Commercial Insurance Blog

Cyber Liability and Data Breach market update

 

Do you store your customers' or prospects' personal identification information on your computer system? Do you share proprietary information via email or a portal? Is it accessible over the internet or from a tablet, phone or laptop? If you answer "yes" to these questions, cyber liability and data breach might be the greatest risk your business faces today.

We hear nearly daily how public and private companies and government entities are being breached, and data stolen or ransoms demanded.   There is insurance available, though price increases reflect the increased frequency and severity of these attacks, and underwriting is becoming more demanding.   Gone are the days - not so long ago - when a small business could get insurance with little up-front protection; getting insurance today demands more up-to-date risk mitigation before underwriters will offer insurance worth having.

Common defenses against theft of data or theft of your customers' privacy include:

  • a strong IT partner to advise you on vulnerabilities;
  • clearly stated and enforced internal protocols for employees (the human factor is today's greatest vulnerability); 
  • up-to-date technology, both hardware (firewalls, encrypted drives) and software (resident software to seek out viruses, malware, and other threats);
  • dual factor authentication for access to internet-based customer accounts.

Cyber criminals are everywhere (most overseas), but they are like any other crook: they seek easy targets first.  With robots constantly scanning the web seeking out vulnerable computers, the primary message is DON'T BE A SOFT TARGET. 

How does "Cyber Liability / Data Breach" insurance work?

Cyber Liability insurance today can be broken down into two broad categories: how do I respond when a hacker has gained access to my customers' personal identification information, and what is my liability for theft of information that causes loss or damage to others? For insurance purposes the first category refers to "first party coverage" and the second refers to "third-party liability."

First Party Coverage

First party cyber liability insurance is for you, the policyholder, and the first step is crisis management: “What do I do now that someone has hacked and possibly stolen some of our information?” Another expense is forensic accounting: “How did this happen?”  Notifying affected customers is another critical step.  Depending upon the number of customers and the nature of the breach, you may need to engage a call center to handle the inquiries bound to come in.  Finally, you may need to provide credit monitoring for customers who were affected by the data breach or data theft.  Insurance policies have evolved to provide specific supplements for these categories: credit monitoring, notification, forensic accounting and other first party services. 

A separate category of first party losses includes business interruption. This can be especially important coverage for businesses that conduct most of their operations online. While under attack, a web-based business is no better off than a retail business with locked front doors: you're simply "out of business." Generally business interruption insurance has specific triggers such as a network attack or an actual system breach.

Third Party Liability

The next category is third party liability claims. These are the claims that customers may make against you because that lost laptop or lost phone of yours resulted in their credit card having unauthorized charges. Third party liability claims involving personal identifiable information are generally less severe than those involving personal health information. When personal health information is stolen for the purpose of obtaining prescription medications or other treatments, plaintiffs can sue for invasion of privacy, tarnished reputation, mental anguish, and other subjective (and expensive) damages. 

Third party damages currently account for only 10%–15% of cyber related losses because insured events mandate the carrier pay first party costs and have a crisis management partner in attendance.  Experience for uninsured events is harder to quantify, but when first party intervention is delayed third party damages typically rise.

Another major financial exposure is the regulatory angle.  Fines imposed by laws in various jurisdictions, both state and federal, are harsh in an attempt to force businesses to secure their systems from attacks. Here in Massachusetts the law known as CMR-17 imposes severe penalties on businesses that lose private identifiable information.  If you are reading this article and do not have a W.I.S.P. (Written Information Security Plan) on file and actively updated, call us for guidance. Some insurance policies do not include coverage for government fines and penalties, but it's good to ask.  Not only is insurance a needed backstop, but securing your network through carefully designed procedures and protocols is absolutely necessary in today's global business environment.

Cyber Liability Policies

We work with all the top carriers to help design a data breach strategy best for you.   Click below to have a discussion about this critical coverage.
