can help you select the appropriate coverage for your situation. We have seen many companies that either have not purchased insurance or thought they had purchased policies that properly covered them, but the policies fell short in various areas. For example, a retailer was considering additional cyber coverage but decided that because it didn’t need it in the past, it didn’t need it now. Management decided not to buy cyber coverage since it already had business interruption insurance coverage as part of their property policy. Unfortunately, it later came to light that the property policy did not cover cyber or hacking loss.